Can´t login after install: Openid button -> "Authentication provider is not configured"

growco

Hi,

penpot is the only app where i can´t login after installation.
Could you tell me what to do?

Thank you

nebulon

Just tried to reproduce this on a fresh penpot instance, but it works here. Are you able to login with OpenId in other apps?

growco

Then the error needs to be on my side. Honestly it´s the first app (of the apps i use within cloudron) which requires openid so can´t tell.

The error when using the OpenID button i get is:

Also i noticed when the site loads for a millisecond i can see a error on the top right, i had to record it to see it - but it´s just an empty error:

I don´t know where to look next

growco

The problem is exactly what the error says - i havent configured openid.
But also i didn´t see the option when clicking on users in the top menu.
->
Just figured out using the menu within the profile/name there is user directory and there it can be set up.

Sorry for this stupid question, leaving this here in case someone is as blind as me.

growco

Still doesn´t work.

1. Created a OpenID Connect Provider with:

Name: Penpot
Login Callback URL: https://my-penpot-domain.com/api/auth/oauth/oidc/callback
Signing Algorithm: RS256

2. Restarted the app

Still the same error.

If i open the discovery url
https://my.domain.com/.well-known/openid-configuration

I just see a white blank page, source code also emtpy

growco

Seems it was cloudflare. As a test i deactivated proxy -> only DNS for the dashboard and also the penpot URL, did flushdns, now it works. Changed it back to proxy, still works now?

So..

1. Is it enough only for the configuration for openid to deactivate proxy and activate it afterwards again or will this cause problems?
2. Is it cloudflare zero trust (asking for 2fa) or WAF (iam blocking all but my home ip) which caused this issue?

joseph

I am afraid you will have to debug this step by step to figure what is causing the problem.

hakunamatata

Fresh install of Penpot 2.13.3 on Cloudron 9.1.3 configured to use Cloudron's SSO, and experiencing the same issue.

Disabling the Cloudflare proxy doesn't do anything for me.

james

Hello @hakunamatata
I just tried to reproduce this issue, but was unable to do so.
Also used Cloudflare non proxied subdomain.

hakunamatata

@James thanks for the feedback. Will do some more troubleshooting on my end. Could be network/firewall related.

hakunamatata

I ran curl -v https://<your-cloudron-dashboard-url>/.well-known/openid-configuration from the Penpot terminal and it connected just fine. So maybe it is not network related. More investigations to follow.

james

Hello @hakunamatata

A note.
Penpot uses environment variables to configure OIDC.
https://git.cloudron.io/packages/penpot-app/-/blob/v1.15.3/start.sh?ref_type=tags#L43-L52

# OIDC
# CLOUDRON_OIDC_PROVIDER_NAME is not supported
export PENPOT_OIDC_BASE_URI="${CLOUDRON_OIDC_ISSUER}"
export PENPOT_OIDC_CLIENT_ID="${CLOUDRON_OIDC_CLIENT_ID}"
export PENPOT_OIDC_CLIENT_SECRET="${CLOUDRON_OIDC_CLIENT_SECRET}"
export PENPOT_OIDC_SCOPES="openid profile email"

# Optional list of roles that users are required to have. If no role
# is provided, roles checking  disabled.
#export PENPOT_OIDC_ROLES="role1 role2"

You check in the Web Terminal of the Penpot app if these variables exist and match with your system.

Example from my.demo.cloudron.io - Penpot app where I also confirmed the OIDC auth is working on a fresh installation:

printenv | grep -i OIDC
CLOUDRON_OIDC_PROFILE_ENDPOINT=https://my.demo.cloudron.io/openid/me
CLOUDRON_OIDC_KEYS_ENDPOINT=https://my.demo.cloudron.io/openid/jwks
CLOUDRON_OIDC_CLIENT_ID=c75fa80f-2edc-49e0-b50b-d3bf7d7d1a60-oidc
CLOUDRON_OIDC_PROVIDER_NAME=Cloudron Demo
CLOUDRON_OIDC_AUTH_ENDPOINT=https://my.demo.cloudron.io/openid/auth
CLOUDRON_OIDC_ISSUER=https://my.demo.cloudron.io/openid
CLOUDRON_OIDC_DISCOVERY_URL=https://my.demo.cloudron.io/openid/.well-known/openid-configuration
CLOUDRON_OIDC_TOKEN_ENDPOINT=https://my.demo.cloudron.io/openid/token
CLOUDRON_OIDC_CLIENT_SECRET=e30d42da66f055b3e214ebf3b971aafccfbaeb6ed8d134262ddc1aff695e4d0f

Note: the CLOUDRON_OIDC_CLIENT_ID and CLOUDRON_OIDC_CLIENT_SECRET are generated per app.
You can validate if the generated CLIENT_ID and CLIENT_SECRET exist in the Cloudron internal MySQL database.

SSH into your Cloudron server and run:
Note: Replace the id="$VALUE" in the SQL query with the CLOUDRON_OIDC_CLIENT_ID from your Penpot app

mysql --vertical -uroot -ppassword box -e 'SELECT * FROM oidcClients WHERE id="33ab2830-3db3-4da2-a057-c9e1b2d0eec0-oidc";'

Output:

mysql: [Warning] Using a password on the command line interface can be insecure.
*************************** 1. row ***************************
                     id: 33ab2830-3db3-4da2-a057-c9e1b2d0eec0-oidc
                 secret: bd643de389f84bb9ee1f1818ac830fb93c3de3a4be6cd38eb7845f1ad5595c8a
                  appId: 33ab2830-3db3-4da2-a057-c9e1b2d0eec0
                   name: OIDC Addon
       loginRedirectUri: /api/v1/callback,/api/v1/mobile/callback,org.getcubby://auth/callback
tokenSignatureAlgorithm: RS256

hakunamatata

@James many thanks for the tips. I have followed the instructions and was able to confirm that the app's CLIENT_ID and CLIENT_SECRET exist in the Cloudron internal MySQL database.

I will try to find some time this week to do some more troubleshooting and report back if I am able to resolve the problem.