Cannot login anymore after switch to OIDC in latest update
-
wrote on Sep 12, 2023, 8:31 AM last edited by
After the latest update (1.32.0 / see https://forum.cloudron.io/post/73395) of BookStacks which changes the login method to use OIDC, I cannot login anymore to my instance.
It throws an error about an already existing user with the same account info but different credentials. I've tried to edit the env file to not use OIDC, but "standard", that didn't work either.
How do I restore access?
-
-
wrote on Sep 12, 2023, 1:02 PM last edited by
-
Your issue seems to be related to networking actually. With OpenID the apps have to be able to reach the OpenID provider, which is running on the dashboard domain.
Can you maybe check from a webterminal inside the app if the following works (after the rollback):
curl -v https://my.<your cloudron domain>/.well-known/openid-configuration
-
wrote on Sep 12, 2023, 4:06 PM last edited by
Hello there,
I have the same problem with version 1.32.0. Can call the openid-configuration from 1.32.0 as well as from 1.31.0.
-
Do you have the same problem as @buesching or as @abuyuy ?
-
The issue with existing account, is happening for instances which are rather old, where the accounts were created with their UID instead of the username. To make app migration easier, we decided long ago to stick where possible to usernames, now with the change to OpenID this mapping does not work on old instances anymore. Currently looking for a possible migration path though.
-
wrote on Sep 14, 2023, 7:02 AM last edited by
@nebulon said in Cannot login anymore after switch to OIDC in latest update:
curl -v https://my.<your cloudron domain>/.well-known/openid-configuration
I cannot reach this URL. Not from bookstack and not from any other sytem.
Do I have to configure something under Domain & Certs before?
-
With OpenID the app backends have to be able to reach the OpenID provider, which on Cloudron is running on the dashboard domain. So any app with OpenID will fail if your system can't call the Cloudron APIs from within its app containers.
For a start, can you resolve the dashboard domain from the webterminal of an app?
host my.domain.com
If this is a system hosted behind a router (like a home setup) make sure hairpinning is supported.
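The resolve-then-fetch check described above, as an added example that is not from the thread, from Cloudron or from BookStack: a Python script that resolves the dashboard domain, fetches the discovery document and checks that every endpoint it advertises points back at the same https host. The host-match rule, the `diagnose`/`check_discovery` names and the sample document are assumptions made here, not Cloudron's.

```python
"""Diagnose whether a container can use an OIDC provider on the dashboard domain.

Constructed example, not Cloudron's or BookStack's code. Assumes the discovery
document is served at https://<dashboard-host>/.well-known/openid-configuration
and that its endpoints must sit on that same host (a policy assumed here).
"""
import json
import socket
import ssl
import urllib.request
from urllib.parse import urlparse

# Standard OIDC Discovery keys a relying party needs before it can log anyone in.
REQUIRED = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")

# Constructed sample document; the endpoint paths are invented for illustration.
SAMPLE_DOC = {
    "issuer": "https://my.example.com",
    "authorization_endpoint": "https://my.example.com/openid/auth",
    "token_endpoint": "https://my.example.com/openid/token",
    "jwks_uri": "https://my.example.com/openid/jwks",
}


def check_discovery(doc: dict, dashboard_host: str) -> list:
    """Return the problems found in a parsed discovery document (empty = usable)."""
    problems = [f"missing {key}" for key in REQUIRED if key not in doc]
    for key in REQUIRED:
        url = doc.get(key)
        if not isinstance(url, str):
            continue
        parts = urlparse(url)
        if parts.scheme != "https":  # a proxy rewriting to http breaks token exchange
            problems.append(f"{key} is not https: {url}")
        if parts.hostname != dashboard_host:  # endpoints must be reachable too
            problems.append(f"{key} points at {parts.hostname}, not {dashboard_host}")
    return problems


def diagnose(dashboard_host: str, timeout: float = 5.0) -> dict:
    """Run the thread's three steps from inside the container: resolve, reach, validate."""
    result = {"resolved": None, "status": None, "problems": []}
    try:
        result["resolved"] = socket.gethostbyname(dashboard_host)
    except socket.gaierror as exc:
        result["problems"].append(f"DNS failure: {exc}")
        return result
    url = f"https://{dashboard_host}/.well-known/openid-configuration"
    try:
        ctx = ssl.create_default_context()
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            result["status"] = resp.status
            doc = json.load(resp)
    except Exception as exc:  # firewall, reverse proxy or TLS errors surface here
        result["problems"].append(f"fetch failed: {exc}")
        return result
    result["problems"].extend(check_discovery(doc, dashboard_host))
    return result


if __name__ == "__main__":
    import sys
    print(json.dumps(diagnose(sys.argv[1] if len(sys.argv) > 1 else "my.example.com"), indent=2))
```

Run it from the app's webterminal with the real dashboard hostname as the argument; an empty `problems` list means the container can both resolve and fetch the provider and the advertised endpoints are reachable on the same host.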
-
wrote on Sep 14, 2023, 11:26 AM last edited by
@nebulon It returns the public IP address. The system is behind a reverse proxy. The webinterface is reachable over the internet. Should I be able to open https://my.<your cloudron domain>/.well-known/openid-configuration from a browser?
I only get a server error.
-
Yes that should be publicly reachable. Can you check the server side logs at
/home/yellowtent/platformdata/logs/box.log
about any errors?
-
wrote on Sep 14, 2023, 12:27 PM last edited by buesching Sep 14, 2023, 12:28 PM
@nebulon It isn't even reachable from a local system, which uses the local address for my.<your cloudron domain>. The webinterface is still reachable. Do I have to set the well known location as I asked before?
-
wrote on Sep 14, 2023, 12:41 PM last edited by
Where can I change the dns settings? I would like to resolve the local address for my.<your cloudron domain>. I want to bypass my firewall. Maybe it should work then.
-
If the local systems can resolve the public IP then this seems fine.
What kind of reverse proxy setup is this, maybe it interferes with the requests? Can you maybe disable that and expose the system directly just to see if it works as expected then?
-
wrote on Sep 14, 2023, 1:19 PM last edited by
We are using a Securepoint firewall with integrated reverse proxy. I will talk to the support.
-
wrote on Sep 15, 2023, 10:24 AM last edited by
Hello, we solved the problem. It was a wrong configuration in our firewall.
-