Cannot login anymore after switch to OIDC in latest update

nebulon

Do you have the same problem as @buesching or as @abuyuy ?

nebulon

The issue with existing account, is happening for instances which are rather old, where the accounts were created with their UID instead of the username. To make app migration easier, we decided long ago to stick where possible to usernames, now with the change to OpenID this mapping does not work on old instances anymore. Currently looking for a possible migration path though.

simon

@nebulon same problem as @abuyuy

nebulon

We are working on a fix for that problem.

buesching

@nebulon said in Cannot login anymore after switch to OIDC in latest update:

curl -v https://my.<your cloudron domain>/.well-known/openid-configuration

I cannot reach this URL. Not from bookstack and not from any other sytem.
Do I have to configure something under Domain & Certs before?

nebulon

With OpenID the apps backends have to be able to reach the OpenID provider, which on Cloudron is running on the dashboard domain. So any app with OpenID will fail if your system can't call the Cloudron APIs from within its app containers.

For a start, can you resolve the dashboard domain from the webterminal of an app?
host my.domain.com

If this is a system hosted behind a router (like a homesetup) make sure hairpinning is supported.

buesching

@nebulon It returns the public IP address. The system is behind a reverse proxy. The webinterface is reachable over the internet. Should I be able to open https://my.<your cloudron domain>/.well-known/openid-configuration from a browser?
I only get a server error.

nebulon

Yes that should be publicly reachable. Can you check the server side logs at /home/yellowtent/platformdata/logs/box.log about any errors?

buesching

@nebulon It isnt even reachable from a local system, which uses the local address for my.<your cloudron domain>. The webinterface is still reachable. Do I have to set the well known location as I asked before?

buesching

Where can I change the dns settings? I would like to resolve the local address for my.<your cloudron domain>. I want to bypass my firewall. Maybe it should work then.

nebulon

If the local systems can resolve the public IP then this seems fine.
What kind of reverse proxy setup is this, maybe it interferes with the requests? Can you maybe disable that and expose the system directly just to see if it works as expected then?

buesching

We are using an Securepoint firewall with integrated reverse proxy. I will talk to the support.

buesching

Hello, we solved the problem. It was a wrong configuration in our firewall.

nebulon

Thanks for sharing and glad it worked out in the end.

abuyuy

@nebulon Have you marked the topic as solved because you found a way to migrate users in old setup to OIDC properly, or because the issue that hijacked the original topic of the thread solved itself (see posts above)?

nebulon

The package contains a user migration script https://git.cloudron.io/cloudron/bookstack-app/-/blob/master/migrateUsers.js?ref_type=heads
By now this should have been applied and it will be removed again from the start.sh

abuyuy

Thank you for the quick support!

buesching

Hello,

Now, I have the same problem at a customer. Cloudron and bookstack are not accessible from the internet. It is used only internal. I created a custom.conf for the unbound dns. But it is still not working. How do I have to configure the dns setting that OpenID Connect is working? We use a wildcard certificate.

girish

@buesching said in Cannot login anymore after switch to OIDC in latest update:

But it is still not working

Can you tell us what is not working?

a) Can users reach the cloudron dashboard?
b) Is the app not able to reach the cloudron oidc api? Like maybe nothing appears after you click oidc button in browser?
c) Is that wildcard certificate self signed?

If c) is the issue then fixing unbound won't help here. Most apps do not accept self signed certs for oidc. I recommend simply using a proper wildcard cert. You can either switch to one of the Cloudron supported DNS providers OR purchase a wildcard cert (it's only 45usd at https://www.garrisonhost.com/ssl-certificates/alphassl). In either case, you can keep your setup completely private as now.

buesching

@girish
a) yes
b) same error as in the 4th post. See above.
c) it is not self signed. Its from geotrust.

We had the same problem in our environment. It was an misconfiguration of our reverse proxy (from the firewall).
In the environment of the customer the dashboards are note accessible from the internet. In that case the traffic does not run over the reverse proxy. The connection is established locally.