Cannot login after switch to OIDC
-
@girish I am on 7.6.0
I restored to backups of ttrs version v2.9.0 and v2.8.0. On 2.8.0, I can log in, once I update to 2.9.0 (or 2.10.0) with the OIDC login, my logins fail.
If the OIDC thing works, I would really love a step-by-step guide "for dummies" to set it up. I've gone over the documentation many many times on the Bookstack app, and I cannot understand it (it's a puzzle for me what I need to fill in where, and in which parts of my Cloudron)... But I guess that's another issue
-
@odie said in Cannot login after switch to OIDC:
I've gone over the documentation many many times on the Bookstack app
On a fresh install of the Bookstack app I just see this:
I click the button and I'm in.
But you've posted this in the Tiny Tiny RSS category, and on a fresh install of that it doesn't appear to use OIDC at all, it just presents this login box:
And standard Cloudron credentials work there.
-
@jdaviescoates I used the Bookstack example to illustrate how hard it is for me to understand the OIDC documentation (what info goes where, how to obtain this info etc). OIDC login (ie using Cloudron credentials on an OIDC enabled app) initially didn't work on my Cloudron after the first app update, but it was fixed on a later update. So I made this reference. Sorry if it added to the confusion.
-
@girish I see the login screen you post. I'll show you how it looks like on my Cloudron, first on 2.8.0 (where Cloudron credentials work), and second on 2.9.0 OIDC (where Cloudron credentials don't work any longer):
2.8.0 (Cloudron credentials) - home panel view:
2.8.0 (Cloudron credentials) - login screen - login works ok with Cloudron credentials:
2.9.0 (OIDC credentials) - home panel view:
2.9.0 (OIDC credentials) - login screen - login no longer works with Cloudron credentials:
-
Do you see any error in your browser console, maybe it fails loading some state to show the OpenID login button?
Also just to be sure, have you installed any plugins or done some other customization within the app, which may interfere here? And have you done a hard-refresh in the browser after the app update?
-
@nebulon These are the only two login entries immediately upon trying to log in:
Oct 29 12:05:55 85.252.85.54 - - [29/Oct/2023:11:05:55 +0000] "POST /public.php?return=https%3A%2F%2F<ttrss.mydomain.ext>%2F HTTP/1.1" 302 - "https://<ttrss.mydomain.ext>/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/118.0"
Oct 29 12:05:55 [Sun Oct 29 11:05:55.522403 2023] [php:warn] [pid 31] [client 172.18.0.1:38488] PHP Warning: Failed login attempt for <username> (service: ) from 85.252.85.54 in /app/code/classes/logger.php on line 52, referer: https://<ttrss.mydomain.ext>/
These are the only log entries after opening the instance:
Oct 29 12:09:56 85.252.85.54 - - [29/Oct/2023:11:09:56 +0000] "GET / HTTP/1.1" 200 1757 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/118.0"
Oct 29 12:09:56 85.252.85.54 - - [29/Oct/2023:11:09:56 +0000] "GET /themes/light.css?1698577796023 HTTP/1.1" 200 8868 "https://<ttrss.mydomain.ext>/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/118.0"
Oct 29 12:09:56 85.252.85.54 - - [29/Oct/2023:11:09:56 +0000] "GET /lib/flat-ttrss/flat_combined.css HTTP/1.1" 200 17894 "https://<ttrss.mydomain.ext>/themes/light.css?1698577796023" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/118.0"
The plugins I have installed are:
- Fever plugin: at https://<ttrss.mydomain.ext>/plugins.local/fever/
  This authenticates after the upgrade (which is why I didn't notice this immediately)
- api_newsplus: API plugin for News+ v1.10, by hrk
In the plugins settings, the following plugins are enabled:
- af_comics
- api_newsplus
- auth_ldap
- bookmarklets
- mailer_smtp
- note
I have tried with several browsers on different platforms, incognito mode, being logged in, being logged out, etc. Same outcome every time.
-
Does the OpenID login show up, if you install a second app instance fresh? If not, then maybe there is some routing issue on your Cloudron, since with OpenID the app needs to be able to connect via the dashboard domain, which in some situations caused issues on some setups. Also for this, might be worth checking if other apps using OpenID work for you.
-
@nebulon I just setup a clean install, and I get a different first login screen:
When I fill in Cloudron credentials and click login, I get the login error. When I do the same, but click the Log in with Cloudron button, I am presented with a second login screen:
This login works.
-
So the built-in login form (the one which does not work) is authenticating against the app's internal users. So it is by design that it won't work with the Cloudron credentials. One of the benefits with OpenID, and partly why we are moving apps to that, is that the app code itself now can't see the user's password, which is not great.
So then for your initial issue, why the OpenID button is not shown, it appears to be an issue local to that app instance, so something is off with the configuration or indeed some of the mentioned plugins are causing that.
-
-
@nebulon Something is definitely off/changed. In the old version of the app, the files config.php, env.sh and php.ini are quite large. In the new version, they are basically empty.
ie., some lines from the old env.sh (excerpt only):
#!/bin/bash
# https://git.tt-rss.org/fox/tt-rss/src/branch/master/classes/config.php and https://tt-rss.org/wiki/GlobalConfig
export TTRSS_DB_TYPE=mysql
export TTRSS_DB_HOST=$CLOUDRON_MYSQL_HOST
export TTRSS_DB_USER=$CLOUDRON_MYSQL_USERNAME
export TTRSS_DB_NAME=$CLOUDRON_MYSQL_DATABASE
export TTRSS_DB_PASS=$CLOUDRON_MYSQL_PASSWORD
export TTRSS_DB_PORT=$CLOUDRON_MYSQL_PORT
export TTRSS_MYSQL_CHARSET=UTF8
export TTRSS_SELF_URL_PATH=$CLOUDRON_APP_ORIGIN
export TTRSS_SINGLE_USER_MODE=
export TTRSS_SIMPLE_UPDATE_MODE=
export TTRSS_ICONS_DIR=/app/data/feed-icons
whereas the new env.sh file looks like this (this is the entire file):
# Add custom env vars here. See https://tt-rss.org/wiki/GlobalConfig
# add custom system plugins to this variable (comma separated)
export TTRSS_PLUGINS="$CLOUDRON_BUILTIN_PLUGINS, note, api_newsplus"
export TTRSS_SESSION_COOKIE_LIFETIME=604800
In the new instance, I have added the fever and api_newsplus plugins and everything still works. I have also exported the old OPML and settings and imported them in the new instance. Everything is present, all feeds are updating and all filters work.
So for me, I think the best solution is to just retire the old instance and migrate the new.
Would it be acceptable to post a follow-up question and ask how I could setup OIDC on TTRSS? I could make a new topic if that is better.
-
@odie said in Cannot login after switch to OIDC:
@nebulon In the new instance, I have added the fever and api_newsplus plugins and everything still works. I have also exported the old OPML and settings and imported them in the new instance. Everything is present, all feeds are updating and all filters work.
So for me, I think the best solution is to just retire the old instance and migrate the new.
Spoke too soon. In the new instance, everything seems to work. But login via the fever plugin no longer works. This is a must for me, since I use the Reeder app for iOS and MacOS.
-
@odie said in Cannot login after switch to OIDC:
Would it be acceptable to post a follow-up question and ask how I could setup OIDC on TTRSS?
You don't need to do anything manually. It's all set up automatically. When you install, the app is pre-setup with OIDC.
-
@odie said in Cannot login after switch to OIDC:
But login via the fever plugin no longer works
Which plugin are you using ? It seems the one listed in our docs is outdated and https://github.com/DigitalDJ/tinytinyrss-fever-plugin#installation is the latest one. I see a fever emulation panel installing that but I don't know how to test this on android.... Seems all the apps are obsolete.
-
@girish said in Cannot login after switch to OIDC:
@odie said in Cannot login after switch to OIDC:
Would it be acceptable to post a follow-up question and ask how I could setup OIDC on TTRSS?
You don't need to do anything manually. It's all set up automatically. When you install, the app is pre-setup with OIDC.
Strange. Single sign-on doesn't seem to work, I have to login like before. It was my understanding that OIDC would provide SSO.
-
@girish said in Cannot login after switch to OIDC:
@odie said in Cannot login after switch to OIDC:
But login via the fever plugin no longer works
Which plugin are you using ? It seems the one listed in our docs is outdated and https://github.com/DigitalDJ/tinytinyrss-fever-plugin#installation is the latest one. I see a fever emulation panel installing that but I don't know how to test this on android.... Seems all the apps are obsolete.
This is the one I am using. The latest version, pulled a few hours ago (v cc297d8, updated two days ago). I've tried it using Reeder on Mac and iPhone.
edit: just tried the Android app Focusreader (it also has fever). This gives http error 500.
This is the Cloudron log:
Oct 29 18:41:21 85.252.85.54 - - [29/Oct/2023:17:41:21 +0000] "POST /plugins.local/fever/?api& HTTP/1.1" 500 - "-" "okhttp/4.9.2"
Oct 29 18:41:21 [Sun Oct 29 17:41:21.697344 2023] [php:error] [pid 61] [client 172.18.0.1:40230] PHP Fatal error: Uncaught Error: Failed opening required 'classes/Db.php' (include_path='/app/data/plugins.local/fever:/app/code:/app/code/include:.:/usr/share/php') in /app/data/plugins.local/fever/index.php:36\nStack trace:\n#0 {main}\n thrown in /app/data/plugins.local/fever/index.php on line 36
-
@odie said in Cannot login after switch to OIDC:
@girish said in Cannot login after switch to OIDC:
@odie said in Cannot login after switch to OIDC:
But login via the fever plugin no longer works
Which plugin are you using ? It seems the one listed in our docs is outdated and https://github.com/DigitalDJ/tinytinyrss-fever-plugin#installation is the latest one. I see a fever emulation panel installing that but I don't know how to test this on android.... Seems all the apps are obsolete.
This is the one I am using. The latest version, pulled a few hours ago (v cc297d8, updated two days ago). I've tried it using Reeder on Mac and iPhone.
edit: just tried the Android app Focusreader (it also has fever). This gives http error 500.
This is the Cloudron log:
Oct 29 18:41:21 85.252.85.54 - - [29/Oct/2023:17:41:21 +0000] "POST /plugins.local/fever/?api& HTTP/1.1" 500 - "-" "okhttp/4.9.2"
Oct 29 18:41:21 [Sun Oct 29 17:41:21.697344 2023] [php:error] [pid 61] [client 172.18.0.1:40230] PHP Fatal error: Uncaught Error: Failed opening required 'classes/Db.php' (include_path='/app/data/plugins.local/fever:/app/code:/app/code/include:.:/usr/share/php') in /app/data/plugins.local/fever/index.php:36\nStack trace:\n#0 {main}\n thrown in /app/data/plugins.local/fever/index.php on line 36
Quoting myself with a fix here, that works on both Reeder (MacOS and iOS) and Focusreader (Android).
On lines 36 and 37 in the Fever plugin file index.php, two classes are capitalized wrong:
Changed:
require_once "classes/Db.php";
require_once "classes/API.php";
into:
require_once "classes/db.php";
require_once "classes/api.php";
This fixes the Fever plugin...
-
@odie Ha, I arrived at the same fixes! I was investigating yesterday why the casing is all wrong. Initially, I thought maybe this was a Windows developer who didn't notice the change in filenames. But then I found https://gitlab.tt-rss.org/tt-rss/tt-rss/-/commit/865ecc87963dc3b26e66296616eef2a1cc41ac3f from 4 days ago. Upstream changed all the filenames. I will make an update now to ttrss latest and then we don't need changes to the plugin.
-
For future reference (since I couldn't find an android app to work with), one can test fever with curl like so:
$ curl https://ttrss.domain.com/plugins.local/fever/
{"api_version":3,"auth":0,"error":"NOT_LOGGED_IN"}
Then,
$ api_key=`echo -n "username:password" | md5sum | cut -d' ' -f1`
$ curl -F "api_key=$api_key" https://ttrss.domain.com/plugins.local/fever/
{"api_version":3,"auth":1,"last_refreshed_on_time":"0"}
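Added example, not part of the original thread and not Cloudron or tt-rss code: a Python check for the failure diagnosed above, where a plugin's `require_once` paths differ only in letter case from the files on disk and so fail on a case-sensitive filesystem. The function names and the temporary directory layout are constructed for illustration; on a real instance the search directories would be the entries of the `include_path` shown in the PHP error.

```python
import os
import re
import tempfile

# Literal paths in require/include statements, e.g. require_once "classes/Db.php";
REQUIRE_RE = re.compile(r'\b(?:require|include)(?:_once)?\s*\(?\s*["\']([^"\']+)["\']')
RANK = ("ok", "case-mismatch", "missing")

def resolve_exact(base, rel):
    """Resolve rel under base by directory listing, so the result is case-exact on any filesystem."""
    current, actual, status = base, [], "ok"
    for part in rel.split("/"):
        try:
            names = os.listdir(current)
        except OSError:
            return "missing", None
        if part in names:
            match = part
        else:
            folded = [n for n in names if n.lower() == part.lower()]
            if not folded:
                return "missing", None
            match, status = folded[0], "case-mismatch"
        actual.append(match)
        current = os.path.join(current, match)
    return status, "/".join(actual)

def check_requires(php_source, include_path):
    """Return (path, status, on-disk spelling) for each literal require/include."""
    results = []
    for rel in REQUIRE_RE.findall(php_source):
        hits = [resolve_exact(base, rel) for base in include_path]
        # Prefer an exact hit in any directory, then a case-only mismatch.
        best = min(hits, key=lambda h: RANK.index(h[0]), default=("missing", None))
        results.append((rel, *best))
    return results

def demo():
    """Constructed layout: core files with lowercase names, plugin still using the old casing."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "classes"))
        for name in ("db.php", "api.php"):
            open(os.path.join(root, "classes", name), "w").close()
        plugin = 'require_once "classes/Db.php";\nrequire_once "classes/API.php";\n'
        return check_requires(plugin + 'require_once "classes/api.php";\n', [root])

if __name__ == "__main__":
    for row in demo():
        print(row)
```

Running such a check over `plugins.local` after an app update flags plugins that will return HTTP 500 before a client hits them.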