Cloudron Forum

So currently the login flow pages are served up with content security policy headers to not allow being embedded in another domain/origin. The reason for this is to prevent clickjacking attacks and was explicitly done that way. I guess for this we would need a csp setting for the OpenID provider where one can allow specific domains/origins.

It works now

@girish Thank you, girish for the update!

So I am not sure what pangolin really needs here, but I did some more testing and the mentioned claims are all included in the JWT in my tests already in the currently released Cloudron OIDC server. How did you see that those aren't included in your case as you mentioned? Are you even getting a valid JWT and can you decode that? How does that json object look after that? The token response should look something like: { "access_token": "OGpFA1siYNbAQiCahuvjUDkKgoRAi4cz00lysJC6jt9", "expires_in": 3600, "id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6IjFrRF..........", "refresh_token": "IJpU-ULmWoEYmUJmd55HLQF7aVHPbZIzdmWHUYQ1vB0", "scope": "openid profile email", "token_type": "Bearer" } Which then decoded in my case holds: Payload (Claims) sub: "nebulon" family_name: "" given_name: "Firstname" locale: "de-DE" name: "Lastname" preferred_username: "nebulon" picture: "https://my.cloudron/api/v1/profile/avatar/uid-e6e4afd0-f677-45e3-8d61-4dd039c32a11.png" email: "nebulon@..." email_verified: true aud: "cid-b901ffe1294a0683aff450bb86d036b5" exp: 1765189670 (8.12.2025, 11:27:50) iat: 1765186070 (8.12.2025, 10:27:50) iss: "https://my.cloudron..../openid"

I also had similar issues as soon as I migrated to Cloudron 9.x and after a while or maybe after successful login attempts with an alternative auth flow, I had no longer any issues authenticating through OpenID. weird indeed but I have noticed similar complains about Cloudron 9 and OIDC in other threads.

Hello @scooke Glad I could explain/resolve this issue for you.

Ok nevermind, I found the corresponding update and it works again after updating to the next version.

@SDEInfo fixed with https://git.cloudron.io/platform/box/-/commit/e87d2e1218ce0e6d5a9ee89e57976e459b73c7d4

Hello @Lomeu Did you figure this out or is this still an issue?

@jdaviescoates and @girish: Excellent. Thank you. I can work with this. Very much appreciated.

@james the developer has released v5.1.1 which is supposed to have fixed the issue, however I am still experiencing the same behavior when I try to sign into the iOS app using OpenID. Can you please test on your iPhone and advise if it is the same for you as well?

Indeed they're back when they login with OIDC, thanks for the tips. This ticket can be closed I think.

@Mamouti if you need (smallish) changes to the packages, feel free to submit MRs . All the packages are at https://git.cloudron.io/packages/

MetaMask the crypto wallet? Not sure why that could be causing problems, but maybe a question for the MetaMask people.

thanks @nebulon & @girish, this does indeed fix everything, appreciate it

In OpenID there is no well supported way to log out users from services which used the OpenID for authentication (in Cloudron case the apps). Those app have their own session and session handling. So there is mostly likely no way around this unless an app would start using OAuth2 access and refresh tokens (but implementation of that was spotty in the past which sparked OpenID connect in the first place) For a start if you logout of the dashboard, subsequent app logins (from a state where the app has no login session) then Cloudron will prompt you to login with a username. If that is not happening the Oidc session was still alive. The best way I found was to use container tabs in like firefox and probably other browsers, which maintain isolated sessions. This is also how I use other services like Digitalocean where we have multiple accounts with different roles.

Good catch, we have to fixup the docs here. The OpenID provider session logout, triggered by the app used to be there, but we found that no app supports this properly so it got removed. For nextcloud, we have some changes to soon enable OIDC login by default in the package, so may not be worth it to investigate just now in your case.

Oops nm I figured out the right Wordpress login url and redirect pattern to use

Thank you @girish - Sounds promising. Looking forward to v8.