Cloudron Forum

Cannot login anymore after switch to OIDC in latest update

    abuyuy wrote (#1):

    Hi @girish / @nebulon

    After the latest update (1.32.0 / see https://forum.cloudron.io/post/73395) of BookStack, which changes the login method to use OIDC, I cannot log in anymore to my instance.
    It throws an error about an already existing user with the same account info but different credentials.

    I've tried to edit the env file to not use OIDC, but "standard", that didn't work either.

    How do I restore access?

      nebulon (Staff) wrote (#2):

      Have to see if we can reproduce this. For the moment you can restore the app to the backup prior to the update and disable auto-updates for the moment.

        girish (Staff) wrote (#3):

        We managed to reproduce this in another instance. Strange, so this is revoked for now. Will debug.

          buesching wrote (#4):

          Hello,

          after updating to 1.32.0 we are not able to log in anymore.
          We get this error.
          [Screenshot: 2023-09-12_07h45_16.png]
          What should we do? I have checked the configs and it seems like oidc is configured correctly.
          I have rolled back to version 1.31.2. Now, we can work again.

            nebulon (Staff) wrote (#5):

            Your issue seems to be related to networking actually. With OpenID the apps have to be able to reach the OpenID provider, which is running on the dashboard domain.
            Can you maybe check from a webterminal inside the app if the following works (after the rollback):

            curl -v https://my.<your cloudron domain>/.well-known/openid-configuration
            
              simon wrote (#6):

              Hello there,
              I have the same problem with version 1.32.0. Can call the openid-configuration from 1.32.0 as well as from 1.31.0.

                nebulon (Staff) wrote (#7):

                Do you have the same problem as @buesching or as @abuyuy ?

                  nebulon (Staff) wrote (#8):

                  The issue with the existing account is happening for instances which are rather old, where the accounts were created with their UID instead of the username. To make app migration easier, we decided long ago to stick where possible to usernames; now with the change to OpenID this mapping does not work on old instances anymore. Currently looking for a possible migration path though.

                    simon wrote (#9):

                    @nebulon same problem as @abuyuy

                      nebulon (Staff) wrote (#10):

                      We are working on a fix for that problem.

                        buesching wrote (#11):

                        @nebulon said in Cannot login anymore after switch to OIDC in latest update:

                        curl -v https://my.<your cloudron domain>/.well-known/openid-configuration

                        I cannot reach this URL. Not from bookstack and not from any other system.
                        Do I have to configure something under Domain & Certs before?
                        [Screenshot: 4ee1a0f3-1929-4bd4-b21c-1b3b02216977-image.png]

                          nebulon (Staff) wrote (#12):

                          With OpenID the apps' backends have to be able to reach the OpenID provider, which on Cloudron is running on the dashboard domain. So any app with OpenID will fail if your system can't call the Cloudron APIs from within its app containers.

                          For a start, can you resolve the dashboard domain from the webterminal of an app?
                          host my.domain.com

                          If this is a system hosted behind a router (like a home setup), make sure hairpinning is supported.

                          B 1 Reply Last reply
                          0
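The checks from posts #5 and #12 (resolve the dashboard domain from the app's web terminal, then fetch the discovery document) combined into one triage script, as an added example that is not part of the original posts or of Cloudron's own tooling. The host my.example.com, the sample document and the function names (json_field, classify_response, sample_doc, probe) are constructed, and the default issuer of https://<dashboard-host> is an assumption; pass the issuer your app is configured with as the second argument if it differs.

```shell
#!/bin/sh
# Added example: triage OIDC discovery from inside an app container.
# my.example.com, the sample document and all function names are constructed.
# Extract a top-level string field from a discovery document without jq.
json_field() {  # usage: json_field <name> < file
    tr -d '\n' | sed 's#\\/#/#g' |
        sed -n "s/.*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# Classify the answer from /.well-known/openid-configuration.
# Prints one verdict; returns 0 only for a usable discovery document.
classify_response() {  # usage: classify_response <http_code> <body_file> <issuer>
    code=$1; body=$2; want=${3%/}
    case $code in
        000) echo unreachable; return 1 ;;   # no HTTP answer: DNS, routing, TLS, hairpinning
        200) ;;
        *)   echo "http_$code"; return 1 ;;  # e.g. an error page served by a reverse proxy
    esac
    got=$(json_field issuer < "$body"); got=${got%/}
    [ -n "$got" ] || { echo not_discovery_json; return 1; }
    [ "$got" = "$want" ] || { echo issuer_mismatch; return 1; }
    for key in authorization_endpoint token_endpoint jwks_uri; do
        case $(json_field "$key" < "$body") in
            https://*) ;;
            *) echo "bad_$key"; return 1 ;;
        esac
    done
    echo ok
}

# Constructed sample of a healthy discovery document (not captured from a real server).
sample_doc() {
    printf '%s' '{"issuer":"https://my.example.com","authorization_endpoint":"https://my.example.com/auth","token_endpoint":"https://my.example.com/token","jwks_uri":"https://my.example.com/jwks"}'
}

# Live check from the web terminal: probe <dashboard-host> [issuer]; issuer defaults to https://<host> (assumption).
probe() {
    host=$1; issuer=${2:-https://$1}; tmp=$(mktemp)
    getent hosts "$host" || echo "DNS: $host does not resolve in this container"
    code=$(curl -sS -o "$tmp" -w '%{http_code}' --max-time 10 \
        "https://$host/.well-known/openid-configuration") || code=000
    classify_response "$code" "$tmp" "$issuer"; rc=$?
    rm -f "$tmp"; return "$rc"
}

if [ "$#" -gt 0 ]; then probe "$@"; else  # no arguments: offline run on the sample
    t=$(mktemp); sample_doc > "$t"; classify_response 200 "$t" https://my.example.com; rm -f "$t"
fi
```

A verdict of `unreachable` or `http_…` from inside the container while the dashboard still loads in a browser points at the network path (reverse proxy, firewall, hairpinning) rather than at the app's OIDC settings.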
                            buesching wrote (#13):

                            @nebulon It returns the public IP address. The system is behind a reverse proxy. The webinterface is reachable over the internet. Should I be able to open https://my.<your cloudron domain>/.well-known/openid-configuration from a browser?
                            I only get a server error.
                            [Screenshot: 2023-09-14_13h25_27.png]

                              nebulon (Staff) wrote (#14):

                              Yes that should be publicly reachable. Can you check the server side logs at /home/yellowtent/platformdata/logs/box.log about any errors?

                                buesching wrote (#15):

                                @nebulon It isn't even reachable from a local system, which uses the local address for my.<your cloudron domain>. The webinterface is still reachable. Do I have to set the well known location as I asked before?

                                  buesching wrote (#16):

                                  Where can I change the dns settings? I would like to resolve the local address for my.<your cloudron domain>. I want to bypass my firewall. Maybe it should work then.

                                    nebulon (Staff) wrote (#17):

                                    If the local systems can resolve the public IP then this seems fine.
                                    What kind of reverse proxy setup is this, maybe it interferes with the requests? Can you maybe disable that and expose the system directly just to see if it works as expected then?

                                      buesching wrote (#18):

                                      We are using a Securepoint firewall with integrated reverse proxy. I will talk to the support.

                                        buesching wrote (#19):

                                        Hello, we solved the problem. It was a wrong configuration in our firewall.

                                          nebulon (Staff) wrote (#20):

                                          Thanks for sharing and glad it worked out in the end.
