Serious OIDC EspoCRM issues!
-
Since the last update of the EspoCRM package it contains OIDC, I was looking forward to it but the current implementation is extremely user unfriendly
- If you click the button to log in the browser tries to open a pop-up window. Most browsers block that by default and some browser are showing a little warning that a pop-up window was requested. 99% of the users won't notice and can't log in!!
- If you accept the pop-up opening then you see a "bare" window with no buttons, so password managers like Bitwarden don't show and you can't login
- If you manage to fill in the credentials you get a strange warning (see screenshot) and can do nothing. If you close this pop-up and try to login again you're suddenly logged in!
- If you manage to login you can never ever logout again! What ever you try you keep being logged in as that one user. So it is impossible to switch users.
- In the Auth Log you don't see the username anymore so for security reasons and auditing it's useless and not acceptable. (see screenshot 2)
If this can't be solved I would really prefer to switch back to LDAP soon.
-
Ok, just before I read you comment I already decided to roll back to the latest backup because you can't use it anymore
-
Since the last update of the EspoCRM package it contains OIDC, I was looking forward to it but the current implementation is extremely user unfriendly
- If you click the button to log in the browser tries to open a pop-up window. Most browsers block that by default and some browser are showing a little warning that a pop-up window was requested. 99% of the users won't notice and can't log in!!
- If you accept the pop-up opening then you see a "bare" window with no buttons, so password managers like Bitwarden don't show and you can't login
- If you manage to fill in the credentials you get a strange warning (see screenshot) and can do nothing. If you close this pop-up and try to login again you're suddenly logged in!
- If you manage to login you can never ever logout again! What ever you try you keep being logged in as that one user. So it is impossible to switch users.
- In the Auth Log you don't see the username anymore so for security reasons and auditing it's useless and not acceptable. (see screenshot 2)
If this can't be solved I would really prefer to switch back to LDAP soon.
@imc67 said in Serious OIDC EspoCRM issues!:
If you manage to login you can never ever logout again! What ever you try you keep being logged in as that one user. So it is impossible to switch users.
This is how most OIDC login behave btw. For example, Google login on most sites. I tried this with gitlab.com just now and same behavior. You get auto logged in after logout.
-
@imc67 said in Serious OIDC EspoCRM issues!:
If you manage to login you can never ever logout again! What ever you try you keep being logged in as that one user. So it is impossible to switch users.
This is how most OIDC login behave btw. For example, Google login on most sites. I tried this with gitlab.com just now and same behavior. You get auto logged in after logout.
-
Any news about this topic? Cannot login using some kind of browsers, like Webcatalog
-
@p44 I am afraid that data has to be recreated.
The other alternative is to wait more. But these are more upstream issues and we don't have an idea when it will get sorted out. We have to report them first as well.
@girish Ok, thank's a lot Girish.
I think I cannot move forward, restoring backup, because data has been updated meanwhile, so we will lose all changes in case of restore.
I'll wait more hoping that those upstream issues will be fixed.
Thank's again for your patience
-
Since the last update of the EspoCRM package it contains OIDC, I was looking forward to it but the current implementation is extremely user unfriendly
- If you click the button to log in the browser tries to open a pop-up window. Most browsers block that by default and some browser are showing a little warning that a pop-up window was requested. 99% of the users won't notice and can't log in!!
- If you accept the pop-up opening then you see a "bare" window with no buttons, so password managers like Bitwarden don't show and you can't login
- If you manage to fill in the credentials you get a strange warning (see screenshot) and can do nothing. If you close this pop-up and try to login again you're suddenly logged in!
- If you manage to login you can never ever logout again! What ever you try you keep being logged in as that one user. So it is impossible to switch users.
- In the Auth Log you don't see the username anymore so for security reasons and auditing it's useless and not acceptable. (see screenshot 2)
If this can't be solved I would really prefer to switch back to LDAP soon.
@imc67 said in Serious OIDC EspoCRM issues!:
If you manage to fill in the credentials you get a strange warning (see screenshot) and can do nothing. If you close this pop-up and try to login again you're suddenly logged in!
This is opened in https://github.com/espocrm/espocrm/issues/2959
-
Looks like they solved it and will release it in the next update
-
Since the last update of the EspoCRM package it contains OIDC, I was looking forward to it but the current implementation is extremely user unfriendly
- If you click the button to log in the browser tries to open a pop-up window. Most browsers block that by default and some browser are showing a little warning that a pop-up window was requested. 99% of the users won't notice and can't log in!!
- If you accept the pop-up opening then you see a "bare" window with no buttons, so password managers like Bitwarden don't show and you can't login
- If you manage to fill in the credentials you get a strange warning (see screenshot) and can do nothing. If you close this pop-up and try to login again you're suddenly logged in!
- If you manage to login you can never ever logout again! What ever you try you keep being logged in as that one user. So it is impossible to switch users.
- In the Auth Log you don't see the username anymore so for security reasons and auditing it's useless and not acceptable. (see screenshot 2)
If this can't be solved I would really prefer to switch back to LDAP soon.
@imc67 said in Serious OIDC EspoCRM issues!:
- In the Auth Log you don't see the username anymore so for security reasons and auditing it's useless and not acceptable. (see screenshot 2)
Yury, the chief developer of the EspoCRM project, explained that the user is available on the View section of the AuthLog record.
-
Upstream EspoCRM 8.1.2 has fixed a few OIDC issues. Atleast, the first login error message is fixed. I have tested a bunch of browsers but only on Linux and Android. It works fine and I am also able to autocomplete using password manager (you have to use context menu in desktop to reach the password manager). We still have the popup but there is nothing we can do here. Upstream has made a note to change this at some point.
