Serious OIDC EspoCRM issues!
-
Any news about this topic? Cannot log in using some kinds of browsers, like Webcatalog.
-
@p44 we reverted the package already. Just revert to the previous package version using your backups.
-
@p44 I am afraid that data has to be recreated.
The other alternative is to wait more. But these are more upstream issues and we don't have an idea when it will get sorted out. We have to report them first as well.
-
@girish Ok, thanks a lot Girish.
I think I cannot move forward, restoring backup, because data has been updated meanwhile, so we will lose all changes in case of restore.
I'll wait more hoping that those upstream issues will be fixed.
Thanks again for your patience.
-
@imc67 @p44 We have opened the separate window popup as an issue upstream - https://github.com/espocrm/espocrm/issues/2958
-
@imc67 said in Serious OIDC EspoCRM issues!:
If you manage to fill in the credentials you get a strange warning (see screenshot) and can do nothing. If you close this pop-up and try to login again you're suddenly logged in!
This is opened in https://github.com/espocrm/espocrm/issues/2959
-
Looks like they solved it and will release it in the next update
-
@imc67 For the username in the auth log - https://github.com/espocrm/espocrm/issues/2959#issuecomment-1910219351
-
@imc67 said in Serious OIDC EspoCRM issues!:
- In the Auth Log you don't see the username anymore so for security reasons and auditing it's useless and not acceptable. (see screenshot 2)
Yury, the chief developer of the EspoCRM project, explained that the user is available on the View section of the AuthLog record.
-
Upstream EspoCRM 8.1.2 has fixed a few OIDC issues. At least, the first login error message is fixed. I have tested a bunch of browsers but only on Linux and Android. It works fine and I am also able to autocomplete using password manager (you have to use context menu in desktop to reach the password manager). We still have the popup but there is nothing we can do here. Upstream has made a note to change this at some point.
-
I quickly tested on an iPhone/Safari. It opens a new window for login. The popup does not close after login and shows some message. But the main screen logs in fine. Works fine on other browsers though (iPhone/Chrome closes the popup just fine).
I think it's best to report this upstream with screenshots explaining the problem (I can't follow up or test again since I don't have an iPhone). If someone does that, please put a link here for us to follow.
-
After 3 weeks and 3 updates waiting I decided to update again and instruct the users.
@girish there is still the issue of not being able to log out. This is also a security issue when users are sharing a PC (and that happens quite often in a small office). This issue is generic for all OIDC apps and thus a security issue for all those apps ... what do you think?
-
In a privacy tab of the browser I log into EspoCRM with OIDC and then log out from EspoCRM. You then see the log in OIDC button; when you press that you’re immediately logged in again without any credentials.
I can reproduce it in Safari and Firefox on macOS and Safari on iOS.
-
@imc67 said in Serious OIDC EspoCRM issues!:
when you press that you’re immediately logged in again without any credentials.
I know this doesn't really address the issue, but I guess you probably wouldn't be if you also went and logged out of the Cloudron Dashboard?