Serious OIDC EspoCRM issues!

#13 girish (Staff)

@imc67 @p44 We have opened the separate window popup as an issue upstream - https://github.com/espocrm/espocrm/issues/2958
imc67 (earlier post)

Since the last update of the EspoCRM package it contains OIDC. I was looking forward to it, but the current implementation is extremely user unfriendly:

1. If you click the button to log in, the browser tries to open a pop-up window. Most browsers block that by default and some browsers show a little warning that a pop-up window was requested. 99% of the users won't notice and can't log in!!
2. If you accept the pop-up opening then you see a "bare" window with no buttons, so password managers like Bitwarden don't show and you can't log in.
3. If you manage to fill in the credentials you get a strange warning (see screenshot) and can do nothing. If you close this pop-up and try to log in again you're suddenly logged in!
4. If you manage to log in you can never ever log out again! Whatever you try you keep being logged in as that one user. So it is impossible to switch users.
5. In the Auth Log you don't see the username anymore, so for security reasons and auditing it's useless and not acceptable. (see screenshot 2)

If this can't be solved I would really prefer to switch back to LDAP soon.

[Screenshot 1: 34c9328a-91d5-4440-b669-79ba8f1b7d09-Schermafbeelding 2024-01-20 om 09.52.41.png]
[Screenshot 2: Schermafbeelding 2024-01-20 om 10.16.58.png]

#14 girish (Staff)

@imc67 said in Serious OIDC EspoCRM issues!:

    If you manage to fill in the credentials you get a strange warning (see screenshot) and can do nothing. If you close this pop-up and try to log in again you're suddenly logged in!

This is opened in https://github.com/espocrm/espocrm/issues/2959
#15 p44 (translator)

@girish Great! Thanks again
#16 imc67 (translator)

Looks like they solved it and will release it in the next update.
#17 girish (Staff)

@imc67 For the username in the auth log - https://github.com/espocrm/espocrm/issues/2959#issuecomment-1910219351

#18 vladimir.d

@imc67 said in Serious OIDC EspoCRM issues!:

    In the Auth Log you don't see the username anymore, so for security reasons and auditing it's useless and not acceptable. (see screenshot 2)

    [Screenshot 2: Schermafbeelding 2024-01-20 om 10.16.58.png]

Yury, the chief developer of the EspoCRM project, explained that the user is available on the View section of the AuthLog record.

[Screenshot: Screenshot 2024-01-25 at 21.48.06.png]
#19 girish (Staff)

Upstream EspoCRM 8.1.2 has fixed a few OIDC issues. At least, the first login error message is fixed. I have tested a bunch of browsers but only on Linux and Android. It works fine and I am also able to autocomplete using a password manager (you have to use the context menu on desktop to reach the password manager). We still have the popup but there is nothing we can do here. Upstream has made a note to change this at some point.
#20 p44 (translator)

@girish Ok, we will see how it will work. Thanks
#21 girish (Staff)

I quickly tested on an iPhone/Safari. It opens a new window for login. The popup does not close after login and shows some message. But the main screen logs in fine. Works fine on other browsers though (iPhone/Chrome closes the popup just fine).

I think it's best to report this upstream with screenshots explaining the problem (I can't follow up or test again since I don't have an iPhone). If someone does that, please put a link here for us to follow.

#22 p44 (translator)

@girish Ok, thanks again!
#23 imc67 (translator)

After 3 weeks and 3 updates of waiting I decided to update again and instruct the users.

@girish there is still the issue of not being able to log out. This is also a security issue when users are sharing a PC (and that happens quite often in a small office). This issue is generic for all OIDC apps and thus a security issue for all those apps ... what do you think?

#24 girish (Staff)

@imc67 Can you clarify the security issue? At least for me, if I log out from the dashboard and EspoCRM, it asks me for the password when I try to log in. How can I reproduce your problem?
#25 imc67 (translator), edited by imc67

In a private tab of the browser I log into EspoCRM with OIDC and then log out from EspoCRM. You then see the log in with OIDC button; when you press that you're immediately logged in again without any credentials.

I can reproduce it in Safari and Firefox on macOS and Safari on iOS.

#26 jdaviescoates

@imc67 said in Serious OIDC EspoCRM issues!:

    when you press that you're immediately logged in again without any credentials.

I know this doesn't really address the issue, but I guess you probably wouldn't be if you also went and logged out of the Cloudron Dashboard?

I use Cloudron with Gandi & Hetzner
#27 nebulon (Staff)

Generally this "auto login" happens since the OpenID session is still active, and you have only logged out of the app, not the OpenID provider (Cloudron). There are OpenID standards to let apps also trigger a flow to optionally log out the user from the OpenID provider, however Cloudron does not yet implement those. Also support within apps is spotty. Our initial implementation had this feature, but hardly any app would behave well with this.

When sharing a browser session across users, or also if one uses a public computer like in a library, this is not great, I agree, and one would have to use the Cloudron dashboard logout to also kill the OpenID session. Not sure what the best angle is to improve the situation at the moment.
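The mechanism nebulon describes, as an added example that is not Cloudron's or EspoCRM's code: a small model of an OpenID provider (OP) and a relying party (RP, the app) shows why an app-only logout leads to a silent re-login on a shared browser, and the two RP-side remedies the OpenID specs offer, an RP-Initiated Logout request to the provider's end_session_endpoint and prompt=login on the authorization request. The endpoint URL, cookie and id_token values are constructed placeholders; since nebulon notes Cloudron does not implement the logout flow yet, this shows what it looks like with a provider that does.

```python
from urllib.parse import urlencode

# Constructed placeholder endpoint; not Cloudron's real OpenID metadata.
END_SESSION_ENDPOINT = "https://op.example.test/openid/logout"

class OpenIDProvider:
    """Identity provider: owns the SSO session, keyed by the browser cookie."""
    def __init__(self):
        self.sso_sessions = {}  # cookie -> username, set when credentials are entered

    def authorize(self, cookie, prompt=None):
        # prompt=login obliges the OP to re-ask for credentials despite a live SSO session
        if prompt == "login":
            return None
        return self.sso_sessions.get(cookie)

class RelyingParty:
    """The app: delegates login to the OP but keeps its own app session."""
    def __init__(self, op):
        self.op, self.app_sessions = op, {}

    def login(self, cookie, prompt=None):
        user = self.op.authorize(cookie, prompt)
        if user is not None:
            self.app_sessions[cookie] = user
        return user

    def app_only_logout(self, cookie):
        self.app_sessions.pop(cookie, None)  # as in the thread: SSO session untouched

    def rp_initiated_logout(self, cookie, id_token, post_logout_redirect_uri):
        # Clear the app session, then send the browser to the OP so the SSO session ends too.
        self.app_only_logout(cookie)
        # Stands in for the browser following the redirect to end_session_endpoint,
        # where the OP drops its SSO session for this cookie.
        self.op.sso_sessions.pop(cookie, None)
        return end_session_url(id_token, post_logout_redirect_uri)

def end_session_url(id_token, post_logout_redirect_uri, state="opaque-state"):
    """RP-Initiated Logout 1.0 request; id_token_hint names the session to end."""
    params = {"id_token_hint": id_token, "post_logout_redirect_uri": post_logout_redirect_uri, "state": state}
    return END_SESSION_ENDPOINT + "?" + urlencode(params)

def second_login_user(style):
    """Log in as alice, log out in the given style, click 'Log in with OIDC' again;
    return who the app sees then (None = the OP asked for credentials)."""
    op, cookie = OpenIDProvider(), "shared-office-pc"  # constructed: one shared browser
    rp = RelyingParty(op)
    op.sso_sessions[cookie] = "alice"  # alice entered her credentials at the OP
    rp.login(cookie)
    if style == "app_only":
        rp.app_only_logout(cookie)
        return rp.login(cookie)  # "alice": silent re-login, the reported problem
    if style == "rp_initiated":
        rp.rp_initiated_logout(cookie, "constructed-id-token", "https://crm.example.test/")
        return rp.login(cookie)  # None: SSO session ended, OP asks for credentials
    if style == "prompt_login":
        rp.app_only_logout(cookie)
        return rp.login(cookie, prompt="login")  # None: OP forced to re-authenticate
    raise ValueError(style)
```

prompt=login only forces a fresh login for this one app, while other apps signed in through the same SSO session stay signed in; ending the provider session (the dashboard logout nebulon mentions, or RP-Initiated Logout) is what clears a shared browser completely.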

#28 marcusquinn, edited by marcusquinn

@nebulon My feeling is the way the rest of the world deals with this is making OIDC one login option, not the only login option.

So you would have the normal app's login forms, and add a [ ⬢ Cloudron ] login button injected above or below that, to take you to the Cloudron OIDC login screen and auth redirect.

Just a random example, but my feeling is that this would then enable you to have the warning on the Cloudron OIDC login that you will stay logged in to all apps logged in this way until you log out from Cloudron.

https://wordpress.com/log-in/

This also suggests the Cloudron Panel should have a page listing the logged-in apps, with a button to log out of each, or all of them.

Web Design https://www.evergreen.je
Development https://brandlight.org
Life https://marcusquinn.com
#29 girish (Staff), edited by girish

    There are OpenID standards to let apps also trigger a flow to optionally log out the user from the OpenID provider, however Cloudron does not yet implement those

I think maybe this is what is lacking. I see that at least on some providers like wordpress.com, logout of Google does log you out despite being logged into Google.
#30 p44 (translator)

@girish @nebulon Any news about this issue? I'm still not able to log in using Webcatalog... 😞

[Screenshot]
#31 girish (Staff)

@p44 I don't know about webcatalog but it works on all the main browsers now. Maybe you can report this upstream at https://github.com/espocrm/espocrm/issues/ and ask them if they want to support it.

#32 p44 (translator)

@girish Thanks, I confirm that it is working in all browsers...

Any workaround to bypass this problem on Webcatalog? @marcusquinn 🙂