Serious OIDC EspoCRM issues!

imc67

In a privacy tab of the browser I log into EspoCRM with OIDC and then log out from EspoCRM. You then see the log in OIDC button, when you press that you’re immediately logged in again without any credentials.

I can reproduce it in Safari and Firefox in MacOS and Safari in iOS.

jdaviescoates

@imc67 said in Serious OIDC EspoCRM issues!:

when you press that you’re immediately logged in again without any credentials.

I know this doesn't really address the issue, but I guess you probably wouldn't be if you also went and logged out of the Cloudron Dashboard?

nebulon

Generally this "auto login" happens, since the OpenID session is still active, and you have only logged out of the app, not the OpenID provider (Cloudron) There are OpenID standards to let apps also trigger a flow to optionally log out the user from the OpenID provider, however Cloudron does not yet implement those. Also support within apps is spotty. Our initial implementation had this feature, but hardly any app would behave well with this.

When sharing a browser session across users or also if one uses a public computer like in a library, this is not great, I agree and one would have to use the Cloudron dashboard logout to also kill the OpenID session. Not sure what the best angle is to improve the situation at the moment.

marcusquinn

@nebulon My feeling is the way the rest of the world deals with this is making OIDC one login option, not the only login option.

So you would have the normal App's login forms, and add a [ ⬢ Cloudron ] login button injected above or below that, to take you to the Cloudron OIDC login screen and auth redirect.

Just a random example, but my feeling is that this would then enable you to have the warning on the Cloudron OIDC login, that you will stay logged in all apps logged-in this way, until you logout from Cloudron.

https://wordpress.com/log-in/

This also suggests the Cloudron Panel should have a page listing the logged-in apps, with a button to logout of each, or all of them.

girish

There are OpenID standards to let apps also trigger a flow to optionally log out the user from the OpenID provider, however Cloudron does not yet implement those

I think maybe this is what is lacking. I see that at least on some providers like wordpress.com logout of Google does log you out despite being logged into Google.

p44

@girish @nebulon Any news about this issue? I'm still not able to login using Webcatalog...

girish

@p44 I don't know about webcatalog but it works on all the main browsers now. Maybe you can report this upstream at https://github.com/espocrm/espocrm/issues/ and ask them if they want to support it.

p44

@girish Thank's, I confirm that is working in all browsers...

Any workaround to bypass this problem on Webcatalog? @marcusquinn

marcusquinn

@p44 My guess is something to do with the external URL Handling settings for your app or Privacy > Share browsing data between service and accounts.

p44

@marcusquinn Yes.. I tried to copy and paste that url, but it seems part of a redirection process, so pasted urls seems to be not good (or expired)...