Can no longer access most of my WordPress sites
-
None of them work with Cloudron SSO OIDC.
I just get e.g.
One of the older ones I can still access just using my username/ password, but I'm completely locked out of nearly all of them
-
I tried renaming either or both of these but it didn't help
-
Aha! I think this was because even though I'm logged into my.cloudron as
jdaviescoatesin terms of OIDC in this browser I was logged in as 'josef' which didn't have access! I addedjosefto the relevant group and then I was back in.Confusing!
@staff it'd be good if the OIDC somehow prompted to choose which user you want to use/ gave the option of logging in as a different user like on Google etc - would that be possible?
Also - how do I actually end/ close the OIDC session for
josefso I can login to these sites asjdaviescoatesinstead?And/ or is it somehow possible to be logged into both and then be prompted to choose which one I want to use when logging into a new app? This would be ideal as I use
joseffor some apps andjdaviescoatesfor others. -
Aha! I think this was because even though I'm logged into my.cloudron as
jdaviescoatesin terms of OIDC in this browser I was logged in as 'josef' which didn't have access! I addedjosefto the relevant group and then I was back in.Confusing!
@staff it'd be good if the OIDC somehow prompted to choose which user you want to use/ gave the option of logging in as a different user like on Google etc - would that be possible?
Also - how do I actually end/ close the OIDC session for
josefso I can login to these sites asjdaviescoatesinstead?And/ or is it somehow possible to be logged into both and then be prompted to choose which one I want to use when logging into a new app? This would be ideal as I use
joseffor some apps andjdaviescoatesfor others.@jdaviescoates said in Can no longer access most of my WordPress sites:
Also - how do I actually end/ close the OIDC session for josef so I can login to these sites as jdaviescoates instead?
The ony way I seemed to be able to do this was to first logout of my.cloudron as
jdaviescoates. I was still logged into my.cloudron asjosefso I logged out as that too. Then log back in asjdaviescoates. Then I was able to login the the WordPress sitest as 'jdaviescoates' as I wanted. And interestingly I'm still logged into my Mastodon and Element apps asjosef.Seems we need some sort of "switch user" capability if that's possible with OIDC?
-
- 1 from me, asked this before because IMHO it is still a security issue that you can't OIDC logout from apps.
-
In OpenID there is no well supported way to log out users from services which used the OpenID for authentication (in Cloudron case the apps). Those app have their own session and session handling. So there is mostly likely no way around this unless an app would start using OAuth2 access and refresh tokens (but implementation of that was spotty in the past which sparked OpenID connect in the first place)
For a start if you logout of the dashboard, subsequent app logins (from a state where the app has no login session) then Cloudron will prompt you to login with a username. If that is not happening the Oidc session was still alive.
The best way I found was to use container tabs in like firefox and probably other browsers, which maintain isolated sessions. This is also how I use other services like Digitalocean where we have multiple accounts with different roles.
