Can no longer access most of my WordPress sites
-
None of them work with Cloudron SSO OIDC.
I just get e.g.
One of the older ones I can still access just using my username/ password, but I'm completely locked out of nearly all of them
-
I tried renaming either or both of these but it didn't help
-
Aha! I think this was because even though I'm logged into my.cloudron as jdaviescoates, in terms of OIDC in this browser I was logged in as 'josef' which didn't have access! I added josef to the relevant group and then I was back in. Confusing!
@staff it'd be good if the OIDC somehow prompted to choose which user you want to use/ gave the option of logging in as a different user like on Google etc - would that be possible?
Also - how do I actually end/ close the OIDC session for josef so I can login to these sites as jdaviescoates instead? And/ or is it somehow possible to be logged into both and then be prompted to choose which one I want to use when logging into a new app? This would be ideal as I use josef for some apps and jdaviescoates for others.
-
@jdaviescoates said in Can no longer access most of my WordPress sites:
Also - how do I actually end/ close the OIDC session for josef so I can login to these sites as jdaviescoates instead?
The only way I seemed to be able to do this was to first logout of my.cloudron as jdaviescoates. I was still logged into my.cloudron as josef, so I logged out as that too. Then log back in as jdaviescoates. Then I was able to login to the WordPress sites as 'jdaviescoates' as I wanted. And interestingly I'm still logged into my Mastodon and Element apps as josef. Seems we need some sort of "switch user" capability if that's possible with OIDC?
-
- 1 from me, asked this before because IMHO it is still a security issue that you can't OIDC logout from apps.
-
In OpenID there is no well supported way to log out users from services which used the OpenID for authentication (in Cloudron's case the apps). Those apps have their own session and session handling. So there is most likely no way around this unless an app would start using OAuth2 access and refresh tokens (but implementation of that was spotty in the past, which sparked OpenID Connect in the first place).
For a start, if you logout of the dashboard, then on subsequent app logins (from a state where the app has no login session) Cloudron will prompt you to login with a username. If that is not happening, the OIDC session was still alive.
The best way I found was to use container tabs, like in Firefox and probably other browsers, which maintain isolated sessions. This is also how I use other services like DigitalOcean where we have multiple accounts with different roles.