The JWT stuff works great. I have a default token lifetime of 1 year now, mirroring what GitLab is doing.
philkunz
Posts
-
Verdaccio Tokens now short-lived
-
Verdaccio Tokens now short-lived
You're right. Sometimes it is just this feeling of: "It worked perfectly before"
Btw: Thank you for finding the config.
And yes, the good thing is: Cloudron offers a generally really nice mix of managed experience without blocking control. On the other side, if stuff is working, and then it is not -> I'm sometimes a little confused about how migrations work, if I add too much custom stuff...
-
Verdaccio Tokens now short-lived
Would it be possible to allow OIDC login in addition to the old way to log in? We kind of rely on Verdaccio and generally like Cloudron for managing it. But with this kind of basic infrastructure stuff, stuff has to work. And a change like this, where first all previous tokens are rendered obsolete, then the normal npm login flow does not work anymore, then tokens expire after a day, rendering all infrastructure work regarding this from the day before basically useless is NOT a nice UX for us.
-
Verdaccio Tokens now short-lived
Verdaccio tokens now seem to expire after a day... This is not usable for CI/CD... Any reason why?
-
Verdaccio OIDC disables npm login
Yes. All good.
-
Verdaccio OIDC disables npm login
Ah, yes.
-
Verdaccio OIDC disables npm login
Since the change in the latest update to OIDC, npm login does not work anymore with App passwords.
-
Verdaccio complaining about secret key length
security:
  api:
    migrateToSecureLegacySignature: true
solves this.
-
Verdaccio complaining about secret key length
Seems like the secret key needs to be updated...
-
Verdaccio complaining about secret key length
caused:
-
Apache Answer throws OpenID connect error
I'll use a fresh install then.
-
Apache Answer throws OpenID connect error
Fresh install works as expected.
Just took a look at the redirect uri:
&redirect_uri=%2Fanswer%2Fapi%2Fv1%2Fconnector%2Fredirect%2Fbasic&response_type=code&scope=openid+profile+email&state=state
That looks incomplete?
-
Apache Answer throws OpenID connect error
Also changing the location does not do the trick, which should update the redirect url.
-
Apache Answer throws OpenID connect error
All other apps work without a hitch. Also xxx.xxx is correct.
-
Apache Answer throws OpenID connect error
-
Apache Answer throws OpenID connect error
Tried that, still the same error.
-
Apache Answer throws OpenID connect error
-
Apache Answer throws OpenID connect error
root@some-uid:/app/code# printenv | grep -i OIDC
CLOUDRON_OIDC_PROFILE_ENDPOINT=https://my.xxx.xxx/openid/me
CLOUDRON_OIDC_KEYS_ENDPOINT=https://my.xxx.xxx/openid/jwks
CLOUDRON_OIDC_CLIENT_ID=abcdefg
CLOUDRON_OIDC_PROVIDER_NAME=xxx.xxx Cloudron
CLOUDRON_OIDC_AUTH_ENDPOINT=https://my.xxx.xxx/openid/auth
CLOUDRON_OIDC_ISSUER=https://my.xxx.xxx/openid
CLOUDRON_OIDC_DISCOVERY_URL=https://my.xxx.xxx/openid/.well-known/openid-configuration
CLOUDRON_OIDC_TOKEN_ENDPOINT=https://my.xxx.xxx/openid/token
CLOUDRON_OIDC_CLIENT_SECRET= abcdefg
and
root@some-uid:/app/code# mysql --user=${CLOUDRON_MYSQL_USERNAME} --password=${CLOUDRON_MYSQL_PASSWORD} --host=${CLOUDRON_MYSQL_HOST} ${CLOUDRON_MYSQL_DATABASE} -e "SELECT value FROM config WHERE \`key\`='plugin.status'"
mysql: [Warning] Using a password on the command line interface can be insecure.
+---------------------------------------------+
| value                                       |
+---------------------------------------------+
| {"redis_cache":true,"basic_connector":true} |
+---------------------------------------------+
and
root@some-uid:/app/code# mysql --user=${CLOUDRON_MYSQL_USERNAME} --password=${CLOUDRON_MYSQL_PASSWORD} --host=${CLOUDRON_MYSQL_HOST} ${CLOUDRON_MYSQL_DATABASE} -e "SELECT * FROM plugin_config WHERE plugin_slug_name='basic_connector' \G"
mysql: [Warning] Using a password on the command line interface can be insecure.
*************************** 1. row ***************************
              id: 72
plugin_slug_name: basic_connector
           value: {"authorize_url":"https://my.xxx.xxx/openid/auth","check_email_verified":true,"client_id":"abced1234","client_secret":"abcd1234","email_verified_json_path":"email_verified","logo_svg":"","name":"xxx.xxx Cloudron","scope":"openid,profile,email","token_url":"https://my.xxx.xxx/openid/token","user_avatar_json_path":"","user_display_name_json_path":"name","user_email_json_path":"email","user_id_json_path":"sub","user_json_url":"https://my.xxx.xxx/openid/me","user_username_json_path":"preferred_username"}
-
Apache Answer throws OpenID connect error
redirect_uri did not match any of the client's registered redirect_uris
-
Apache Answer throws OpenID connect error
Apache throws OpenID connect error in latest version