Cloudron Forum

SDEInfo

@SDEInfo
Posts


  • Feature Request : Inclusion of OIDC Profile Claims in Cloudron Token
    S SDEInfo

    Hi @nebulon,

    To test this feature, you have two options:

    • Install a Pangolin server locally or on a dedicated instance (the installer is available at pangolin.net) to test the change in a controlled environment.

    • Send me a Client ID/Client Secret pair: I can enable this configuration on my Pangolin server so you can run your tests directly (the easy way).

    Let me know what works best for you!

    Best regards,

    Feature Requests oidc

  • Feature Request : Inclusion of OIDC Profile Claims in Cloudron Token
    S SDEInfo

    Hi @joseph,

    We have observed that the ID Token generated by Cloudron does not include the claims requested in the scopes, not even the mandatory "sub" claim, as defined by the OpenID Connect standard.

    Without these claims, the token is incompatible with applications like Pangolin.

    Could you provide an option to include the claim information directly in the token (without requiring a call to /me)?

    Thank you for your attention.

    Feature Requests oidc

  • Feature Request : Inclusion of OIDC Profile Claims in Cloudron Token
    S SDEInfo

    Cloudron offers an OpenID Connect (OIDC) implementation for centralized authentication across applications. However, to seamlessly integrate with third-party systems like Pangolin, certain user profile claims must be included in the OIDC token issued by Cloudron. Currently, these claims are not consistently present, requiring the use of an additional identity provider (such as Keycloak) to bridge this gap.

    Issue

    To enable direct and secure login between Cloudron and Pangolin (or similar applications), the OIDC token must include the following claims:

    • email: The user’s email address, used for identification and communication.
    • sub: The unique user identifier (Subject Claim), essential for session management and unique identification.
    • preferred_username: The user’s primary username, often required for display and authorization purposes.

    Without these claims, integration with Pangolin is not possible without relying on an external solution, which complicates the architecture and increases maintenance costs.

    Request

    We request the automatic inclusion of the email, sub, and preferred_username claims in the OIDC token generated by Cloudron. These claims are standardized by the OIDC specification and widely supported by modern identity providers.

    Expected Benefits

    • Simplified Integration: Enable direct login with applications like Pangolin, without depending on Keycloak or other third-party solutions.
    • Standards Compliance: Align Cloudron with OIDC best practices, improving interoperability with other tools.
    • Unified User Experience: Reduce configuration steps for administrators and end users.

    Suggested Implementation

    • Add an option in Cloudron’s admin interface to enable/disable the inclusion of the email, sub, and preferred_username claims in the OIDC token.
    • Allow the OIDC client to explicitly request the inclusion of these claims by using a specific parameter in the authentication request (e.g., by adding a scope or custom parameter such as scope=openid email profile).
    • Implement a mechanism so that the token is only generated with these additional claims if the client explicitly requests them, for example by using a parameter in the "Signature Algorithm" field (e.g., RS256 + Profile).
    • Ensure that the email, sub, and preferred_username claims are always present in the token when this option is enabled, unless explicitly disabled.
    • Document this feature in the OIDC authentication section of the official documentation, specifying how clients should format their request to obtain these claims.

    Use Case

    A user or organization wishing to connect Cloudron to Pangolin (or a similar application) will be able to configure OIDC authentication without deploying an additional identity server, thereby reducing complexity and associated security risks.

    Feature Requests oidc
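
Added example (not part of the original post, and not Cloudron or Pangolin code): a Python check that a relying party could run on a received ID Token to list which of the claims discussed above are absent. The sample tokens, issuer URL and helper names are constructed for illustration; the payload is decoded without signature verification, so this is for inspection only.

```python
import base64
import json

# Claims OIDC Core requires in every ID Token.
REQUIRED = ("iss", "sub", "aud", "exp", "iat")
# Claims requested in the post, keyed by the scope that asks for them.
SCOPE_CLAIMS = {"email": ("email",), "profile": ("preferred_username",)}


def _b64url(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_payload(id_token):
    """Return the payload of a compact JWS. No signature check: inspection only."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected 3 dot-separated segments")
    payload = json.loads(_b64url(parts[1]))
    if not isinstance(payload, dict):
        raise ValueError("JWT payload is not a JSON object")
    return payload


def missing_claims(id_token, scope):
    """Report absent claims: always-required ones and those implied by the scope."""
    payload = decode_payload(id_token)

    def absent(names):
        return [n for n in names if payload.get(n) in (None, "")]

    report = {"required": absent(REQUIRED), "scope": []}
    for s in scope.split():
        report["scope"] += absent(SCOPE_CLAIMS.get(s, ()))
    return report


def make_sample_token(payload):
    """Build a constructed sample token with a placeholder signature segment."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}.c2lnbmF0dXJl"


if __name__ == "__main__":
    # Constructed payload resembling the situation the post describes.
    bare = make_sample_token({"iss": "https://my.example.com", "aud": "client-1",
                              "exp": 1900000000, "iat": 1700000000})
    print(missing_claims(bare, "openid email profile"))
```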

  • Update 9 - OpenID Broken - VPS OVH
    S SDEInfo

    Thanks for this clue, I'll try without my footer

    Support oidc locale

  • Update 9 - OpenID Broken - VPS OVH
    S SDEInfo

    OK, updated to 9.0.12 => same trouble.
    I tried with a new browser (MS Edge, which has never visited this website) => same error.

    This trouble looks like a JavaScript string in the OpenID answer

    `; window.cloudron.language = `fr`;
    
    
    Support oidc locale

  • Update 9 - OpenID Broken - VPS OVH
    S SDEInfo

    I can't reproduce the trouble on the Cloudron demo server.
    fr is the language for Profile and System

    I'll try the update (it was on cloudron 9.0.11) - server is on 9.0.12

    Support oidc locale

  • Update 9 - OpenID Broken - VPS OVH
    S SDEInfo
    `; window.cloudron.language = `fr`;
    

    Bug on OpenID Interaction

    Cloudron made an update on my instance last night. Now all my OpenID sessions are broken (can't finish ID; a string is shown on the /openid/interaction/ page).

    Description

    Using Cloudron in French and trying to SSO

    Steps to reproduce

    Upgrade to 9.0.11.
    Server OVH VPS

    Troubleshooting Already Performed

    Tried to reboot => NOK
    On external OpenID Application, same trouble

    System Details

    Cloudron Version

    Cloudron version : 9.0.11
    Ubuntu version : Ubuntu 24.04.3 LTS Linux 6.8.0-87-generic
    VPS CPU
    6 Core "Intel Core Processor (Haswell, no TSX)"
    12.24 GB RAM & 4.29 GB Swap
    

    Cloudron installation method

    • Manual with ./cloudron-setup on fresh VPS OVH Install

    Output of cloudron-support --troubleshoot

    Vendor: OpenStack Foundation Product: OpenStack Nova
    Linux: 6.8.0-87-generic
    Ubuntu: noble 24.04
    Processor: Intel Core Processor (Haswell, no TSX)
    BIOS pc-i440fx-9.2  CPU @ 2.0GHz x 6
    RAM: 11956728KB
    Disk: /dev/sda1        72G
    [OK]    node version is correct
    [OK]    IPv6 is enabled and public IPv6 address is working
    [OK]    docker is running
    [OK]    docker version is correct
    [OK]    MySQL is running
    [OK]    nginx is running
    [OK]    dashboard cert is valid
    [OK]    dashboard is reachable via loopback
    [OK]    box v9.0.11 is running
    [OK]    netplan is good
    [OK]    DNS is resolving via systemd-resolved
    [OK]    Dashboard is reachable via domain name
    [OK]    Domain sdeinfo.com is valid and has not expired
    [OK]    unbound is running
    
    Support oidc locale