Login providers - Microsoft openid connect - creating new users issue

Hi Allan,

I’m still getting this, and I’m on self-hosted 1.5.11.121 (latest). It seems this issue is still somehow there: New Users can’t Login - OpenCore - OpenIAP.

Tried with auto_create_user_from_jwt on and off, still the same. Any ideas how to fix?

Basically I’ve set up the Microsoft OIDC login provider, and it seems to work, but the new user gets `unknown user user@domain.com` in the browser after logging in via the Microsoft login pages. If I turn on auto_create_user, logging in via the Microsoft provider works, but you can’t really control the rights in this case. It somehow auto-adds the default rights even if I update them, so auto_create_user on is not an option.

And these are the API logs:

```
query failed with: Not signed in, and missing jwt
Error: Not signed in, and missing jwt
    at protowrap.IsPendingReply (file:///app/dist/public/server/chunks/auth.svelte-DeK_AaVj.js:4028:41)
    at parser.ondata (file:///app/dist/public/server/chunks/auth.svelte-DeK_AaVj.js:3832:31)
    at messageParser.write (file:///app/dist/public/server/chunks/auth.svelte-DeK_AaVj.js:3687:18)
    at ws.onmessage (file:///app/dist/public/server/chunks/auth.svelte-DeK_AaVj.js:3822:20)
    at callListener (file:///app/dist/public/server/chunks/module-CcjLScfg.js:10733:15)
    at WebSocket.onMessage (file:///app/dist/public/server/chunks/module-CcjLScfg.js:10652:10)
    at WebSocket.emit (node:events:524:28)
    at Receiver.receiverOnMessage (file:///app/dist/public/server/chunks/module-CcjLScfg.js:12173:21)
    at Receiver.emit (node:events:524:28)
    at Receiver.dataMessage (file:///app/dist/public/server/chunks/module-CcjLScfg.js:9686:15) {
  serverstack: '',
  code: 0
}
core-web version 0.1.2.15 git commit 87ec93f opencore version 1.5.11.121
[server][INF] Client connected, client count 4
[server][INF] close n7duhffhw ws 172.18.0.1 undefined
[server][ERR] Disconnected client, client count 3
[server][INF] Client connected, client count 4
[server][INF] close v8osi3xit ws 172.18.0.1 undefined
[server][ERR] Disconnected client, client count 3
unknown user user@domain.com
```

There are only two options: either you create the user yourself first, or you enable auto_create_user.

I don’t understand the part about auto_create_user not being an option?

Got it. What I meant about auto_create_user is that users could create random accounts by using the Local provider. And I thought the regular new user had admin/advanced rights, since they could see menu items like Database User Roles, but I see they have a limited range of actions in there.

But I deleted the Local provider completely, so they now can only log in via Microsoft or Google.

Does the auto_create_user_from_jwt do anything at all? Doesn’t seem to make a difference if it is on/off.

Thanks

auto_create_user_from_jwt is a special setting with two purposes.

Back in the old, old days, Node-RED when running in Docker would issue its own token, so this setting was needed to create an account for a new Node-RED instance. Luckily, that is not needed anymore.

The other use case is when you have two OpenCore installations with the same encryption key, and you often swap between them. In this scenario, it can be handy for one OpenCore instance to accept a token issued by the other OpenCore and create a dummy user instead of throwing an error (since the token is theoretically valid but used by a non-existent user).
This will not work in the latest version of OpenCore, as the tokens now only contain the user ID and proof token. For a long time, tokens used to contain key user information and role memberships, giving us the necessary information to create a new user. We no longer have that.

So, I should really remove that setting. I will probably do that now.
