[Feedback] OpenID and multi-user

[matt-fidd]

Thanks to @lelemm, OpenID and multi-user support was added to Actual in #3878 as an experimental feature. This issue is to track feedback/bugs/issues/requests related specifically to that feature.

[shaankhosla]

Thanks @lelemm for this amazing feature!

I'm having some trouble setting this up with Authelia. I'm getting the following error after trying to sign in with OpenId:

status	"error"
reason	"openid-grant-failed"

When I look at the logs for Actual I see the following:

2024-12-24T02:24:06.997Z info: GET 200 /account/needs-bootstrap
2024-12-24T02:24:07.054Z info: GET 304 /account/needs-bootstrap
2024-12-24T02:24:07.107Z info: GET 304 /account/needs-bootstrap
2024-12-24T02:24:07.168Z info: GET 200 /admin/owner-created/
Logging in via openid
2024-12-24T02:24:08.554Z info: POST 200 /account/login
OpenID grant failed: RPError: iss missing from the response
    at Client.callback (/app/node_modules/openid-client/lib/client.js:436:13)
    at loginWithOpenIdFinalize (file:///app/src/accounts/openid.js:177:31)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async file:///app/src/app-openid.js:86:24 {
  params: {
    code: '<redacted>',
    state: '<redacted>'
  }
}

Anyone know what I might be doing wrong?

[lelemm]

I'm not on the PC right now, but maybe authelia does not implement openid, but oauth2.

If that's the case, you have to setup it using the config.json on the server specifying the authMethod to oauth2 instead of openid
Check this PR for more details https://github.com/actualbudget/actual-server/pull/527/files

Thanks @lelemm for this amazing feature!

I'm having some trouble setting this up with Authelia. I'm getting the following error after trying to sign in with OpenId:

status	"error"
reason	"openid-grant-failed"

When I look at the logs for Actual I see the following:

2024-12-24T02:24:06.997Z info: GET 200 /account/needs-bootstrap
2024-12-24T02:24:07.054Z info: GET 304 /account/needs-bootstrap
2024-12-24T02:24:07.107Z info: GET 304 /account/needs-bootstrap
2024-12-24T02:24:07.168Z info: GET 200 /admin/owner-created/
Logging in via openid
2024-12-24T02:24:08.554Z info: POST 200 /account/login
OpenID grant failed: RPError: iss missing from the response
    at Client.callback (/app/node_modules/openid-client/lib/client.js:436:13)
    at loginWithOpenIdFinalize (file:///app/src/accounts/openid.js:177:31)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async file:///app/src/app-openid.js:86:24 {
  params: {
    code: '<redacted>',
    state: '<redacted>'
  }
}

Anyone know what I might be doing wrong?

[shaankhosla]

I'm not on the PC right now, but maybe authelia does not implement openid, but oauth2.

If that's the case, you have to setup it using the config.json on the server specifying the authMethod to oauth2 instead of openid Check this PR for more details https://github.com/actualbudget/actual-server/pull/527/files

Thanks @lelemm for this amazing feature!
I'm having some trouble setting this up with Authelia. I'm getting the following error after trying to sign in with OpenId:

status	"error"
reason	"openid-grant-failed"

When I look at the logs for Actual I see the following:

2024-12-24T02:24:06.997Z info: GET 200 /account/needs-bootstrap
2024-12-24T02:24:07.054Z info: GET 304 /account/needs-bootstrap
2024-12-24T02:24:07.107Z info: GET 304 /account/needs-bootstrap
2024-12-24T02:24:07.168Z info: GET 200 /admin/owner-created/
Logging in via openid
2024-12-24T02:24:08.554Z info: POST 200 /account/login
OpenID grant failed: RPError: iss missing from the response
    at Client.callback (/app/node_modules/openid-client/lib/client.js:436:13)
    at loginWithOpenIdFinalize (file:///app/src/accounts/openid.js:177:31)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async file:///app/src/app-openid.js:86:24 {
  params: {
    code: '<redacted>',
    state: '<redacted>'
  }
}

Anyone know what I might be doing wrong?

Thanks, I'll dig around! I think Authelia has OpenID based on this, but I'll try the config.json.

[shaankhosla]

I'm not on the PC right now, but maybe authelia does not implement openid, but oauth2.
If that's the case, you have to setup it using the config.json on the server specifying the authMethod to oauth2 instead of openid Check this PR for more details https://github.com/actualbudget/actual-server/pull/527/files

Thanks @lelemm for this amazing feature!
I'm having some trouble setting this up with Authelia. I'm getting the following error after trying to sign in with OpenId:

status	"error"
reason	"openid-grant-failed"

When I look at the logs for Actual I see the following:

2024-12-24T02:24:06.997Z info: GET 200 /account/needs-bootstrap
2024-12-24T02:24:07.054Z info: GET 304 /account/needs-bootstrap
2024-12-24T02:24:07.107Z info: GET 304 /account/needs-bootstrap
2024-12-24T02:24:07.168Z info: GET 200 /admin/owner-created/
Logging in via openid
2024-12-24T02:24:08.554Z info: POST 200 /account/login
OpenID grant failed: RPError: iss missing from the response
    at Client.callback (/app/node_modules/openid-client/lib/client.js:436:13)
    at loginWithOpenIdFinalize (file:///app/src/accounts/openid.js:177:31)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async file:///app/src/app-openid.js:86:24 {
  params: {
    code: '<redacted>',
    state: '<redacted>'
  }
}

Anyone know what I might be doing wrong?

Thanks, I'll dig around! I think Authelia has OpenID based on this, but I'll try the config.json.

I tried with the config.json and set the authMethod to "oauth2" but still got the same error.

[lelemm]

I'm not on the PC right now, but maybe authelia does not implement openid, but oauth2.
If that's the case, you have to setup it using the config.json on the server specifying the authMethod to oauth2 instead of openid Check this PR for more details https://github.com/actualbudget/actual-server/pull/527/files

Thanks @lelemm for this amazing feature!
I'm having some trouble setting this up with Authelia. I'm getting the following error after trying to sign in with OpenId:

status	"error"
reason	"openid-grant-failed"

When I look at the logs for Actual I see the following:

2024-12-24T02:24:06.997Z info: GET 200 /account/needs-bootstrap
2024-12-24T02:24:07.054Z info: GET 304 /account/needs-bootstrap
2024-12-24T02:24:07.107Z info: GET 304 /account/needs-bootstrap
2024-12-24T02:24:07.168Z info: GET 200 /admin/owner-created/
Logging in via openid
2024-12-24T02:24:08.554Z info: POST 200 /account/login
OpenID grant failed: RPError: iss missing from the response
    at Client.callback (/app/node_modules/openid-client/lib/client.js:436:13)
    at loginWithOpenIdFinalize (file:///app/src/accounts/openid.js:177:31)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async file:///app/src/app-openid.js:86:24 {
  params: {
    code: '<redacted>',
    state: '<redacted>'
  }
}

Anyone know what I might be doing wrong?

Thanks, I'll dig around! I think Authelia has OpenID based on this, but I'll try the config.json.

I tried with the config.json and set the authMethod to "oauth2" but still got the same error.

To use the configuration in the file, you need to run the commands.
First disable the openid
yarn/npm run disable-openid
Then run
yarn/npm run enable-openid

This script will take the configuration from the file into the database

[shaankhosla]

Ah thanks, I didn't realize I had to run that command for it to use the config. That worked! I had to switch my docker container from edge-alpine to just edge to have npm in it.

[shaankhosla]

Actually, that seemed like it fixed the issue but I don't think it did.

After I run those commands I'm able to sign in (with account A) and assign a budget file to myself as admin. However, if I try to sign in through a different user account (with account B) in incognito mode I get the same openid-grant-failed error I was seeing before. I then re-ran the disable/enable commands again and signed in with account B, at which point account B became the admin and I couldn't see account A in the user directory list. Then I tried signing in with account A and got the same openid-grant-failed error as before.

[lelemm]

You have to give access to the second user in the user directory

[lelemm]

@shaankhosla https://deploy-preview-447.www.actualbudget.org/docs/experimental/multi-user

[shaankhosla]

Got it, it's working as expected. I thought that new users would be added to that automatically at sign in. Thanks for all of your help!

[feyleth]

it is possible to use multi-user without need to login with openID ?

[lelemm]

it is possible to use multi-user without need to login with openID ?

Nope. They are tied together for now. One can expand for internal user management

[alexsalex]

HI! Thank you for this future! Amazing!

But could you write some documentation about it? For example: what is the redirect URL for OAuth2?

[lelemm]

https://your-actual-server-domain:your-actual-server/openid/callback

[nichtdu]

just added via authentik. worked flawless so far. Enabling was quiet easy as well.

The fact that it deletes the url in case you change auth-provider in setup is a little confusing though - or rather the fact that it accepts invalid url and does not tell you (it resetted to placeholders but i did not notice and hit ok again - and i was not able to see error on first sight)

[mocdaniel]

I noticed that arbitrary users seem to be able to access budget files of other users as long as they log in from the same device.

Consider the following situation - I got two users in my IAM solution (Authentik), one is called Daniel Bodky and is Admin in Actualbudget, the other is called John Doe and got added to the user directory of Actualbudget manually:

There is only one budget file available on the server, called Daniel. It has been created by the admin user and is configured to be accessible only by him:

However, if I log in to Actualbudget with the second user John Doe, I am offered to open the budget file. It even states that the supposedly unprivileged user is the file owner. Consequently, I can open and edit the budget with the unprivileged user (note the username in the top right):

If I login as John Doe from a private browser window, the behavior is as expected: The user doesn't have a budget file yet, so none is displayed; the budget file(s) of other users don't show either.

I guess this is due to the offline capabilities of Actualbudget, and the fact that all local files are available in the device/browser? So once a budget file has been downloaded to a device/browser, it's accessible to all users that might log in on that device/browser?

[lelemm]

I guess this is due to the offline capabilities of Actualbudget, and the fact that all local files are available in the device/browser? So once a budget file has been downloaded to a device/browser, it's accessible to all users that might log in on that device/browser?

You are completely right. That's how its working atm

[mocdaniel]

Are there plans to mitigate this behavior in the future? Maybe by 'disabling' offline mode when enabling OIDC auth/multi-user support?

[lelemm]

AFAIK, not planned, but I guess with enough feedback for it will probably be mitigated

[ReclaimedBytes]

Working well here with Pocket ID. Thanks for implementing!

[lelemm]

Would be nice if someone is using a different OpenID provider, give some information like this:

    {
      label: 'Microsoft Entra',
      value: 'microsoft',
      issuer: 'https://login.microsoftonline.com/{tenant-id}',
      clientIdRequired: true,
      clientSecretRequired: true,
      tip: (
        <Link
          variant="external"
          to="https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols-oidc"
        >
          <Trans>OpenID Connect on the Microsoft identity platform</Trans>
        </Link>
      ),
    }

So the list of validated providers can be increased for future users

[ReclaimedBytes]

Where would I find that?

[lelemm]

Where would I find that?

That would be built by you, if you have the knowledge

[woolfyx]

Firstly, thanks for this great features ! 😍

Quick question regarding claims used to retrieve user information.Actually, at least for Entra ID, the username seems to be mapped to the display name? Is it correct? Maybe it can be interesting to be customized to use the UPN (which is unique in Entra ID - not sure it's the case for display name), for example?

This question aside, authentication process works perfectly.

[lelemm]

Firstly, thanks for this great features ! 😍

Quick question regarding claims used to retrieve user information.Actually, at least for Entra ID, the username seems to be mapped to the display name? Is it correct? Maybe it can be interesting to be customized to use the UPN (which is unique in Entra ID - not sure it's the case for display name), for example?

This question aside, authentication process works perfectly.

The username saved is a little clunky honestly.
in the spec, there are definitions of the name of the fields, but I guess some providers just do what they want lol.
probably for Entra Id is catching a bad value (on the big list of possible values).

[Arnoud-B]

To test this, I:

1. Created an account on auth0, created a (fake) web app and created a user there. For the callback URL I used https://actual.domain.com:5006/openid/callback.
2. Attempted a sign in with the user I created on auth0 and got an error message. I went back to the login page to try again, and now it logged me in automatically (weird?).
3. I opened a budget file, which worked. But when closing the budget file, it says: "Owner: Unassigned". Another budget file is showing the same, and a third (test) budget file is showing "Owner: Server". I expected the Owner to be the first OpenID user to open the budget file.

[DennaGherlyn]

[...] it also is preventing the regular password login from being disabled.

Can you even disable the regular password? I'm Server Owner but I still have the option to use the password. And I don't see any settings for that either. I would guess that deactivating the password option is not a thing yet.

Hmm, I was under the impression that once a server owner is set after the first OIDC login happens that it disables regular password based access and goes into multi-user mode only. Maybe I misunderstood, and can't test because my install isn't properly setting server owner by itself anyway and getting rid of the ability to edit OIDC settings before login. So right now, anybody could just edit OIDC settings to their own provider and get in.

Okay, so. I finally managed to get onto Discord (it was very stubborn today) and there lelemm said that disabling the password is not possible because the API needs it and auto-login is not available yet.

[ilovepancakes95]

[...] it also is preventing the regular password login from being disabled.

Can you even disable the regular password? I'm Server Owner but I still have the option to use the password. And I don't see any settings for that either. I would guess that deactivating the password option is not a thing yet.

Hmm, I was under the impression that once a server owner is set after the first OIDC login happens that it disables regular password based access and goes into multi-user mode only. Maybe I misunderstood, and can't test because my install isn't properly setting server owner by itself anyway and getting rid of the ability to edit OIDC settings before login. So right now, anybody could just edit OIDC settings to their own provider and get in.

Okay, so. I finally managed to get onto Discord (it was very stubborn today) and there lelemm said that disabling the password is not possible because the API needs it and auto-login is not available yet.

OK if that is the case, then it seems the only downside to my situation is without a server owner being set, anyone coming upon the login page can now change the OIDC settings to their own provider and then login. Obviously this prevents me from "launching" using this yet, completely not secure.

[shall0pass]

If you're referring to the link to change the OIDC settings on the login page, that link disappears once you login using openid.... at least it did for me.

I too would welcome an option (probably an environment option in the compose file that is easy to change before spinning up a container) to disable the web page password prompt. I do understand not totally locking it out for the API to continue to have access.

[ilovepancakes95]

If you're referring to the link to change the OIDC settings on the login page, that link disappears once you login using openid.... at least it did for me.

That is exactly what I mean. On my system, I get that prompt, I sign-in, but after I log out, the prompt is still there and I (or anyone else) can still change OIDC settings. And when I do login, under User Directory, my user (or any user) is not checked as "System Owner". Like whatever process that sets the system owner isn't working.

Hoping there is an easy quick fix.

[lelemm]

If you're referring to the link to change the OIDC settings on the login page, that link disappears once you login using openid.... at least it did for me.

That is exactly what I mean. On my system, I get that prompt, I sign-in, but after I log out, the prompt is still there and I (or anyone else) can still change OIDC settings. And when I do login, under User Directory, my user (or any user) is not checked as "System Owner". Like whatever process that sets the system owner isn't working.

Hoping there is an easy quick fix.

you probably had an error but somehow the flow went until the end so you system owner was never created. I highly suggest you to disable openid and enable again to check for errors and to be sure the system owner is created

[ilovepancakes95]

you probably had an error but somehow the flow went until the end so you system owner was never created. I highly suggest you to disable openid and enable again to check for errors and to be sure the system owner is created

Think you are right. If I disable OIDC and then re-enable and go throw the flow from scratch I get {"status":"error","reason":"user-already-exists"} as the error in the web browser immediately after clicking "Sign In with Open ID".

[lelemm]

you probably had an error but somehow the flow went until the end so you system owner was never created. I highly suggest you to disable openid and enable again to check for errors and to be sure the system owner is created

Think you are right. If I disable OIDC and then re-enable and go throw the flow from scratch I get {"status":"error","reason":"user-already-exists"} as the error in the web browser immediately after clicking "Sign In with Open ID".

I guess the username returned by the provider is empty string.
because there is a empty username string in the server (the fallback server password user has empty username)

[hendrik1120]

I have updated my initial bug report with additional information for troubleshooting. I still believe this a bug in the actualbudget oidc client.

[nicedevil007]

hey guys, just a small thing for you => authentik is written with a lowercase "a". Can you change this on the dropdown menu for the openID provider? I'm already on my PR for the documentation of authentik's official page and the guys that are reviewing my PR already told this to me :)

goauthentik/authentik#12590 (comment)

I mean this part here during the configuration:

[tugdualenligne]

I there, just wanted to say thanks!
And that OpenID set-up worked fine for me using Authentik 24.12.2
It should be precised though, that the Redirect URI should be https://actual.domain.tld/openid/callback
And that you cannot chose as an Encryption key the "Authentik self-signed certificate" as it doesn't work if you do

[savely-krasovsky]

Configured with Casdoor, works without any issues for me.

[ajfurber]

Just want to say thank you to all who were involved with developing this, seriously useful now that partner and I can share a single budget.

Just to add, due to issues with Entra / Azure AD using the Display Name (rather than the UPN or username), I've configured with Cloudflare Access OIDC as the IDP and it works perfectly!

Thanks Again!

[marouamghar]

Hey, just to add, it works great in my setup using the config workaround with Authelia.

However, I tried to disable all but opened using allowedLoginMethods in the config file, but it's not picked/applied. I can still login with either the password or openid. Is that behaviour wanted, at least for the experimental phase?

[bobokun]

Not sure if you're aware but it could be something related to the openID/multi-user integration that was introduced caused header auth to be broken in v25.1.0

[NateMcKenzie]

This is a great feature! My brother and I have self-hosted individual instances of Actual so that we can each have separate budgets. That's not a huge deal, but it is nice to just have one instance. This feature almost gets us there, but it seems like there is only one SimpleFIN token for the whole instsance, so we couldn't use separate SimpleFIN accounts. Is this correct? Are there any plans to say let each user have their own token?

[helloWorld44-89]

I have a similar issue as OP. I am using authentik and my account work as intended. I then tried to login as my wife’s account and got {"status":"error","reason":"openid-grant-failed"}. I checked and no user was created for the login.

Logs for actual budget server:
2025-01-18T23:35:50.199Z info: GET 200 /admin/owner-created/
2025-01-18T23:35:57.068Z info: GET 200 /account/needs-bootstrap
2025-01-18T23:35:57.097Z info: GET 200 /account/needs-bootstrap
2025-01-18T23:35:57.117Z info: GET 200 /account/needs-bootstrap
2025-01-18T23:35:57.158Z info: GET 200 /admin/owner-created/
Logging in via openid
2025-01-18T23:36:00.111Z info: POST 200 /account/login
2025-01-18T23:36:02.549Z info: GET 400 /openid/callback?code=4bec1426c3664e20977da978e750e693&state=HH-1bO-teG2MRKTXeiSSXvKv2y5vDgf40veduVCio8M
Logging in via openid
2025-01-18T23:41:47.867Z info: POST 200 /account/login
2025-01-18T23:41:50.388Z info: GET 400 /openid/callback?code=97bb298a0ccb45c3bd9006993019f9ab&state=azBkGiaWgKUnmJxdH5udZHMew37xpWm0ayHwOTZPzfo

UPDATE: I solved the issue. I had to create the user in Actual prior to them logging in.

Will the open id not create the new user?

[RubenOlsen]

On the UX side of the Enable OpenID dialog box I believe we should add a sentence saying that people must export their data before continuing. I am aware that there are no technical reason for this, but it's all about 1) making people feel safe; 2) reducing the number of potential support request on the variant of I enabled OpenID - now my data is lost.

[deathblade666]

I have a similar issue as OP. I am using authentik and my account work as intended. I then tried to login as my wife’s account and got {"status":"error","reason":"openid-grant-failed"}. I checked and no user was created for the login.

Logs for actual budget server: 2025-01-18T23:35:50.199Z info: GET 200 /admin/owner-created/ 2025-01-18T23:35:57.068Z info: GET 200 /account/needs-bootstrap 2025-01-18T23:35:57.097Z info: GET 200 /account/needs-bootstrap 2025-01-18T23:35:57.117Z info: GET 200 /account/needs-bootstrap 2025-01-18T23:35:57.158Z info: GET 200 /admin/owner-created/ Logging in via openid 2025-01-18T23:36:00.111Z info: POST 200 /account/login 2025-01-18T23:36:02.549Z info: GET 400 /openid/callback?code=4bec1426c3664e20977da978e750e693&state=HH-1bO-teG2MRKTXeiSSXvKv2y5vDgf40veduVCio8M Logging in via openid 2025-01-18T23:41:47.867Z info: POST 200 /account/login 2025-01-18T23:41:50.388Z info: GET 400 /openid/callback?code=97bb298a0ccb45c3bd9006993019f9ab&state=azBkGiaWgKUnmJxdH5udZHMew37xpWm0ayHwOTZPzfo

UPDATE: I solved the issue. I had to create the user in Actual prior to them logging in.

Will the open id not create the new user?

OpenID at this time does not create the user accounts within actual so they need to be created manually

[deathblade666]

On the UX side of the Enable OpenID dialog box I believe we should add a sentence saying that people must export their data before continuing. I am aware that there are no technical reason for this, but it's all about 1) making people feel safe; 2) reducing the number of potential support request on the variant of I enabled OpenID - now my data is lost.

on that thought, why wouldn't we have it for every experimental feature? and could even go a step further to create a flow that steps people through backing up their data?

[UncleArya]

Hello. Thank you so much for implementing an OIDC login. I have been switching as many services as I can over to Pocket ID and I got it setup with Actual Budget and was able to login without issue first try. Initial setup was very easy and straightforward.

The only issue I am now facing is when I open the User Directory and attempt to add a new user for my partner manually (as reading higher in this thread I see OIDC can't create a new user yet). I am getting an error that states:

It prevents me from adding a new user. I have recreated the image and restarted the container, without success.

I added OIDC login via GUI and have the following environment variables set in my compose file:

ACTUAL_OPENID_DISCOVERY_URL: https://<MYURL>.well-known/openid-configuration
ACTUAL_OPENID_CLIENT_ID: <VALUE>
ACTUAL_OPENID_CLIENT_SECRET: <VALUE>
ACTUAL_OPENID_SERVER_HOSTNAME: https://actual.budget.tld

Client version: v25.1.0
Server version: v25.1.0
Image: sha-45d53ff-alpine

[Mikhail773]

Hello, thank you for all the hard work that was put into openid. I noticed an interesting bug/issue:
When having openid setup it would be expected that each Budget would be able to set up their own simplefin account linking. Instead if you have multiple budgets/accounts each budget will be using the same simple fin token. This means that personal sharing info will be shared between users/budgets. I'm not certain what the solution is, but I would imagine there would need to be a dedicated simplefin/gocardless for each budget/user

[Frankynov]

Hi,
Just a note to let you know that I was able to setup the openID connection with Authentik, without any issue :)
Thanks a lot for the hard work !

[ezcafe]

Hi team,
I'm using pocket-id with this config

Name: actual-budget
Callback URLs: https://actual.budget.tld/openid-cb

When login to pocket-id, it shows this error

Invalid callback URL, it might be necessary for an admin to fix this. Please try again.

Is the Callback URLs correct? Which callback url should I use?

[savely-krasovsky]

@ezcafe you should set this: https://actual.budget.tld/openid/callback

[ezcafe]

It's working now. Thanks @savely-krasovsky