photoprism / photoprism-docs

Official Documentation (English)
https://docs.photoprism.app

Documentation error for migrating existing accounts to OIDC is missing details. #184

Closed XtremeOwnageDotCom closed 4 months ago

XtremeOwnageDotCom commented 4 months ago

Problem Summary

The new documentation does not indicate how users without photoprism plus, can migrate their existing accounts to OIDC.

Solution / Details / Testing

Documentation for migrating OIDC users


The issue with this documentation is that it references using Settings/Users, which is a feature of photoprism plus.

The documentation also does not list other alternatives or work-arounds for managing this issue.

The assumption, though, is that you should be able to perform these commands via the command line interface.

(NOTE: none of the below credentials, tokens, etc. are valid. Performed on a temporary instance of photoprism for testing and validation... Don't get too excited.)

So, starting with photoprism users show

root@240711:/photoprism$ photoprism users show akadmin
DEBU[2024-07-12T01:27:32Z] config: overriding config with values from /storage/storage/config/options.yml
DEBU[2024-07-12T01:27:32Z] config: running on 'QEMU Virtual CPU version 2.5+', 8.3 GB memory detected
DEBU[2024-07-12T01:27:32Z] settings: loaded from /storage/storage/config/settings.yml
DEBU[2024-07-12T01:27:32Z] vips: max cache size is 64 MB, using up to 1 worker
INFO[2024-07-12T01:27:32Z] Become a member today, support our mission and enjoy our member benefits! 💎
INFO[2024-07-12T01:27:32Z] Visit https://www.photoprism.app/membership to learn more.
DEBU[2024-07-12T01:27:32Z] config: successfully initialized [30.781342ms]

|---------------|--------------------------------------------------------------------|
|     Name      |                               Value                                |
|---------------|--------------------------------------------------------------------|
| AuthID        | "54b251266174b26e6e8c0919b4dc17be387c95a2605124200dbe9cf4a4f494a1" |
| AuthIssuer    | "https://auth.kube.xtremeownage.com/application/o/photoprism/"     |
| AuthMethod    | ""                                                                 |
| AuthProvider  | "oidc"                                                             |
| BackupEmail   | ""                                                                 |
| BasePath      | ""                                                                 |
| BornAt        | <nil>                                                              |
| CanInvite     | false                                                              |
| CanLogin      | true                                                               |
| ConsentAt     | <nil>                                                              |
| DeletedAt     | <nil>                                                              |
| DisplayName   | "authentik Default Admin"                                          |
| DownloadToken | "9u47u0b3"                                                         |
| ExpiresAt     | <nil>                                                              |
| InviteToken   | ""                                                                 |
| InvitedBy     | ""                                                                 |
| LoginAt       | time.Date(2024, time.July, 12,                                     |
|               | 1, 21, 24, 0, time.UTC)                                            |
| PreviewToken  | "9x32vidk"                                                         |
| RefID         | "userqwt4rp60"                                                     |
| ResetToken    | ""                                                                 |
| SuperAdmin    | false                                                              |
| Thumb         | ""                                                                 |
| ThumbSrc      | ""                                                                 |
| UUID          | ""                                                                 |
| UploadPath    | ""                                                                 |
| UserAttr      | ""                                                                 |
| UserDetails   | &entity.UserDetails{UserUID:"usghl3o9wzi5dhhs",                    |
|               | SubjUID:"", SubjSrc:"", PlaceID:"zz",                              |
|               | PlaceSrc:"", CellID:"zz", BirthYear:0,                             |
|               | BirthMonth:0, BirthDay:0, NameTitle:"",                            |
|               | GivenName:"authentik", MiddleName:"",                              |
|               | FamilyName:"Default Admin", NameSuffix:"",                         |
|               | NickName:"akadmin", NameSrc:"oidc",                                |
|               | UserGender:"", UserAbout:"", UserBio:"",                           |
|               | UserLocation:"", UserCountry:"", UserPhone:"",                     |
|               | SiteURL:"", ProfileURL:"", FeedURL:"",                             |
|               | AvatarURL:"", OrgTitle:"", OrgName:"",                             |
|               | OrgEmail:"", OrgPhone:"", OrgURL:"", IdURL:"",                     |
|               | CreatedAt:time.Date(2024, time.July, 12, 1,                        |
|               | 21, 24, 0, time.UTC), UpdatedAt:time.Date(2024,                    |
|               | time.July, 12, 1, 21, 24, 0, time.UTC)}                            |
| UserEmail     | "admin@xtremeownage.com"                                           |
| UserName      | "akadmin"                                                          |
| UserRole      | "guest"                                                            |
| UserSettings  | &entity.UserSettings{UserUID:"usghl3o9wzi5dhhs",                   |
|               | UITheme:"", UILanguage:"", UITimeZone:"",                          |
|               | MapsStyle:"", MapsAnimate:0, IndexPath:"",                         |
|               | IndexRescan:0, ImportPath:"", ImportMove:0,                        |
|               | DownloadOriginals:0, DownloadMediaRaw:0,                           |
|               | DownloadMediaSidecar:0, UploadPath:"",                             |
|               | DefaultPage:"", CreatedAt:time.Date(2024,                          |
|               | time.July, 12, 1, 21, 24, 0, time.UTC),                            |
|               | UpdatedAt:time.Date(2024, time.July, 12, 1, 21,                    |
|               | 24, 0, time.UTC)}                                                  |
| UserUID       | "usghl3o9wzi5dhhs"                                                 |
| VerifiedAt    | time.Date(2024, time.July, 12,                                     |
|               | 1, 21, 24, 0, time.UTC)                                            |
| VerifyToken   | ""                                                                 |
| WebDAV        | true                                                               |
|---------------|--------------------------------------------------------------------|

DEBU[2024-07-12T01:27:32Z] closed database connection
root@240711:/photoprism$

We can see an auth id, which seems like it would likely refer to the subject mentioned in the GUI interface.

So, running photoprism users mod to set the auth-id, and method...

root@240711:/photoprism$ photoprism users mod --auth-id 54b251266174b26e6e8c0919b4dc17be387c95a2605124200dbe9cf4a4f494a1 --auth oidc admin
DEBU[2024-07-12T01:30:59Z] config: overriding config with values from /storage/storage/config/options.yml
DEBU[2024-07-12T01:30:59Z] config: running on 'QEMU Virtual CPU version 2.5+', 8.3 GB memory detected
DEBU[2024-07-12T01:30:59Z] settings: loaded from /storage/storage/config/settings.yml
DEBU[2024-07-12T01:30:59Z] vips: max cache size is 64 MB, using up to 1 worker
INFO[2024-07-12T01:30:59Z] Become a member today, support our mission and enjoy our member benefits! 💎
INFO[2024-07-12T01:30:59Z] Visit https://www.photoprism.app/membership to learn more.
DEBU[2024-07-12T01:30:59Z] config: successfully initialized [35.105495ms]
DEBU[2024-07-12T01:30:59Z] migrate: running database migrations
...
DEBU[2024-07-12T01:31:00Z] migrate: completed in 41.103415ms
INFO[2024-07-12T01:31:00Z] user 'admin' has been updated
DEBU[2024-07-12T01:31:00Z] closed database connection

Then deleting the "new" oidc user via both CLI AND database (see #4394)...

This then allows you to properly migrate an existing account over to OIDC.

(Note: the default, initial username is "admin".)


Summarized version: how to migrate an existing account to OIDC without photoprism plus.

  1. Log in via OIDC to create a new account.
  2. photoprism users ls (take note of the new username).
  3. photoprism users show new_username (copy the AuthID value).
  4. photoprism users rm new_username (delete the "new" user; it's not needed).
  5. photoprism users mod --auth-id YOUR_COPIED_AUTHID --auth oidc your_old_username (update the old username with the copied OIDC details).
  6. Log in via OIDC, and you will be in your old profile.

Reverting changes and removing OIDC:

  1. Log out.
  2. Via CLI: photoprism users mod --auth-id null --auth local your_username (remove the auth id and remove OIDC).
  3. Log back in via OIDC.

Note: you are now on a new profile, since you disabled OIDC on the old profile.


Related issue:

If you run into an "Invalid Credentials" error, you may need to manually remove your user from the auth_users table; see: https://github.com/photoprism/photoprism/issues/4394

As of the posting of this ticket, its related PR, and the ticket in the primary repo, it appears photoprism users rm does not remove the record from the auth table, which will prevent that OIDC user from being able to log in or register until you either update the deleted user's auth_id or just clear the entire row.
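Added example (not from this issue or the PhotoPrism project): shell helpers for steps 3 and 5 above that pull the AuthID out of `photoprism users show` output and compose the `photoprism users mod` command for review before it is run. It assumes the table layout matches the sample output in this issue and that an AuthID is a 64-character hex string as in that sample; the embedded table and its values are constructed.

```shell
#!/bin/sh
# Helpers for migrating an existing PhotoPrism account to OIDC via the CLI.
# Assumes the `users show` table layout from the issue above; the sample
# below is constructed and its AuthID is not a real value.

# Constructed, trimmed sample of `photoprism users show new_username` output.
SAMPLE_SHOW='| AuthID        | "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef" |
| AuthIssuer    | "https://idp.example.com/application/o/photoprism/"                |
| AuthProvider  | "oidc"                                                             |
| UserName      | "new_username"                                                     |'

# Print one field of a `users show` table, stripped of padding and quotes.
# $1 = field name, stdin = table text.
show_field() {
    awk -F'|' -v f="$1" '
        { gsub(/^[ \t]+|[ \t]+$/, "", $2); gsub(/^[ \t]+|[ \t]+$/, "", $3) }
        $2 == f { gsub(/"/, "", $3); print $3; exit }'
}

# Succeed only if the value has the AuthID shape seen in the issue (64 hex chars),
# so a blank or multi-line field is never pasted into `users mod`.
valid_auth_id() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{64}$'
}

# Compose the step-5 command for the old account. It prints the command rather
# than executing it, so the operator can check the AuthID and username first.
# $1 = old username, stdin = `users show` output of the new OIDC account.
build_migrate_cmd() {
    auth_id=$(show_field AuthID)
    valid_auth_id "$auth_id" || { echo "unexpected AuthID: '$auth_id'" >&2; return 1; }
    printf 'photoprism users mod --auth-id %s --auth oidc %s\n' "$auth_id" "$1"
}

# Usage with the constructed sample; on a real host replace SAMPLE_SHOW with
# `photoprism users show new_username`.
printf '%s\n' "$SAMPLE_SHOW" | build_migrate_cmd admin
```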

XtremeOwnageDotCom commented 4 months ago

@lastzero I did have an issue over in the docs repo for updating the docs!

Since the commits are in, I'll go ahead and close this one, along with the PR.

Closed #184, resolved by these commits: