Replies: 15 comments 12 replies
-
|
Hi @Trembler34, Both issues come down to the same thing: NextAuth derives the OIDC Fix:
We saw the same root cause in discussion #182 (different symptom there, login was failing silently because of the same URL mismatch). We should make the installer prompt for the public URL by default, will track that. On your second question (2FA on the local super_admin, or disabling local login once SSO works): neither is implemented today. The 2FA section you see in Settings is the pass-through for Proxmox VE's own TFA settings, not for ProxCenter accounts. Local-account 2FA / TOTP is tracked in #140, and "SSO-only mode" isn't on the roadmap yet but it's a fair ask, feel free to open a feature request and we'll line it up alongside #140. Thanks! |
Beta Was this translation helpful? Give feedback.
-
|
It seems to break things when i change the URL.. Here is what happens. When i change the nextauth URL from http://ip:3000 to https://fqdn The NGINIX proxy no longer works, also trying to connect to proxcenter from the internal IP, the page pulls up but you cannot authenticate into the instance. It will not take the credentials. As soon as i put things back everything works as it should. It seems as if the proxy can no longer recognize proxcenter on that internal IP to route traffice from http://ip to https://fqdn and therefore breaks the proxy. but the more concerning aspect of it is that you can't even login directly via IP anymore so it seems to be a two part issue created by changing the URL.
|
Beta Was this translation helpful? Give feedback.
-
|
Update on the local-2FA portion of your second question, @Trembler34. Local TOTP two-factor authentication has shipped on What you get out of the box:
This is on top of the OIDC reverse-proxy Available in the next release. Let us know if anything is off. |
Beta Was this translation helpful? Give feedback.
-
|
awesome that is perfect.. Is that also going to fix the issue i have above with the Token? |
Beta Was this translation helpful? Give feedback.
-
|
Two separate things here, neither related to 2FA, @Trembler34. 1. The nginx
|
Beta Was this translation helpful? Give feedback.
-
Beta Was this translation helpful? Give feedback.
-
|
that change still generates the oauth error
|
Beta Was this translation helpful? Give feedback.
-
|
DUO is sending The red docker compose -f /opt/proxcenter/docker-compose.yml logs --tail=200 proxcenter-frontend | grep -A 20 -iE 'oauth|next-auth|oidc'While you do that, two things worth checking in parallel that often cause this exact symptom once the scope fix is in:
The log line will narrow it down to one of those (or a different cause). Paste it and we will close this out. |
Beta Was this translation helpful? Give feedback.
-
Beta Was this translation helpful? Give feedback.
-
|
That's my mistake on the service name, sorry. The service inside docker compose -f /opt/proxcenter/docker-compose.yml logs --tail=200 frontend | grep -A 20 -iE 'oauth|next-auth|oidc'docker compose -f /opt/proxcenter/docker-compose.yml exec frontend printenv NEXTAUTH_URLOr, working off the container name with plain docker logs --tail=200 proxcenter-frontend | grep -A 20 -iE 'oauth|next-auth|oidc'
docker exec proxcenter-frontend printenv NEXTAUTH_URLYou are right that |
Beta Was this translation helpful? Give feedback.
-
|
Good news first, @Trembler34: we're past the scope problem. The new log line is openid-client's iss validation step, and the What's happeningWhen the OIDC config in ProxCenter has the manual override URLs filled in (Authorization URL, Token URL, Userinfo URL), our backend skips OIDC discovery and constructs the provider from those URLs directly. The issuer metadata never gets loaded, so NextAuth's id_token validator has nothing to compare the DUO's id_token claims Fix on your sideIn
Scopes ( Fix on our sideWe're patching this in v1.4.2 so the manual-override path passes the issuer through to NextAuth explicitly. That removes the foot-gun for anyone who copy-pastes all four URLs from the discovery doc. Let us know once the override fields are cleared. The next failed callback should either succeed or produce a real iss mismatch line we can read. |
Beta Was this translation helpful? Give feedback.
-
|
Perfect, glad that did it, @Trembler34. For the record so the thread is self-contained: the override fields under Advanced Endpoints (Authorization URL, Token URL, Userinfo URL) are optional. With them blank, ProxCenter uses Duo's We've patched that path for the next release (v1.4.2): the configured Issuer URL is now passed through even when the override fields are populated, so the foot-gun is gone either way. Docs are being updated to call this out too. Since your Duo MFA fires at the OIDC step, your sign-in is now fully covered, and the local super_admin TOTP from #351 is there for the backdoor account you wanted to harden. Closing this out, reopen if anything resurfaces. |
Beta Was this translation helpful? Give feedback.
-
|
ProxCenter's console is noVNC (VNC over WebSocket), not SPICE. It is the same console as the "noVNC" button in the Proxmox web UI. SPICE has no in-browser renderer anywhere (not in ProxCenter, not in upstream Proxmox): it needs a native client (virt-viewer / remote-viewer) opening a The missing mouse emulation is the USB tablet device. noVNC needs a USB tablet (absolute pointer) to track 1:1. With the display set to qxl/SPICE and the tablet off, VNC falls back to a relative pointer, which is exactly your symptom. Fix: VM > Hardware, enable USB Tablet (or For smoother performance, a qxl display tuned for SPICE feels sluggish over the VNC path. Try Standard VGA (std) or VirtIO-GPU for the in-browser console. True SPICE (audio, USB redirection, multi-monitor) stays a native-client workflow against the host. We do not render SPICE in-browser today. A "download .vv / open in virt-viewer" button is a fair feature request if your team would use it, happy to line it up. |
Beta Was this translation helpful? Give feedback.
-
|
Tablet is set, so we can rule out the absolute pointer. With the reverse proxy in front, what you are seeing as "no mouse emulation" is almost certainly proxy buffering: nginx (and Nginx Proxy Manager) default to On plain nginx, add this inside the proxy_buffering off;
proxy_request_buffering off;
proxy_read_timeout 3600s;
proxy_send_timeout 3600s;On Nginx Proxy Manager (your toggles above look like NPM), the same four lines go into the proxy host's Advanced tab, under Custom Nginx Configuration. The host reloads on its own. The two Keep Trust Upstream Forwarded Proto Headers disabled as you have it. That toggle is for ProxCenter behind a chain of proxies, which is not your case, and turning it on with a single hop would let a client spoof |
Beta Was this translation helpful? Give feedback.
-
|
On the inventory tree header collapsing the whole section when you click it to see the infrastructure-health dashboard: tracked as #366, will go out in the next release. The PROXMOX VE (and NETWORK) header will be select-only, with the |
Beta Was this translation helpful? Give feedback.








Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
-
My proxcenter is behind a reverse proxy with FQDN and Cert via nginix, working fine.
When i go to setup SSO/OIDC via DUO i notice proxcneter is passing the Internal IP address as the URL.. How do i change this to present the FQDN to DUO so it matches the request? This redirect URI will need to be the FQDN because after you make the login request and approve SSO to provision the user it will timeout looking for the IP as it obviously can't reach that.
Is there a setup guide for this somwhere? Thanks
also, since it is semi related to this. Is there a way to add some kind of 2fa auth to the local super admin account? Once i get SSO working, there needs to be a way to secure this local admin account for backdoor access with a long password string and some kind of 2fa like ttop.. or turn it off somehow so only sso works.
Beta Was this translation helpful? Give feedback.
All reactions