[Feedback] OpenID and multi-user

[matt-fidd]

Thanks to @lelemm, OpenID and multi-user support was added to Actual in #3878 as an experimental feature. This issue is to track feedback/bugs/issues/requests related specifically to that feature.

[shaankhosla]

Thanks @lelemm for this amazing feature!

I'm having some trouble setting this up with Authelia. I'm getting the following error after trying to sign in with OpenId:

status	"error"
reason	"openid-grant-failed"

When I look at the logs for Actual I see the following:

2024-12-24T02:24:06.997Z info: GET 200 /account/needs-bootstrap
2024-12-24T02:24:07.054Z info: GET 304 /account/needs-bootstrap
2024-12-24T02:24:07.107Z info: GET 304 /account/needs-bootstrap
2024-12-24T02:24:07.168Z info: GET 200 /admin/owner-created/
Logging in via openid
2024-12-24T02:24:08.554Z info: POST 200 /account/login
OpenID grant failed: RPError: iss missing from the response
    at Client.callback (/app/node_modules/openid-client/lib/client.js:436:13)
    at loginWithOpenIdFinalize (file:///app/src/accounts/openid.js:177:31)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async file:///app/src/app-openid.js:86:24 {
  params: {
    code: '<redacted>',
    state: '<redacted>'
  }
}

Anyone know what I might be doing wrong?

[lelemm]

I'm not on the PC right now, but maybe authelia does not implement openid, but oauth2.

If that's the case, you have to setup it using the config.json on the server specifying the authMethod to oauth2 instead of openid
Check this PR for more details https://github.com/actualbudget/actual-server/pull/527/files

Thanks @lelemm for this amazing feature!

I'm having some trouble setting this up with Authelia. I'm getting the following error after trying to sign in with OpenId:

status	"error"
reason	"openid-grant-failed"

When I look at the logs for Actual I see the following:

2024-12-24T02:24:06.997Z info: GET 200 /account/needs-bootstrap
2024-12-24T02:24:07.054Z info: GET 304 /account/needs-bootstrap
2024-12-24T02:24:07.107Z info: GET 304 /account/needs-bootstrap
2024-12-24T02:24:07.168Z info: GET 200 /admin/owner-created/
Logging in via openid
2024-12-24T02:24:08.554Z info: POST 200 /account/login
OpenID grant failed: RPError: iss missing from the response
    at Client.callback (/app/node_modules/openid-client/lib/client.js:436:13)
    at loginWithOpenIdFinalize (file:///app/src/accounts/openid.js:177:31)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async file:///app/src/app-openid.js:86:24 {
  params: {
    code: '<redacted>',
    state: '<redacted>'
  }
}

Anyone know what I might be doing wrong?

[shaankhosla]

I'm not on the PC right now, but maybe authelia does not implement openid, but oauth2.

If that's the case, you have to setup it using the config.json on the server specifying the authMethod to oauth2 instead of openid Check this PR for more details https://github.com/actualbudget/actual-server/pull/527/files

Thanks @lelemm for this amazing feature!
I'm having some trouble setting this up with Authelia. I'm getting the following error after trying to sign in with OpenId:

status	"error"
reason	"openid-grant-failed"

When I look at the logs for Actual I see the following:

2024-12-24T02:24:06.997Z info: GET 200 /account/needs-bootstrap
2024-12-24T02:24:07.054Z info: GET 304 /account/needs-bootstrap
2024-12-24T02:24:07.107Z info: GET 304 /account/needs-bootstrap
2024-12-24T02:24:07.168Z info: GET 200 /admin/owner-created/
Logging in via openid
2024-12-24T02:24:08.554Z info: POST 200 /account/login
OpenID grant failed: RPError: iss missing from the response
    at Client.callback (/app/node_modules/openid-client/lib/client.js:436:13)
    at loginWithOpenIdFinalize (file:///app/src/accounts/openid.js:177:31)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async file:///app/src/app-openid.js:86:24 {
  params: {
    code: '<redacted>',
    state: '<redacted>'
  }
}

Anyone know what I might be doing wrong?

Thanks, I'll dig around! I think Authelia has OpenID based on this, but I'll try the config.json.

[shaankhosla]

I'm not on the PC right now, but maybe authelia does not implement openid, but oauth2.
If that's the case, you have to setup it using the config.json on the server specifying the authMethod to oauth2 instead of openid Check this PR for more details https://github.com/actualbudget/actual-server/pull/527/files

Thanks @lelemm for this amazing feature!
I'm having some trouble setting this up with Authelia. I'm getting the following error after trying to sign in with OpenId:

status	"error"
reason	"openid-grant-failed"

When I look at the logs for Actual I see the following:

2024-12-24T02:24:06.997Z info: GET 200 /account/needs-bootstrap
2024-12-24T02:24:07.054Z info: GET 304 /account/needs-bootstrap
2024-12-24T02:24:07.107Z info: GET 304 /account/needs-bootstrap
2024-12-24T02:24:07.168Z info: GET 200 /admin/owner-created/
Logging in via openid
2024-12-24T02:24:08.554Z info: POST 200 /account/login
OpenID grant failed: RPError: iss missing from the response
    at Client.callback (/app/node_modules/openid-client/lib/client.js:436:13)
    at loginWithOpenIdFinalize (file:///app/src/accounts/openid.js:177:31)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async file:///app/src/app-openid.js:86:24 {
  params: {
    code: '<redacted>',
    state: '<redacted>'
  }
}

Anyone know what I might be doing wrong?

Thanks, I'll dig around! I think Authelia has OpenID based on this, but I'll try the config.json.

I tried with the config.json and set the authMethod to "oauth2" but still got the same error.

[lelemm]

I'm not on the PC right now, but maybe authelia does not implement openid, but oauth2.
If that's the case, you have to setup it using the config.json on the server specifying the authMethod to oauth2 instead of openid Check this PR for more details https://github.com/actualbudget/actual-server/pull/527/files

Thanks @lelemm for this amazing feature!
I'm having some trouble setting this up with Authelia. I'm getting the following error after trying to sign in with OpenId:

status	"error"
reason	"openid-grant-failed"

When I look at the logs for Actual I see the following:

2024-12-24T02:24:06.997Z info: GET 200 /account/needs-bootstrap
2024-12-24T02:24:07.054Z info: GET 304 /account/needs-bootstrap
2024-12-24T02:24:07.107Z info: GET 304 /account/needs-bootstrap
2024-12-24T02:24:07.168Z info: GET 200 /admin/owner-created/
Logging in via openid
2024-12-24T02:24:08.554Z info: POST 200 /account/login
OpenID grant failed: RPError: iss missing from the response
    at Client.callback (/app/node_modules/openid-client/lib/client.js:436:13)
    at loginWithOpenIdFinalize (file:///app/src/accounts/openid.js:177:31)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async file:///app/src/app-openid.js:86:24 {
  params: {
    code: '<redacted>',
    state: '<redacted>'
  }
}

Anyone know what I might be doing wrong?

Thanks, I'll dig around! I think Authelia has OpenID based on this, but I'll try the config.json.

I tried with the config.json and set the authMethod to "oauth2" but still got the same error.

To use the configuration in the file, you need to run the commands.
First disable the openid
yarn/npm run disable-openid
Then run
yarn/npm run enable-openid

This script will take the configuration from the file into the database

[shaankhosla]

Ah thanks, I didn't realize I had to run that command for it to use the config. That worked! I had to switch my docker container from edge-alpine to just edge to have npm in it.

[shaankhosla]

Actually, that seemed like it fixed the issue but I don't think it did.

After I run those commands I'm able to sign in (with account A) and assign a budget file to myself as admin. However, if I try to sign in through a different user account (with account B) in incognito mode I get the same openid-grant-failed error I was seeing before. I then re-ran the disable/enable commands again and signed in with account B, at which point account B became the admin and I couldn't see account A in the user directory list. Then I tried signing in with account A and got the same openid-grant-failed error as before.

[lelemm]

You have to give access to the second user in the user directory

[lelemm]

@shaankhosla https://deploy-preview-447.www.actualbudget.org/docs/experimental/multi-user

[shaankhosla]

Got it, it's working as expected. I thought that new users would be added to that automatically at sign in. Thanks for all of your help!

[feyleth]

it is possible to use multi-user without need to login with openID ?

[lelemm]

it is possible to use multi-user without need to login with openID ?

Nope. They are tied together for now. One can expand for internal user management

[alexsalex]

HI! Thank you for this future! Amazing!

But could you write some documentation about it? For example: what is the redirect URL for OAuth2?

[lelemm]

https://your-actual-server-domain:your-actual-server/openid/callback

[nichtdu]

just added via authentik. worked flawless so far. Enabling was quiet easy as well.

The fact that it deletes the url in case you change auth-provider in setup is a little confusing though - or rather the fact that it accepts invalid url and does not tell you (it resetted to placeholders but i did not notice and hit ok again - and i was not able to see error on first sight)

[mocdaniel]

I noticed that arbitrary users seem to be able to access budget files of other users as long as they log in from the same device.

Consider the following situation - I got two users in my IAM solution (Authentik), one is called Daniel Bodky and is Admin in Actualbudget, the other is called John Doe and got added to the user directory of Actualbudget manually:

There is only one budget file available on the server, called Daniel. It has been created by the admin user and is configured to be accessible only by him:

However, if I log in to Actualbudget with the second user John Doe, I am offered to open the budget file. It even states that the supposedly unprivileged user is the file owner. Consequently, I can open and edit the budget with the unprivileged user (note the username in the top right):

If I login as John Doe from a private browser window, the behavior is as expected: The user doesn't have a budget file yet, so none is displayed; the budget file(s) of other users don't show either.

I guess this is due to the offline capabilities of Actualbudget, and the fact that all local files are available in the device/browser? So once a budget file has been downloaded to a device/browser, it's accessible to all users that might log in on that device/browser?

[lelemm]

I guess this is due to the offline capabilities of Actualbudget, and the fact that all local files are available in the device/browser? So once a budget file has been downloaded to a device/browser, it's accessible to all users that might log in on that device/browser?

You are completely right. That's how its working atm

[mocdaniel]

Are there plans to mitigate this behavior in the future? Maybe by 'disabling' offline mode when enabling OIDC auth/multi-user support?

[lelemm]

AFAIK, not planned, but I guess with enough feedback for it will probably be mitigated

[ReclaimedBytes]

Working well here with Pocket ID. Thanks for implementing!

[lelemm]

Would be nice if someone is using a different OpenID provider, give some information like this:

    {
      label: 'Microsoft Entra',
      value: 'microsoft',
      issuer: 'https://login.microsoftonline.com/{tenant-id}',
      clientIdRequired: true,
      clientSecretRequired: true,
      tip: (
        <Link
          variant="external"
          to="https://learn.microsoft.com/en-us/entra/identity-platform/v2-protocols-oidc"
        >
          <Trans>OpenID Connect on the Microsoft identity platform</Trans>
        </Link>
      ),
    }

So the list of validated providers can be increased for future users

[ReclaimedBytes]

Where would I find that?

[lelemm]

Where would I find that?

That would be built by you, if you have the knowledge

[woolfyx]

Firstly, thanks for this great features ! 😍

Quick question regarding claims used to retrieve user information.Actually, at least for Entra ID, the username seems to be mapped to the display name? Is it correct? Maybe it can be interesting to be customized to use the UPN (which is unique in Entra ID - not sure it's the case for display name), for example?

This question aside, authentication process works perfectly.

[lelemm]

Firstly, thanks for this great features ! 😍

Quick question regarding claims used to retrieve user information.Actually, at least for Entra ID, the username seems to be mapped to the display name? Is it correct? Maybe it can be interesting to be customized to use the UPN (which is unique in Entra ID - not sure it's the case for display name), for example?

This question aside, authentication process works perfectly.

The username saved is a little clunky honestly.
in the spec, there are definitions of the name of the fields, but I guess some providers just do what they want lol.
probably for Entra Id is catching a bad value (on the big list of possible values).

[Arnoud-B]

To test this, I:

1. Created an account on auth0, created a (fake) web app and created a user there. For the callback URL I used https://actual.domain.com:5006/openid/callback.
2. Attempted a sign in with the user I created on auth0 and got an error message. I went back to the login page to try again, and now it logged me in automatically (weird?).
3. I opened a budget file, which worked. But when closing the budget file, it says: "Owner: Unassigned". Another budget file is showing the same, and a third (test) budget file is showing "Owner: Server". I expected the Owner to be the first OpenID user to open the budget file.

[lelemm]

based on this topic, I asked chatgpt to summarize what was discussed here:

Consolidated Feedback on OpenID and Multi-User Support for Actual Budget

---

General Overview

This discussion tracks feedback, bug reports, and improvement suggestions related to the OpenID and multi-user support feature in Actual Budget. Below is a consolidated summary of reported issues, solutions, and requested improvements.

---

1. Setup Issues & Troubleshooting

Common Errors Reported:

1. "openid-grant-failed" due to missing iss in response

   • Occurred when trying to log in with Authelia and Authentik.
   • Solution: Ensure Authelia is correctly configured and, if necessary, switch authMethod to OAuth2 in config.json.
   • Running disable-openid and enable-openid commands was required to apply changes.

2. Error: "unable to get local issuer certificate"

   • Issue when setting up OpenID with a self-hosted Authentik using Caddy as a reverse proxy.
   • Solution: Ensure certificates are copied correctly to /usr/local/share/ca-certificates/ and update CA certs accordingly.

3. Error: "Invalid callback URL" when using Pocket ID

   • Solution: The correct callback URL format is https://actual.budget.tld/openid/callback.

4. Users need to be manually created before logging in

   • OpenID does not automatically create user accounts in Actual.
   • Solution: Users need to be manually added via the User Directory.

5. Switching Docker container from edge-alpine to edge

   • Required to include npm for running OpenID setup commands.

6. Login works for the first user but fails for additional users

   • Signing in with a second user resulted in openid-grant-failed errors, and signing back in with the first user caused the same issue.
   • Solution: New users must be explicitly granted access via the User Directory.

---

2. User Experience (UX) & Documentation Improvements

Proposed UX Enhancements:

1. Add a warning in the "Enable OpenID" dialog

   • Users should be reminded to export their data before enabling OpenID, not for technical reasons but to reduce support requests from users thinking their data was lost.

2. Consider adding a guided data backup flow

   • A step-by-step process for backing up data before enabling experimental features could improve safety and ease of use.

3. Clarify in the documentation that OpenID does not create users automatically

   • Users should be informed that they must manually add new accounts after enabling OpenID.

4. Provide an option to bypass the login screen

   • When OpenID is the only login method, users should have the option to be redirected directly to the identity provider.

---

3. Feature Requests & Enhancements

Feature Requests:

1. Support multi-user login without OpenID

   • Some users want multi-user support but without requiring OpenID.

2. Fix SimpleFin token sharing issue

   • Bug: When multiple users/budgets exist, they share the same SimpleFin token, which results in unintended data access.
   • Expected Behavior: Each budget should have its own separate SimpleFin token.

3. Ability to disable password login when OpenID is enabled

   • Setting environment variables (ACTUAL_LOGIN_METHOD=openid) does not remove password login from the dropdown.
   • Expected Behavior: If OpenID is the only allowed method, the password option should be hidden.

4. Automatic user provisioning with OpenID

   • OpenID logins should automatically create user accounts in Actual instead of requiring manual creation.

---

4. User Experiences & Success Stories

Users Who Successfully Set Up OpenID

• Pocket ID: Works correctly once the proper callback URL is set.
• Authentik: Successfully configured OpenID login.
• Self-hosted with Caddy: Works after fixing certificate paths.

Users Who Faced Challenges

• Authelia users: Faced issues due to potential OAuth2 vs. OpenID incompatibility.
• Authentik users: Faced issues with missing issuer certificate and manual user creation.

---

5. Summary of Next Steps

Fixes & Enhancements Required:

⏳ Clarify in documentation that OpenID does not auto-create users.
⏳ Fix SimpleFin token sharing issue for multi-user environments.
⏳ Allow disabling password login completely when OpenID is enforced.
✔ Provide a direct redirect option when OpenID is the only method. #4399
⏳ Improve OpenID user provisioning (automatic user creation on first login).
⏳ Improve UX with data backup prompts before enabling OpenID.

---

Final Thoughts

The OpenID and multi-user feature in Actual is highly appreciated but still requires refinements, particularly in automatic user creation, improved UX, and better support for multiple budgets.

[JazzyJosh]

Is there a specific reason there's not an environment variable for auth type and it has to be set manually in the config?

Seems like it'll be a pain to set up Github/other OAuth2 mechanisms on hosts like fly.io and pika pods. Presumably you'd need to extend the released docker image to customize the config

I'd tinker with the change myself, but I don't have a ton of auth experience so don't want to mess around with that too much.

[lelemm]

Is there a specific reason there's not an environment variable for auth type and it has to be set manually in the config?

Seems like it'll be a pain to set up Github/other OAuth2 mechanisms on hosts like fly.io and pika pods. Presumably you'd need to extend the released docker image to customize the config

I'd tinker with the change myself, but I don't have a ton of auth experience so don't want to mess around with that too much.

I'm very busy at work lately. I will do changes on this when I'm more available.

[JazzyJosh]

No rush of course, appreciate your contributions.

[ishanjain28]

Hi @lelemm I would like to add a feature request here.

I do not expose actual budget's web interface to public for security reasons and it sits behind the Authelia Login page. I have configured open id and right now, I have to login twice to get to the AB dashboard.

Would you consider adding a flag to auto redirect user to the open id login page if open id is configured when the user opens the AB website ?

Auto redirect in combination with pre configured consent would mean that I can have a better login flow where people have to login just once to Authelia. After which, They'll come to AB login page which redirects them to the open id page. Then, We have pre configured consent so they are immediately sent back to AB with the login token.

This'll result in a better login flow without compromising on security in any way

[danielgraycode]

This feature is working great, just one suggestion:
I run actual over several domains to provide convinient access methods for different persons, however with the openID functionality it is restricted to one callback URL, meaning it isn't compatible with my current setup. Is it possible to implement a list of allowed hostnames to redirect to/auto grab from the current URL to allow for multi domain functionality?

[pboling]

I'd like to get some clarity on what type of OpenID this feature targets. Based on a tiny number of references in comments, and the release notes, it looks like OpenID Connect, which is based on the OAuth 2 standard. If that is the case, what is the difference between the openid and oauth2 settings? OpenID, when used without "Connect", tends to refer to the older OpenID v1 and OpenID v2 standards, which are now deprecated in favor of OpenID Connect (OIDC), which is OpenID v3 in spirit, but never referred to as such.

[lelemm]

this is for OIDC, it serves as authentication and identity.
the oauth2 is just for backward compatibility, when there is no identity endpoint, so you can specify other endpoint to search for identity (like github https://api.github.com/user )

[jantznick]

I'm running into some issues where when I go to the user directory page and it makes a get call to get the user list, it's giving me a 'Too many requests, please try again later' error. This is then preventing me from creating a new user as well when it tries to make the new user post. Sometimes it seems to log me out too. It seems to be hitting the server over and over making the get user list request, interestingly, after a little bit of this the requests start to run just fine, but the POST to create the new user is still broke.

Running in docker on linux and accessing on a mac. Only local network, use authentik as the provider. I'm happy to help troubleshoot with any more info that might be needed. I will try and get a video of it happening in the next day or so.

Otherwise, very appreciative of everyone working on this feature.

Edit to add, it's definitely hammering the server with the get users request, over 2000 of them while I wrote up that comment, was able to copy the POST to create a user as curl from the network tab and sent it from the hosting server and it worked just fine to create the new user.

[lelemm]

I'm running into some issues where when I go to the user directory page and it makes a get call to get the user list, it's giving me a 'Too many requests, please try again later' error. This is then preventing me from creating a new user as well when it tries to make the new user post. Sometimes it seems to log me out too. It seems to be hitting the server over and over making the get user list request, interestingly, after a little bit of this the requests start to run just fine, but the POST to create the new user is still broke.

Running in docker on linux and accessing on a mac. Only local network, use authentik as the provider. I'm happy to help troubleshoot with any more info that might be needed. I will try and get a video of it happening in the next day or so.

Otherwise, very appreciative of everyone working on this feature.

Edit to add, it's definitely hammering the server with the get users request, over 2000 of them while I wrote up that comment, was able to copy the POST to create a user as curl from the network tab and sent it from the hosting server and it worked just fine to create the new user.

I noticed that too. I'm investigating

[SplendidAppendix]

Hi @lelemm I would like to add a feature request here.

I do not expose actual budget's web interface to public for security reasons and it sits behind the Authelia Login page. I have configured open id and right now, I have to login twice to get to the AB dashboard.

Would you consider adding a flag to auto redirect user to the open id login page if open id is configured when the user opens the AB website ?

Auto redirect in combination with pre configured consent would mean that I can have a better login flow where people have to login just once to Authelia. After which, They'll come to AB login page which redirects them to the open id page. Then, We have pre configured consent so they are immediately sent back to AB with the login token.

This'll result in a better login flow without compromising on security in any way

Tell me you haven't read the discussion without telling me you haven't read the discussion 😛. Auto redirect to the IDP has already been called out.

[ishanjain28]

Ah okay. I did read it but I must have missed it. Thanks for the correction

[lelemm]

Auto redirect is already developed for my branch, I just need to implement the OIDC Provider logout to avoid login again after a logout

[pboling]

@lelemm Wondering if there has been any thought to separating the data synced back to local devices from the server when multi-user is enabled.

If a single server is used to host budgets of multiple people who have no connection to each other it seems like all their data would sync to all of their individual devices. Is that how it works? Is there any documentation or link to a discussion about how this works from a security and privacy perspective?

With ElectricSQL (Sqlite in browser and PostgreSQL on Server) it uses DDLX rules and Shapes to control what each device receives from the cloud (I.e. from potential other users).

ref: https://legacy.electric-sql.com/docs/intro/sync-controls

[lelemm]

5. Summary of Next Steps

Fixes & Enhancements Required:

⏳ Clarify in documentation that OpenID does not auto-create users.
⏳ Fix SimpleFin token sharing issue for multi-user environments.
⏳ Allow disabling password login completely when OpenID is enforced.
✔ Provide a direct redirect option when OpenID is the only method. #4399
⏳ Improve OpenID user provisioning (automatic user creation on first login).
⏳ Improve UX with data backup prompts before enabling OpenID.

[SplendidAppendix]

Ah okay. I did read it but I must have missed it. Thanks for the correction

I was just teasing, hope it didn't come off as anything else. I just wanted to make sure you saw that it was already in the works at the time.

[lelemm]

5. Summary of Next Steps

Fixes & Enhancements Required:

⏳ Enhance docs with the many OpenID changes.
⏳ Fix SimpleFin token sharing issue for multi-user environments.
✔️ Allow disabling password login completely when OpenID is enforced. #4423
✅ Provide a direct redirect option when OpenID is the only method. #4399
✔️ Improve OpenID user provisioning (automatic user creation on first login). #4421
⏳ Improve UX with data backup prompts before enabling OpenID.

[rcrisanti]

I'm running into some issues where when I go to the user directory page and it makes a get call to get the user list, it's giving me a 'Too many requests, please try again later' error. This is then preventing me from creating a new user as well when it tries to make the new user post. Sometimes it seems to log me out too. It seems to be hitting the server over and over making the get user list request, interestingly, after a little bit of this the requests start to run just fine, but the POST to create the new user is still broke.
Running in docker on linux and accessing on a mac. Only local network, use authentik as the provider. I'm happy to help troubleshoot with any more info that might be needed. I will try and get a video of it happening in the next day or so.
Otherwise, very appreciative of everyone working on this feature.
Edit to add, it's definitely hammering the server with the get users request, over 2000 of them while I wrote up that comment, was able to copy the POST to create a user as curl from the network tab and sent it from the hosting server and it worked just fine to create the new user.

I noticed that too. I'm investigating

I also am running into this exact issue. Just want to make sure I'm not missing anything, is there a diagnosis/solution to this?

[lelemm]

I'm running into some issues where when I go to the user directory page and it makes a get call to get the user list, it's giving me a 'Too many requests, please try again later' error. This is then preventing me from creating a new user as well when it tries to make the new user post. Sometimes it seems to log me out too. It seems to be hitting the server over and over making the get user list request, interestingly, after a little bit of this the requests start to run just fine, but the POST to create the new user is still broke.
Running in docker on linux and accessing on a mac. Only local network, use authentik as the provider. I'm happy to help troubleshoot with any more info that might be needed. I will try and get a video of it happening in the next day or so.
Otherwise, very appreciative of everyone working on this feature.
Edit to add, it's definitely hammering the server with the get users request, over 2000 of them while I wrote up that comment, was able to copy the POST to create a user as curl from the network tab and sent it from the hosting server and it worked just fine to create the new user.

I noticed that too. I'm investigating

I also am running into this exact issue. Just want to make sure I'm not missing anything, is there a diagnosis/solution to this?

There is a fix for this on next release

[cswrd]

Are there any plans to be able to migrate or merge existing actual budget instances into one with multi-user support?

[tugdualenligne]

Not sure I get it: aren’t existing instances natively Multi-user? I just upgraded the container to the latest version and that’s it

[cswrd]

I mean multiple separate instances that were create before there was an (experimental) multi-user support, e.g. when hosting separate instances for family members. So will it be possible to migrate / merge them into one instance facilitating the integrated multi-user feature.

[lelemm]

Just export the budget and import in the final instance

[sebastianfredette]

Heyo, first -- thank you for doing this!

Second, I might be doing something wrong (or hopping on this before it's ready), but I'm having a bit of trouble with the new ACTUAL_OPENID_ENFORCE=true environmental variable (added by #4423 ). Adding it to my compose.yml seems to have the intented effect (i.e., only the OpenID button is available when navigating to my Actual instance). Clicking "Sign in with OpenID" also directs me to my SSO provider as expected. But, if I hit the back button on my SSO page (before signing in), Actual offers to let me sign in with my password.

This might be intentional (in case SSO is misconfigured maybe?) but, if so, "enforce" might be a bit misleading.

[g4m3r7ag]

Is there a way to disable the login with password option after OIDC is configured? I setup the app/provider in Authentik, setup OIDC in Actual using the UI, it took me back to the login and I chose login with OpenID and it authenticated me through Authentik correctly and seems to be working fine. But if I logout, the login screen gives me the option to login with either Open ID or Password. I was hoping to disable the password option from the login screen before exposing my Actual URL so that I can make transaction entries while out from my phone.

[lelemm]

Heyo, first -- thank you for doing this!

Second, I might be doing something wrong (or hopping on this before it's ready), but I'm having a bit of trouble with the new ACTUAL_OPENID_ENFORCE=true environmental variable (added by #4423 ). Adding it to my compose.yml seems to have the intented effect (i.e., only the OpenID button is available when navigating to my Actual instance). Clicking "Sign in with OpenID" also directs me to my SSO provider as expected. But, if I hit the back button on my SSO page (before signing in), Actual offers to let me sign in with my password.

This might be intentional (in case SSO is misconfigured maybe?) but, if so, "enforce" might be a bit misleading.

its not intentional. probably not triggering the filter when you hit back

[lelemm]

Is there a way to disable the login with password option after OIDC is configured? I setup the app/provider in Authentik, setup OIDC in Actual using the UI, it took me back to the login and I chose login with OpenID and it authenticated me through Authentik correctly and seems to be working fine. But if I logout, the login screen gives me the option to login with either Open ID or Password. I was hoping to disable the password option from the login screen before exposing my Actual URL so that I can make transaction entries while out from my phone.

its being added next release: #4423

[savely-krasovsky]

At "User Directory" page something crazy is going on, it's trying to fetch /api/users forever until it starts to get 429:

Screenshot

I use the latest v25.2.1, it's behind Traefik, anything special.

UPD. My guess problem is related to Traefik: https://community.traefik.io/t/http-router-removes-upstream-content-type-under-specific-conditions/25539

[lelemm]

At "User Directory" page something crazy is going on, it's trying to fetch /api/users forever until it starts to get 429:

I use the latest v25.2.1, it's behind Traefik, anything special.

UPD. My guess problem is related to Traefik: https://community.traefik.io/t/http-router-removes-upstream-content-type-under-specific-conditions/25539

There is a bug fix ready for next release