After having some good time with no problems, suddenly OIDC in Penpot is not working - again. Last time it was the certificates which i got fixed.
now - without changing anything in the config file - it stopped working.
DevTools, Backend and Frontend are telling me that the oidc provider is not configurated.
/api/auth/oidc?provider=oidc - gives me nothing.
Console says:
POSThttps://subdomain.domain.de/api/auth/oidc?provider=oidc[HTTP/2 400 16ms]
Restriction Error: provider not configured exceptions.cljc:301:9
==================== Data: -------------------- {:type :restriction, :code :sso-provider-not-configured, :hint “provider not configured”, :provider “oidc”, :uri “https://subdomain.domain.de/api/auth/oidc?provider=oidc”, :status 400}
Under environment in backend i have this elements:
PENPOT_OIDC_BASE_URI: …
PENPOT_OIDC_CLIENT_ID: …
PENPOT_OIDC_CLIENT_SECRET: …
and i enabled it in the flags.
how can i proceed to find the error? maybe it was an ubuntu update that is now blocking something.
Hello @DichterD ,
Which Penpot version are you running? Did you update it recently?
i did not update it before it started to fail. i now updatet it to 2.15.3 to see if this helps - did not.
previously i had a problem with the java certs. i fixed this problem but interrestingly, when i remove the cert folder from the penpot config, it still gives me the error.
Could you check if the backend logs show any OIDC / SSL / certificate / discovery related error during startup?
exec /opt/jre/bin/java -Dim4java.useV7=true -Djava.util.logging.manager=org.apache.logging.log4j.jul.LogManager -Dlog4j2.configurationFile=log4j2.xml -XX:-OmitStackTraceInFastThrow --sun-misc-unsafe-memory-access=allow --enable-native-access=ALL-UNNAMED --enable-preview -jar penpot.jar -m app.main
[2026-05-21 10:28:34.576] I app.main - hint=“start nrepl server”, port=6064
[2026-05-21 10:29:10.537] W app.auth.oidc - hint=“unable to initialize auth provider”, provider=“oidc”
SUMMARY:
-> clojure.lang.ExceptionInfo: unexpected exception on configuring provider (oidc.clj:150)
-> java.net.http.HttpConnectTimeoutException: HTTP connect timed out (:-1)
-> java.net.http.HttpConnectTimeoutException: HTTP connect timed out (:-1)
-> java.net.ConnectException: HTTP connect timed out (:-1)
DETAIL:
-> clojure.lang.ExceptionInfo: unexpected exception on configuring provider (oidc.clj:150)
at: app.auth.oidc$prepare_oidc_provider.invokeStatic(oidc.clj:150)
app.auth.oidc$prepare_oidc_provider.invoke(oidc.clj:129)
app.auth.oidc$eval30612$fn__30613.invoke(oidc.clj:165)
clojure.lang.MultiFn.invoke(MultiFn.java:234)
integrant.core$try_build_action.invokeStatic(core.cljc:419)
integrant.core$try_build_action.invoke(core.cljc:418)
integrant.core$build_key.invokeStatic(core.cljc:427)
integrant.core$build_key.invoke(core.cljc:423)
clojure.core$partial$fn__5933.invoke(core.clj:2660)
clojure.core.protocols$fn__8279.invokeStatic(protocols.clj:167)
clojure.core.protocols/fn(protocols.clj:123)
clojure.core.protocols$fn__8233$G__8228__8242.invoke(protocols.clj:19)
clojure.core.protocols$seq_reduce.invokeStatic(protocols.clj:31)
clojure.core.protocols$fn__8266.invokeStatic(protocols.clj:74)
clojure.core.protocols/fn(protocols.clj:74)
clojure.core.protocols$fn__8207$G__8202__8220.invoke(protocols.clj:13)
clojure.core$reduce.invokeStatic(core.clj:6969)
clojure.core$reduce.invoke(core.clj:6951)
integrant.core$build.invokeStatic(core.cljc:453)
integrant.core$build.invoke(core.cljc:430)
integrant.core$init.invokeStatic(core.cljc:658)
integrant.core$init.invoke(core.cljc:650)
integrant.core$init.invokeStatic(core.cljc:655)
integrant.core$init.invoke(core.cljc:650)
app.main$start$fn__30239.invoke(main.clj:600)
clojure.lang.AFn.applyToHelper(AFn.java:154)
clojure.lang.AFn.applyTo(AFn.java:144)
clojure.lang.Var.alterRoot(Var.java:310)
clojure.core$alter_var_root.invokeStatic(core.clj:5567)
clojure.core$alter_var_root.doInvoke(core.clj:5562)
clojure.lang.RestFn.invoke(RestFn.java:428)
app.main$start.invokeStatic(main.clj:594)
app.main$start.invoke(main.clj:590)
app.main$_main.invokeStatic(main.clj:659)
app.main$_main.doInvoke(main.clj:652)
clojure.lang.RestFn.invoke(RestFn.java:400)
clojure.lang.AFn.applyToHelper(AFn.java:152)
clojure.lang.RestFn.applyTo(RestFn.java:135)
clojure.lang.Var.applyTo(Var.java:707)
clojure.core$apply.invokeStatic(core.clj:667)
clojure.main$main_opt.invokeStatic(main.clj:515)
clojure.main$main_opt.invoke(main.clj:511)
clojure.main$main.invokeStatic(main.clj:665)
clojure.main$main.doInvoke(main.clj:617)
clojure.lang.RestFn.applyTo(RestFn.java:140)
clojure.lang.Var.applyTo(Var.java:707)
clojure.main.main(main.java:40)
dt: {:type :invalid-sso-config, :hint "unexpected exception on configuring provider", :provider "oidc"}
The SSL Problems i have posted (and solved) here: https://community.penpot.app/t/oicd-not-configured-after-update
seems like the ssl Problem does not occur but penpot lost connection to the oidc
Could you test the OIDC discovery URL from inside the Penpot backend container and see if it times out or gives a certificate error? Last time it was a Java keystore problem, but this new log looks more like the backend cannot reach the provider.
is there a simple way to do that? there is no ping/nslookup and i also cannot use apt-get somehow
