Fixup version in changelog

we generate a dynamic password because users might forget to change the admin password (with the oidc login being so click friendly)

CHANGELOG

@@ -2194,3 +2194,196 @@ Improve replication performance. See (#12080, #12054, #12009) for more details.
 * server-info: Avoid initializing audit/log http/kafka targets by @vadmeste in https://github.com/minio/minio/pull/18703
 * Fix precendence bug in S3Select SQL IN clauses by @donatello in https://github.com/minio/minio/pull/18708
 
+[3.12.0]
+* Update minio to 2024-01-01T16-36-33Z
+* [Changelog](https://github.com/minio/minio/releases/tag/RELEASE.2024-01-01T16-36-33Z)
+* A significant performance improvement feature to optimize ListObjects() is part of this release.
+* New console HTTP security headers are fully customizable now for specific needs, refer #18631
+
+[3.12.1]
+* Update minio to 2024-01-05T22-17-24Z
+* [Changelog](https://github.com/minio/minio/releases/tag/RELEASE.2024-01-05T22-17-24Z)
+* Added list of scanner metrics to document by @shtripat in #18731
+* scanner: Allow full throttle if there is no parallel disk ops by @vadmeste in #18109
+* fix: an odd crash when deleting null DEL markers by @harshavardhana in #18727
+* prom: Add read quorum per erasure set metric by @vadmeste in #18736
+* scanner: Add a config to disable short sleep between objects scan by @vadmeste in #18734
+* NEW API: GetObjectAttributes by @zveinn in #18732
+
+[3.12.2]
+* Update minio to 2024-01-11T07-46-16Z
+* [Changelog](https://github.com/minio/minio/releases/tag/RELEASE.2024-01-11T07-46-16Z)
+
+[3.12.3]
+* Update minio to 2024-01-13T07-53-03Z
+* [Changelog](https://github.com/minio/minio/releases/tag/RELEASE.2024-01-13T07-53-03Z)
+* Verify that remote target bucket is on MinIO server for bucket replication by @taran-p in https://github.com/minio/minio/pull/18656
+* avoid disk monitoring leaks under various conditions by @harshavardhana in https://github.com/minio/minio/pull/18777
+* xl: Remove wrong wording for errCorruptedFormat by @vadmeste in https://github.com/minio/minio/pull/18775
+* Add more size intervals to obj size histogram by @krisis in https://github.com/minio/minio/pull/18772
+* support proxying of tagging requests in replication by @poornas in https://github.com/minio/minio/pull/18649
+* treat all localhost endpoints as local setup with same port by @harshavardhana in https://github.com/minio/minio/pull/18784
+
+[3.12.4]
+* Update minio to 2024-01-16T16-07-38Z
+* [Changelog](https://github.com/minio/minio/releases/tag/RELEASE.2024-01-16T16-07-38Z)
+* fix: listing SSE encrypted multipart objects by @harshavardhana in https://github.com/minio/minio/pull/18786
+* adding a missing return case to fix GetObjectTagging by @zveinn in https://github.com/minio/minio/pull/18793
+* xl-meta: Clean output by @klauspost in https://github.com/minio/minio/pull/18794
+
+[3.12.5]
+* Update minio to 2024-01-18T22-51-28Z
+* [Changelog](https://github.com/minio/minio/releases/tag/RELEASE.2024-01-18T22-51-28Z)
+* reject reference format from a different deployment by @harshavardhana in #18800
+* fix: a typo in storeDataUsageInBackend() comment by @chienguo in #18778
+* Deallocate huge read buffers by @klauspost in #18813
+* fix: HealBucket regression for empty buckets, simplify it by @harshavardhana in #18815
+* Fix mini typo by @fwessels in #18816
+
+[3.12.6]
+* Update minio to 2024-01-29T03-56-32Z
+* [Changelog](https://github.com/minio/minio/releases/tag/RELEASE.2024-01-29T03-56-32Z)
+* Fixes an ugly issue with runtime debug stack excessive logging regression
+* avoid calling close for nil inbound/outblock channels (3 hours ago)
+* remove getReplicationNodeMetrics() from peer metrics groups (4 hours ago)
+
+[3.12.7]
+* Update minio to 2024-01-31T20-20-33Z
+* [Changelog](https://github.com/minio/minio/releases/tag/RELEASE.2024-01-31T20-20-33Z)
+* This release fixes a security issue related to service accounts and their permissions for more details
+* Performance improvement for large clusters with high IOPs requirements.
+* fix: bucket metric of data usage for replication info will be ignore by @jiuker in https://github.com/minio/minio/pull/18895
+* fix metrics panic in node metrics endpoint by @poornas in https://github.com/minio/minio/pull/18894
+* Update list.md by @dvaldivia in https://github.com/minio/minio/pull/18907
+* allow configuring maximum idle connections per host by @harshavardhana in https://github.com/minio/minio/pull/18908
+* enable xattr capture by default by @harshavardhana in https://github.com/minio/minio/pull/18911
+* reuse transports for callhome and remote tgt validation by @poornas in https://github.com/minio/minio/pull/18912
+* exclude veeam virtual objects from replication by @poornas in https://github.com/minio/minio/pull/18918
+* Add cgroup v2 support for memory limit by @vadmeste in https://github.com/minio/minio/pull/18905
+* remove checkBucketExist check entirely to avoid fan-out calls by @harshavardhana in https://github.com/minio/minio/pull/18917
+* Improve tracing & notification scalability by @klauspost in https://github.com/minio/minio/pull/18903
+* use all the available nr_requests for NVMe by @harshavardhana in https://github.com/minio/minio/pull/18920
+* add total usable capacity, free and used to DataUsageInfo() by @harshavardhana in https://github.com/minio/minio/pull/18921
+* remove all the frivolous logs, that may or may not be actionable by @harshavardhana in https://github.com/minio/minio/pull/18922
+* Update service file version in makefile by @donatello in https://github.com/minio/minio/pull/18925
+* Correct small typo by @fwessels in https://github.com/minio/minio/pull/18923
+* fix: permission checks for editing access keys by @donatello in https://github.com/minio/minio/pull/18928
+* Keep ServiceV1 admin stop/restart API and mark as deprecated by @vadmeste in https://github.com/minio/minio/pull/18932
+
+[3.12.8]
+* Update minio to 2024-02-04T22-36-13Z
+* [Changelog](https://github.com/minio/minio/releases/tag/RELEASE.2024-02-04T22-36-13Z)
+* move a collection of peer APIs to websockets by @harshavardhana in https://github.com/minio/minio/pull/18936
+* Improve object reuse for grid messages by @klauspost in https://github.com/minio/minio/pull/18940
+* batch: Fix a typo while validating smallerThan field by @vadmeste in https://github.com/minio/minio/pull/18942
+* fix: null inline policy handling for access keys by @donatello in https://github.com/minio/minio/pull/18945
+* log: Use error log type instead of Application/MinIO type by @vadmeste in https://github.com/minio/minio/pull/18930
+* Fix some leftover issues from PR 18936 by @fwessels in https://github.com/minio/minio/pull/18946
+* simplify deadlineWriter, re-use WithDeadline by @harshavardhana in https://github.com/minio/minio/pull/18948
+* Fix ineffective recycling by @klauspost in https://github.com/minio/minio/pull/18952
+* deprecate disk tokens, instead rely on deadlines and active monitoring by @harshavardhana in https://github.com/minio/minio/pull/18947
+* move Make,Delete,Head,Heal bucket calls to websockets by @harshavardhana in https://github.com/minio/minio/pull/18951
+* Fix mux client memory leak by @klauspost in https://github.com/minio/minio/pull/18956
+* disconnected returns, an unexpected error to List() returning 500s by @harshavardhana in https://github.com/minio/minio/pull/18959
+* xl: Disable rename2 in decommissioning/rebalance by @vadmeste in https://github.com/minio/minio/pull/18964
+* Fix typo in api-router.go by @fwessels in https://github.com/minio/minio/pull/18955
+* Add more advanced cases for dangling by @harshavardhana in https://github.com/minio/minio/pull/18968
+
+[3.12.9]
+* Update minio to 2024-02-06T21-36-22Z
+* [Changelog](https://github.com/minio/minio/releases/tag/RELEASE.2024-02-06T21-36-22Z)
+* Fixes a second memory leak observed in ReadVersion without data that uses websockets layer.
+* Fixes a crash while running mc admin trace on a distributed setup.
+* Fixes TCP socket hangs by adding short deadlines.
+
+[3.12.10]
+* Update minio to 2024-02-09T21-25-16Z
+* [Changelog](https://github.com/minio/minio/releases/tag/RELEASE.2024-02-09T21-25-16Z)
+* do not block iam.store registration by @harshavardhana in https://github.com/minio/minio/pull/18999
+* listing must return WalkDir() errors first by @harshavardhana in https://github.com/minio/minio/pull/19006
+* Add GetBucketInfo toStorageErr conversion by @klauspost in https://github.com/minio/minio/pull/19005
+* fix: skip policy usage validation for cache update by @donatello in https://github.com/minio/minio/pull/19008
+* Update IAM access manager plugin demo by @donatello in https://github.com/minio/minio/pull/19007
+* Fix blocked streams blocking reconnects by @klauspost in https://github.com/minio/minio/pull/19017
+* optimize startup sequence performance by @harshavardhana in https://github.com/minio/minio/pull/19009
+* Fix shared top locks client by @klauspost in https://github.com/minio/minio/pull/19018
+* fix: dangling objects honor parityBlocks instead of dataBlocks by @harshavardhana in https://github.com/minio/minio/pull/19019
+* remove unnecessary metrics in 'mc admin info' output by @harshavardhana in https://github.com/minio/minio/pull/19020
+* Add extra disconnect safety by @klauspost in https://github.com/minio/minio/pull/19022
+* introduce reader deadlines for net.Conn by @harshavardhana in https://github.com/minio/minio/pull/19023
+
+[3.12.11]
+* Update minio to 2024-02-12T21-02-27Z
+* [Changelog](https://github.com/minio/minio/releases/tag/RELEASE.2024-02-12T21-02-27Z)
+* avoid excessive logging for objects that do not exist by @harshavardhana in https://github.com/minio/minio/pull/19030
+* Fix panic in tagging request proxying by @poornas in https://github.com/minio/minio/pull/19032
+* do not have to use the same distributionAlgo as first pool by @harshavardhana in https://github.com/minio/minio/pull/19031
+* fix: allow configuring excess versions alerting by @harshavardhana in https://github.com/minio/minio/pull/19028
+* preserve conflicting objects when parent object is being deleted by @harshavardhana in https://github.com/minio/minio/pull/19034
+* Convert service account add/update expiration to cond values by @vadmeste in https://github.com/minio/minio/pull/19024
+* relax pre-emptive GetBucketInfo() for multi-object delete by @harshavardhana in https://github.com/minio/minio/pull/19035
+* honor replaced disk properly by updating globalLocalDrives by @harshavardhana in https://github.com/minio/minio/pull/19038
+* metrics: fix typo in namespace for proxy tagging metric by @poornas in https://github.com/minio/minio/pull/19039
+
+[3.12.12]
+* Update minio to 2024-02-13T15-35-11Z
+* [Changelog](https://github.com/minio/minio/releases/tag/RELEASE.2024-02-13T15-35-11Z)
+* FIx unexpected behavior when creating service account by @taran-p in https://github.com/minio/minio/pull/19036
+* sts: Add test for DurationSeconds condition by @vadmeste in https://github.com/minio/minio/pull/19044
+* add missing handler for reloading site replication config on peers by @harshavardhana in https://github.com/minio/minio/pull/19042
+* fix: update batch replication stats for snowball uploads by @Praveenrajmani in https://github.com/minio/minio/pull/19045
+* Send a bucket notification event on DeleteObject() for non-existing object by @Praveenrajmani in https://github.com/minio/minio/pull/19037
+* fix incorrect disk io stats in k8s environment by @anjalshireesh in https://github.com/minio/minio/pull/19016
+
+[3.12.13]
+* Update minio to 2024-02-14T21-36-02Z
+* [Changelog](https://github.com/minio/minio/releases/tag/RELEASE.2024-02-14T21-36-02Z)
+
+[3.12.14]
+* Update minio to 2024-02-17T01-15-57Z
+* [Changelog](https://github.com/minio/minio/releases/tag/RELEASE.2024-02-17T01-15-57Z)
+
+[3.13.0]
+* Implement OIDC authentication
+
+[3.13.1]
+* Update minio to 2024-02-26T09-33-48Z 
+* [Changelog](https://github.com/minio/minio/releases/tag/RELEASE.2024-02-26T09-33-48Z)
+* fix: crash in ResourceMetrics RPC handling concurrent writers by @harshavardhana in https://github.com/minio/minio/pull/19123
+* fix: re-arrange console-sys to log properly in k8s/docker by @harshavardhana in https://github.com/minio/minio/pull/19129
+
+[3.13.2]
+* Update minio to 2024-03-03T17-50-39Z
+* [Changelog](https://github.com/minio/minio/releases/tag/RELEASE.2024-03-03T17-50-39Z)
+* Major performance improvement on total connection usage and de-duplicate ILM entries refer #18926
+* Major performance improvement for Listing() to avoid readdir() under situations for directory lookups refer #19100
+* Read drive IO stats from sysfs instead of procfs by @Praveenrajmani in #19131
+* ilm: Select an object when all AND tags are satisfied by @vadmeste in #19134
+* remove unnecessary 'recreate' code by @harshavardhana in #19136
+* feat: add userCredentials for nats by @jiuker in #19139
+
+[3.13.3]
+* Update minio to 2024-03-05T04-48-44Z
+* [Changelog](https://github.com/minio/minio/releases/tag/RELEASE.2024-03-05T04-48-44Z)
+* fix: healthcheck to fail even if one erasure set doesn't have quorum by @Praveenrajmani in #19180
+* Add common middleware to S3 API handlers by @donatello in #19171
+* fix: nLink is unreliable on all filesystems by @harshavardhana in #19187
+* Fix ilm config at startup by @krisis in #19189
+* fix: skip local disks properly in cluster health maintenance check by @harshavardhana in #19184
+
+[3.13.4]
+* Update minio to 2024-03-07T00-43-48Z
+* [Changelog](https://github.com/minio/minio/releases/tag/RELEASE.2024-03-07T00-43-48Z)
+* fix: cluster read health check to return proper values by @Praveenrajmani in #19203
+* fix: a regression in loading replication creds by @harshavardhana in #19204
+* fix: go mod update v1.33.0 https://pkg.go.dev/vuln/GO-2024-2611 by @harshavardhana in #19208
+* bucket import: avoid overwriting bucket creation date by @poornas in #19207
+* Set expected expiry date for ExpiredObjectAllVersions by @krisis in #19210
+
+[3.13.5]
+* Update minio to 2024-03-10T02-53-48Z
+* [Changelog](https://github.com/minio/minio/releases/tag/RELEASE.2024-03-10T02-53-48Z)
+* make immediate purge non-blocking up to 100,000 entries per drive (#19231)
+* make immediate purge non-blocking upto 100000 entries per drive
+* Bonus: turn-off O_DIRECT verification when FSType is 'XFS'
+

CloudronManifest.json

@@ -5,10 +5,10 @@
   "description": "file://DESCRIPTION.md",
   "changelog": "file://CHANGELOG",
   "tagline": "Distributed object storage",
-  "version": "3.11.4",
-  "upstreamVersion": "2023-12-23T07-19-11Z",
+  "version": "3.13.5",
+  "upstreamVersion": "2024-03-10T02-53-48Z",
   "healthCheckPath": "/minio/login",
-  "memoryLimit": 805306368,
+  "memoryLimit": 2147483648,
   "httpPort": 8000,
   "httpPorts": {
     "API_SERVER_DOMAIN": {
@@ -19,8 +19,10 @@
     }
   },
   "addons": {
-    "localstorage": {}
+    "localstorage": {},
+    "oidc": { "loginRedirectUri": "/oauth_callback" }
   },
+  "optionalSso": true,
   "manifestVersion": 2,
   "website": "http://www.minio.io",
   "minBoxVersion": "7.1.2",

Dockerfile

@@ -3,7 +3,7 @@ FROM cloudron/base:4.2.0@sha256:46da2fffb36353ef714f97ae8e962bd2c212ca091108d768
 RUN mkdir -p /app/code
 WORKDIR /app/code
 
-ARG VERSION=RELEASE.2023-12-23T07-19-11Z 
+ARG VERSION=RELEASE.2024-03-10T02-53-48Z
 
 # sometimes here https://dl.min.io/server/minio/release/linux-amd64/archive/
 # RUN wget https://dl.min.io/server/minio/release/linux-amd64/minio.${VERSION} -O /app/code/minio && chmod +x /app/code/minio
@@ -11,6 +11,6 @@ RUN wget https://dl.min.io/server/minio/release/linux-amd64/archive/minio.${VERS
 # https://dl.min.io/client/mc/release/linux-amd64/
 RUN wget https://dl.min.io/client/mc/release/linux-amd64/mc -O /app/code/mc && chmod +x /app/code/mc
 
-COPY env.sh start.sh /app/code/
+COPY env.sh.template start.sh /app/code/
 
 CMD [ "/app/code/start.sh" ]

POSTINSTALL.md

@@ -1,7 +1,19 @@
+<nosso>
 Please use the following credentials to login:
 
 **Username**: minioadmin<br/>
 **Password**: minioadmin<br/>
 
 Please change the credentials immediately by following this [guide](https://cloudron.io/documentation/apps/minio/#admin-credentials).
+</nosso>
 
+<sso>
+
+Please use the following credentials to login via 'Other Authentication Methods' -> 'Use Credentials':
+
+**Username**: minioadmin<br/>
+**Password**: See `MINIO_ROOT_PASSWORD` in `/app/data/env.sh` <a href="/frontend/filemanager.html#/viewer/app/$CLOUDRON-APP-ID/env.sh">Open File Manager</a><br/>
+
+Cloudron users have `readwrite` access policy. See the [docs](https://cloudron.io/documentation/apps/minio/#admin-credentials) on how to change it.
+
+</nosso>

env.sh

@@ -1,9 +0,0 @@
-# Add custom minio configuration to this file. Restart the app for changes to take effect.
-
-export CLOUDRON_MINIO_STARTUP_ARGS='server /app/data/data'
-
-# See https://docs.min.io/minio/baremetal/reference/minio-server/minio-server.html#envvar.MINIO_ROOT_USER
-# You can use pwgen -1s 64 to generate usernames and passwords
-export MINIO_ROOT_USER=minioadmin
-export MINIO_ROOT_PASSWORD=minioadmin
-

env.sh.template

@@ -0,0 +1,4 @@
+# Add custom minio configuration to this file. Restart the app for changes to take effect.
+
+export CLOUDRON_MINIO_STARTUP_ARGS='server /app/data/data'
+

start.sh

@@ -5,7 +5,18 @@ set -eu
 mkdir -p /app/data/data /run/minio/config /run/minio/certs
 
 # env vars take precedence over config.yaml (https://github.com/minio/minio/blob/master/docs/distributed/CONFIG.md#things-to-know)
-[[ ! -f /app/data/env.sh ]] && cp /app/code/env.sh /app/data/env.sh
+if [[ ! -f /app/data/env.sh ]]; then
+    echo "=> First run"
+    cp /app/code/env.sh.template /app/data/env.sh
+    # minio does not show the password login by default when OIDC is setup (https://github.com/minio/minio/discussions/16928)
+    # we generate a dynamic password because users might forget to change the admin password (with the oidc login being so click friendly)
+    if [[ -n "${CLOUDRON_OIDC_ISSUER:-}" ]]; then
+        echo -e "export MINIO_ROOT_USER=minioadmin\nexport MINIO_ROOT_PASSWORD=$(pwgen -1s 20)\n\n" >> /app/data/env.sh
+    else
+        echo -e "export MINIO_ROOT_USER=minioadmin\nexport MINIO_ROOT_PASSWORD=minioadmin\n\n" >> /app/data/env.sh
+    fi
+fi
+
 source /app/data/env.sh
 
 # https://docs.min.io/minio/baremetal/reference/minio-server/minio-server.html#envvar.MINIO_SERVER_URL
@@ -17,6 +28,19 @@ if [[ ! -d /app/data/mc_config ]]; then
     /app/code/mc --config-dir /app/data/mc_config &> /dev/null || true
 fi
 
+if [[ -n "${CLOUDRON_OIDC_ISSUER:-}" ]]; then
+    export MINIO_IDENTITY_OPENID_DISPLAY_NAME="Cloudron"
+    export MINIO_IDENTITY_OPENID_CONFIG_URL="${CLOUDRON_OIDC_DISCOVERY_URL}"
+    export MINIO_IDENTITY_OPENID_CLIENT_ID="${CLOUDRON_OIDC_CLIENT_ID}"
+    export MINIO_IDENTITY_OPENID_CLIENT_SECRET="${CLOUDRON_OIDC_CLIENT_SECRET}"
+    export MINIO_IDENTITY_OPENID_SCOPES="openid profile email"
+    if [[ -z "${MINIO_IDENTITY_OPENID_ROLE_POLICY:-}" ]]; then
+        export MINIO_IDENTITY_OPENID_ROLE_POLICY="readwrite"
+    fi
+
+    export MINIO_IDENTITY_OPENID_COMMENT="Cloudron OIDC"
+fi
+
 # minio is used for backups at times and has a large number of files. optimize by checking if files are actually in correct chown state
 echo "==> Changing ownership"
 [[ $(stat --format '%U' /app/data/data) != "cloudron" ]] && chown -R cloudron:cloudron /app/data

test/package.json

@@ -9,10 +9,10 @@
   "author": "",
   "license": "ISC",
   "dependencies": {
-    "chromedriver": "^120.0.1",
+    "chromedriver": "^122.0.4",
     "expect.js": "^0.3.1",
-    "mocha": "^10.2.0",
-    "selenium-webdriver": "^4.16.0",
+    "mocha": "^10.3.0",
+    "selenium-webdriver": "^4.18.1",
     "superagent": "^8.1.2"
   }
 }

test/test.js

@@ -20,15 +20,23 @@ const execSync = require('child_process').execSync,
     { Builder, By, until } = require('selenium-webdriver'),
     { Options } = require('selenium-webdriver/chrome');
 
+if (!process.env.USERNAME || !process.env.PASSWORD) {
+    console.log('USERNAME and PASSWORD env vars need to be set');
+    process.exit(1);
+}
+
 describe('Application life cycle test', function () {
     this.timeout(0);
 
     const LOCATION = 'test';
-    const TEST_TIMEOUT = 30000;
+    const TEST_TIMEOUT = parseInt(process.env.TIMEOUT, 10) || 30000;
     const BUCKET = 'cloudrontestbucket';
     const EXEC_ARGS = { cwd: path.resolve(__dirname, '..'), stdio: 'inherit' };
 
     let browser, app;
+    let athenticated_by_oidc = false, rootPassword;
+    let username = process.env.USERNAME;
+    let password = process.env.PASSWORD;
 
     before(function () {
         browser = new Builder().forBrowser('chrome').setChromeOptions(new Options().windowSize({ width: 1280, height: 1024 })).build();
@@ -49,23 +57,58 @@ describe('Application life cycle test', function () {
         expect(app).to.be.an('object');
     }
 
-    async function login(accessKey='minioadmin', secretKey='minioadmin') {
+    async function login(username, password, expandLoginForm=true) {
+        await browser.manage().deleteAllCookies();
+        await browser.get('about:blank');
+        await browser.sleep(2000);
         await browser.get(`https://${app.fqdn}/login`);
+        await browser.sleep(2000);
+
+        if (expandLoginForm) {
+            await waitForElement(By.xpath('//div[@id="alternativeMethods-select"]/div[contains(., "Other Authentication Methods")]'));
+            await browser.findElement(By.xpath('//div[@id="alternativeMethods-select"]/div[contains(., "Other Authentication Methods")]')).click();
+            await browser.sleep(2000);
+            await browser.findElement(By.xpath('//li[contains(., "Use Credentials")] | //div[@label="Use Credentials"]')).click();
+            await browser.sleep(2000);
+        }
         await waitForElement(By.id('accessKey'));
-        await browser.findElement(By.id('accessKey')).sendKeys(accessKey);
-        await browser.findElement(By.id('secretKey')).sendKeys(secretKey);
+        await browser.findElement(By.id('accessKey')).sendKeys(username);
+        await browser.findElement(By.id('secretKey')).sendKeys(password);
         await browser.findElement(By.xpath('//button[@id="do-login"]')).click();
         await waitForElement(By.xpath('//span[contains(text(), "Buckets")]'));
         await timers.setTimeout(5000);
     }
 
+    async function loginOIDC(username, password) {
+        browser.manage().deleteAllCookies();
+        await browser.get(`https://${app.fqdn}/login`);
+        await browser.sleep(10000);
+
+        await browser.findElement(By.xpath('//button[contains(., "Cloudron")]')).click();
+        await browser.sleep(10000);
+
+        if (!athenticated_by_oidc) {
+            await waitForElement(By.xpath('//input[@name="username"]'));
+            await browser.findElement(By.xpath('//input[@name="username"]')).sendKeys(username);
+            await browser.findElement(By.xpath('//input[@name="password"]')).sendKeys(password);
+            await browser.sleep(2000);
+            await browser.findElement(By.id('loginSubmitButton')).click();
+            await browser.sleep(2000);
+
+            athenticated_by_oidc = true;
+        }
+
+        await waitForElement(By.xpath('//span[contains(text(), "Buckets")]'));
+    }
+
     async function logout() {
         await browser.get(`https://${app.fqdn}/`);
         await waitForElement(By.xpath('//span[contains(text(), "Buckets")]'));
         const button = await browser.findElement(By.xpath('//button[@id="sign-out"]'));
         await browser.executeScript('arguments[0].scrollIntoView(false)', button);
         await button.click();
-        await waitForElement(By.id('accessKey'));
+        await browser.sleep(10000); // needed!
+        await waitForElement(By.xpath('//*[@id="accessKey"] | //button[contains(., "Cloudron")]'));
     }
 
     async function addBucket() {
@@ -96,38 +139,87 @@ describe('Application life cycle test', function () {
         expect(response.body.toString('utf8')).to.contain('<Code>AccessDenied</Code>');
     }
 
+    async function changeAdminCredentials() {
+        let data = fs.readFileSync(path.join(__dirname, '../env.sh.template'), 'utf8');
+        data += '\nexport MINIO_ROOT_USER=minioakey\nexport MINIO_ROOT_PASSWORD=minioskey\n';
+        fs.writeFileSync('/tmp/env.sh', data);
+        execSync(`cloudron push --app ${app.id} /tmp/env.sh /app/data/env.sh`, EXEC_ARGS);
+        execSync(`cloudron restart --app ${app.id}`, EXEC_ARGS);
+        await timers.setTimeout(10000);
+    }
+
+    async function getAdminCredentials() {
+        execSync(`cloudron pull --app ${app.id} /app/data/env.sh /tmp/env.sh`, EXEC_ARGS);
+        const data = fs.readFileSync('/tmp/env.sh', 'utf8');
+        const m = data.match(/MINIO_ROOT_PASSWORD=(.*)/);
+        if (!m) throw new Error('Could not detect root password');
+        rootPassword = m[1].trim();
+        console.log(`root password is [${rootPassword}]`);
+    }
+
     xit('build app', function () { execSync('cloudron build', EXEC_ARGS); });
-    it('install app', async function () {
-        execSync(`cloudron install --location ${LOCATION} --secondary-domains API_SERVER_DOMAIN=${LOCATION}-api`, EXEC_ARGS);
+
+    // // no SSO
+    it('install app (no SSO)', async function () {
+        execSync(`cloudron install --no-sso --location ${LOCATION} --secondary-domains API_SERVER_DOMAIN=${LOCATION}-api`, EXEC_ARGS);
         await timers.setTimeout(10000);
     });
 
     it('can get app information', getAppInfo);
 
-    it('can login', login.bind(null, 'minioadmin', 'minioadmin'));
+    it('can admin login', login.bind(null, 'minioadmin', 'minioadmin', false));
     it('can add bucket', addBucket);
     it('can logout', logout);
     it('does redirect', checkRedirect);
     it('check api', checkApi);
 
-    it('can change credentials', async function () {
-        let data = fs.readFileSync(path.join(__dirname, '../env.sh'), 'utf8');
-        data = data
-            .replace(/MINIO_ROOT_USER=.*/, 'MINIO_ROOT_USER=minioakey')
-            .replace(/MINIO_ROOT_PASSWORD=.*/, 'MINIO_ROOT_PASSWORD=minioskey');
-        fs.writeFileSync('/tmp/env.sh', data);
-        execSync(`cloudron push --app ${app.id} /tmp/env.sh /app/data/env.sh`, EXEC_ARGS);
+    it('can change admin credentials', changeAdminCredentials);
+    it('can restart app', async function () {
         execSync(`cloudron restart --app ${app.id}`, EXEC_ARGS);
         await timers.setTimeout(10000);
     });
 
-    it('can restart app', function () { execSync(`cloudron restart --app ${app.id}`, EXEC_ARGS); });
-
-    it('can login', login.bind(null, 'minioakey', 'minioskey'));
+    it('can admin login', login.bind(null, 'minioakey', 'minioskey', false));
     it('has bucket', checkBucket);
     it('can logout', logout);
     it('does redirect', checkRedirect);
     it('check api', checkApi);
+    it('uninstall app', function () { execSync('cloudron uninstall --app ' + app.id, EXEC_ARGS); });
+
+    // SSO
+    it('install app (SSO)', async function () {
+        execSync(`cloudron install --location ${LOCATION} --secondary-domains API_SERVER_DOMAIN=${LOCATION}-api`, EXEC_ARGS);
+        await timers.setTimeout(10000);
+    });
+
+    it('can get app information', getAppInfo);
+    it('can get admin credentials', getAdminCredentials);
+    it('can admin login', async function () { await login('minioadmin', rootPassword); });
+    it('can add bucket', addBucket);
+    it('can logout', logout);
+    it('does redirect', checkRedirect);
+    it('check api', checkApi);
+
+    it('can OIDC login', loginOIDC.bind(null, username, password));
+    it('has bucket', checkBucket);
+    it('can logout', logout);
+
+    it('can change admin credentials', changeAdminCredentials);
+
+    it('can restart app', async function () {
+        execSync(`cloudron restart --app ${app.id}`, EXEC_ARGS);
+        await timers.setTimeout(10000);
+    });
+
+    it('can admin login', login.bind(null, 'minioakey', 'minioskey'));
+    it('has bucket', checkBucket);
+    it('can logout', logout);
+    it('does redirect', checkRedirect);
+    it('check api', checkApi);
+
+    it('can OIDC login', loginOIDC.bind(null, username, password));
+    it('has bucket', checkBucket);
+    it('can logout', logout);
 
     it('backup app', function () { execSync('cloudron backup create --app ' + app.id, EXEC_ARGS); });
     it('restore app', async function () {
@@ -139,9 +231,15 @@ describe('Application life cycle test', function () {
         await timers.setTimeout(10000);
     });
 
-    it('can login', login.bind(null, 'minioakey', 'minioskey'));
+    it('can get app information', getAppInfo);
+    it('can admin login', login.bind(null, 'minioakey', 'minioskey'));
     it('has bucket', checkBucket);
     it('can logout', logout);
+
+    it('can OIDC login', loginOIDC.bind(null, username, password));
+    it('has bucket', checkBucket);
+    it('can logout', logout);
+
     it('does redirect', checkRedirect);
     it('check api', checkApi);
 
@@ -152,28 +250,44 @@ describe('Application life cycle test', function () {
     });
     it('can get app information', getAppInfo);
 
-    it('can login', login.bind(null, 'minioakey', 'minioskey'));
+    it('can admin login', login.bind(null, 'minioakey', 'minioskey'));
     it('has bucket', checkBucket);
     it('can logout', logout);
+
+    it('can OIDC login', loginOIDC.bind(null, username, password));
+    it('has bucket', checkBucket);
+    it('can logout', logout);
+
     it('does redirect', checkRedirect);
     it('check api', checkApi);
 
     it('uninstall app', function () { execSync('cloudron uninstall --app ' + app.id, EXEC_ARGS); });
 
     // test update
-    it('can install app', function () { execSync('cloudron install --appstore-id io.minio.cloudronapp --location ' + LOCATION, EXEC_ARGS); });
+    it('can install app for update', function () { execSync('cloudron install --appstore-id io.minio.cloudronapp --location ' + LOCATION, EXEC_ARGS); });
     it('can get app information', getAppInfo);
 
-    it('can login', login.bind(null, 'minioadmin', 'minioadmin'));
+    it('can get admin credentials', getAdminCredentials);
+    it('can admin login', async function () { await login('minioadmin', rootPassword); });
     it('can add buckets', addBucket);
     it('can logout', logout);
+
+    it('can OIDC login', loginOIDC.bind(null, username, password));
+    it('has bucket', checkBucket);
+    it('can logout', logout);
+
     it('can update', function () { execSync(`cloudron update --app ${LOCATION}`, EXEC_ARGS); });
     it('can configure', function () { execSync(`cloudron configure --app ${LOCATION} --location ${LOCATION} --secondary-domains API_SERVER_DOMAIN=${LOCATION}-api`, EXEC_ARGS); });
     it('can get app information', getAppInfo);
 
-    it('can login', login.bind(null, 'minioadmin', 'minioadmin'));
+    it('can admin login', async function () { await login('minioadmin', rootPassword); });
     it('has bucket', checkBucket);
     it('can logout', logout);
+
+    it('can OIDC login', loginOIDC.bind(null, username, password));
+    it('has bucket', checkBucket);
+    it('can logout', logout);
+
     it('does redirect', checkRedirect);
     it('check api', checkApi);