Zum Hauptinhalt springen

Login & Authentication Troubleshooting

Can't log in — "Invalid credentials"

With built-in IdP:

  • Verify you're using the correct tenant identifier, email, and password.
  • Passwords are case-sensitive and must be at least 10 characters.
  • If your password was recently reset by an admin, you may need to use the temporary password and then set a new one.

With external OIDC:

  • Verify your IdP is reachable from the Atrium server.
  • Check that the user's email in the IdP matches a user record in Atrium. OIDC login requires a pre-existing Atrium user with the same email.
  • Verify the OIDC client ID, client secret, and issuer URL in Atrium's settings.

Logged out unexpectedly

Access tokens expire after 15 minutes. The application refreshes them automatically using the refresh token (valid for 7 days). If you're logged out unexpectedly:

  • Refresh token expired: You've been inactive for more than 7 days. Log in again.
  • JWT signing key rotated: If the admin rotated the JWT signing key, existing tokens become invalid. Log in again.
  • Browser cleared cookies/storage: The token is stored in the browser. Clearing site data logs you out.

"Must change password" prompt

This appears when your account has the must_change_password flag set — typically after an admin-initiated password reset. Enter your current (temporary) password and choose a new one. This is a one-time requirement.

OIDC redirect loop

If you're stuck in a redirect loop between Atrium and your IdP:

  1. Clear your browser cookies for both the Atrium domain and the IdP domain.
  2. Verify the OIDC redirect URI configured in your IdP matches https://<your-atrium-domain>/api/v1/auth/oidc/callback exactly.
  3. Check that the OIDC client in your IdP has the correct scopes (typically openid, profile, email).

Kiosk won't authenticate

If the kiosk shows the setup screen instead of the standby screen:

  • The device token may have expired (after ~1 year) or been revoked.
  • Re-pair the kiosk by logging in with admin credentials and selecting the site.
  • Check the dashboard for the kiosk's device status.