This repository has been archived by the owner on Sep 10, 2024. It is now read-only.

Signing out from the service does not force re-logging in from the upstream IdP #1569

Open
hughns opened this issue Aug 23, 2023 · 6 comments
Labels:
  • A-Login-Flow: Related to the user login flow
  • A-Upstream-OAuth: Related to login via upstream OAuth 2.0 providers
  • O-Occasional: Affects or can be seen by some users regularly or most users rarely
  • S-Minor: Blocks non-critical functionality, workarounds exist.
  • T-Defect: Something isn't working

Comments

@hughns
Member

hughns commented Aug 23, 2023

A current experience:

Sign.Out.on.consent.behaviour.mov
@hughns
Member Author

hughns commented Aug 23, 2023

This is caused by the upstream IdP remaining signed in (rather than the sign out being propagated to it).

The fix is that when MAS re-authenticates with the upstream IdP, it sends prompt=select_account so that the upstream IdP prompts the user appropriately.

Also, change the button label to "Switch account"

@hughns hughns changed the title Unintuitive Sign Out button behaviour on consent screen Improve Sign Out button behaviour on consent screen Aug 23, 2023
@pmaier1
Collaborator

pmaier1 commented Aug 24, 2023

Please also

  • remove any references to Matrix here (e.g., "wants to access your account")
  • remove that callback link (first line) or make it more user friendly

@Johennes Johennes added Z-AirFocus Moving issues from GH to AirFocus purposefully using this tag. Z-MAS-September All the things needed for the MAS release in September and removed Z-AirFocus Moving issues from GH to AirFocus purposefully using this tag. labels Aug 24, 2023
@sandhose sandhose self-assigned this Aug 24, 2023
@Johennes Johennes removed the Z-MAS-September All the things needed for the MAS release in September label Aug 24, 2023
@sandhose
Member

Boo, Keycloak doesn't support prompt=select_account, only prompt=login, and the UI for it is quite bad :(

image

You have to click on the weird blue arrow to log out and change account.

I'll try to evaluate how much of a pain it would be to properly do RP-initiated logout instead.
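
An added example (not part of the thread and not code from matrix-authentication-service) of the two options in the comment above: picking the strongest `prompt` value the upstream IdP accepts for the re-authentication request, and building an RP-initiated logout request with `id_token_hint` and `post_logout_redirect_uri`. The `Upstream` struct, its operator-declared `supported_prompts` list, and every URL, client id and token are assumptions constructed for illustration.

```rust
// Added example; all URLs, client ids and tokens are constructed placeholders.

/// Per-provider settings (hypothetical struct; prompt support is operator-declared).
pub struct Upstream<'a> {
    pub authorization_endpoint: &'a str,
    pub end_session_endpoint: Option<&'a str>, // set if RP-initiated logout is offered
    pub client_id: &'a str,
    pub supported_prompts: &'a [&'a str],
}

/// Percent-encode a query value; RFC 3986 unreserved characters pass through.
fn enc(s: &str) -> String {
    s.bytes().map(|b| match b {
        b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'.' | b'_' | b'~' => (b as char).to_string(),
        _ => format!("%{:02X}", b),
    }).collect()
}

/// Prefer select_account; fall back to login, which forces re-authentication.
pub fn pick_prompt(up: &Upstream) -> Option<&'static str> {
    ["select_account", "login"].iter().find(|p| up.supported_prompts.contains(*p)).cloned()
}

/// Authorization request for the upstream IdP, with the best available prompt.
/// `state` and `nonce` must be fresh random values per request in real use.
pub fn authorize_url(up: &Upstream, redirect_uri: &str, state: &str, nonce: &str) -> String {
    let mut url = format!(
        "{}?response_type=code&scope=openid&client_id={}&redirect_uri={}&state={}&nonce={}",
        up.authorization_endpoint, enc(up.client_id), enc(redirect_uri), enc(state), enc(nonce));
    if let Some(p) = pick_prompt(up) { url.push_str(&format!("&prompt={}", p)); }
    url
}

/// RP-initiated logout request; None when the provider has no end_session_endpoint.
pub fn logout_url(up: &Upstream, id_token_hint: &str, post_logout_redirect_uri: &str) -> Option<String> {
    up.end_session_endpoint.map(|ep| format!(
        "{}?id_token_hint={}&post_logout_redirect_uri={}",
        ep, enc(id_token_hint), enc(post_logout_redirect_uri)))
}

fn main() {
    // Constructed provider without select_account, as the thread reports for Keycloak.
    let idp = Upstream { authorization_endpoint: "https://idp.example/auth",
        end_session_endpoint: Some("https://idp.example/logout"),
        client_id: "mas-client", supported_prompts: &["none", "login"] };
    println!("{}", authorize_url(&idp, "https://mas.example/callback", "state123", "nonce456"));
    println!("{:?}", logout_url(&idp, "ID_TOKEN_PLACEHOLDER", "https://mas.example/"));
}
```

With neither prompt value available, `authorize_url` omits `prompt` entirely, and the upstream session is reused silently unless `logout_url` is used to end it first.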

@pmaier1
Collaborator

pmaier1 commented Aug 31, 2023

Alternative: Remove "sign out" button and improve it for a further release.

@sandhose sandhose changed the title Improve Sign Out button behaviour on consent screen Signing out from the service does not force re-logging in from the upstream IdP Oct 11, 2023
@sandhose sandhose added T-Defect Something isn't working A-Login-Flow Related to the user login flow A-Upstream-OAuth Related to login via upstream OAuth 2.0 providers O-Occasional Affects or can be seen by some users regularly or most users rarely S-Minor Blocks non-critical functionality, workarounds exist. labels Oct 11, 2023
@wrjlewis
Contributor

mas.logout.mov

This is still the case today ^

@matrixbot
Member

For your information, this issue has been copied over to the Element fork of matrix-authentication-service: element-hq/matrix-authentication-service#1569
