logging in to github with an LDAP email = endless loop

[gdestuynder]

1. have an LDAP account eg [email protected]
2. login to github with a github account that has the same primary email as your LDAP account eg [email protected]
3. after the login finishes you'll be told that you must login with your LDAP account
4. go back, auto-login to github kicks in, told to login to your LDAP account

the only way to get out of this situation is to clear localstorage for the auth0 domain, which is quite bad

[gdestuynder]

While I suspect we don't currently/yet get what login method is to be used for a user for PersonAPI, and even if we did, there's always a possible loop scenario, we should add a fail-safe condition, such as:

• store timestamp, counter in localStorage just before login process starts
• increment counter by 1 if last timestamp < 60s (arbitrary time interval here, it could be slightly less/more)
• during next call to auto-login, if timestamp < 60s && counter > 3, cancel auto-login

[hidde]

I've given this some thought. In NLX 1.2.0, this can be resolved by (auto)logging in to SSO Dashboard and then using the updated logout functionality, as that will clear localStorage.

I would like to propose that that solves this issue and leave the proposed timestamp/counter solution as it is quite arbitrary and difficult to discover for users.

[gdestuynder]

The timestamp/counter is not a user-visible-feature. It's a layer of defense against random implementation issues, ie if there are problems that we somehow did not otherwise catch, or web browser issues, or the users not being aware of how to log out - it would always catch these.

Think of it as a "UX fail-over/safety mechanism"

./cc @m-branson

[hidde]

@viorelaioia also noted that of course that updated logout is not going to solve this particular issue, as users encountering it wouldn't get into SSO Dashboard.

I will add this, it will not be ready, tested and shipped with this week's release, still planning on fixing it this week.

[freaktechnik]

Why not just force-disable auto-login when you press "go back" from the error that prompts you to use LDAP? The go back button is currently broken either way (I get an internal server error or similar for most services).

[mbransn]

Why not just force-disable auto-login when you press "go back" from the error that prompts you to use LDAP? The go back button is currently broken either way (I get an internal server error or similar for most services).

Agreed with this solution (and yes, I'm receiving same error when testing). Users will expect 'Go Back' to route to NLX start screen. If auto-login is disabled this will allow a new login attempt where the user can choose to re-enable auto-login (after our current work on auto-login opt-in/-out is live of course).

[ghost]

➤ Hidde de Vries commented:

This is currently BLOCKED, because we have not decided (in #99) whether to keep errors in SSO Dashboard (in which case we need to investigate if we can add a parameter that disables autologin) or move them to NLX (in which case we can turn off auto-login right there).

[gdestuynder]

side note: im not 100% sure if we'd be able to implement a back-button-is-cancel at the moment as you go back to the auto login url, which is the auth0 call (not NLX)

if you spam back multiple times it might work though :)

[hidde]

I had an idea this morning and added something that puts the newLocation into history before redirecting to do autologin: 4fbd913 This should enable using the back button to return to NLX without being automatically logged in.

(cc @viorelaioia: this is now on DEV)

[viorelaioia-zz]

@hidde , this seems seems to stop the autologin when clicking "Go Back" button from an error page. But I believe it might also have stopped autologin for cases where we want it to work.
I tried the following scenario:

1. Login with LDAP in sso.allizom.org, with autologin enabled
2. Navigate to mozillians staging
3. Click "Log In" button

Expected: I'm automatically logged in with LDAP
Actual: nlx window to enter credentials is returned

Can you please take a look? Thanks!

[hidde]

Hi @viorelaioia , I have just fixed this. Could you please test again?

[viorelaioia-zz]

Autologin works again now, but looks like after clicking "Go Back" from error page and trying to login again, user is automatically logged in with last used connection (so autologin is not stopped).

Steps I followed:

1. Have an LDAP account
2. Login to mozillians staging with an fxa account that has the same primary email as your LDAP account => sso error page is returned
3. Click "Go Back" button
4. Click "Log In" button

Expected: nlx asking to enter credentials is returned
Actual: I'm autologged in with fxa.

[hidde]

Aah, thanks for the steps. What I implemented is something slightly different:

1. Have an LDAP account
2. Login to mozillians staging with an fxa account that has the same primary email as your LDAP account => sso error page is returned

then: use the browser back button to go back to the login page.

Thinking about what you described and mixing @gdestuynder's original idea: maybe we can just do autologin maximum once per 10 minutes? So we try it, when you try again, no autologin happens. If we do that, your steps would work if they're done in the same 10 minutes (and they would likely not bother anyone else?)

[hidde]

Just discussed this with @viorelaioia, we'll do this, and also check RP, so autologin will be stopped if it is the second (or more) time within ten minutes into the same RP.

[hidde]

This change is now live! 🎉

@viorelaioia Can we close this issue?

[viorelaioia-zz]

yes! Closing it!