fix: Display error when a user connected with OIDC token from another… #4646
Conversation
Can we add the link to logout directly from the error message? Calling /auth/logout is OK?
I'm not sure, I'll check. It's just an error page, and we can't just add a link as text, it will be displayed as is.
Thanks. Now, the next iteration will be to make a good design for this page 🙄
It's just my local run without CSS, in general it's better.
| if dmErr, ok := err.(*DomainMismatchError); ok { | ||
| extras["ErrorArgs"] = dmErr.TranslationArgs() | ||
| errMsg = dmErr.TranslationKey() | ||
| if logoutURL := getOIDCLogoutURL(inst.ContextName); logoutURL != "" { |
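Review bot: the `logoutURL != ""` guard on the last line is the only check before the value from `getOIDCLogoutURL(inst.ContextName)` reaches the error page; since it is rendered as a clickable link on an unauthenticated page, a comment next to this branch should state that the URL is taken from operator configuration for that context and is expected to be absolute, and the helper should reject anything else rather than only the empty string. It is also worth noting in the same comment that, as discussed on this PR, the link targets the provider's logout and does not end the stack's own session.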
Logout from OIDC is really the SSO endpoint? So if backchannel logout is not working, we'll not be disconnected from the stack, right?
Shouldn't we call the internal stack API (something like DELETE /auth, or I don't remember) and let this route call the SSO endpoint if needed?
Yes, it's the SSO endpoint, and in the Twake Workplace case, it's the URL in sign-up /oauth/logout.
We'll not be disconnected from the "first" stack, and it's the same problem we were talking about last week.
I think no:
- OIDC logout flow should be initiated by the RP
- current DELETE /auth/login doesn't call end_session_endpoint, and even if we call DELETE /auth/register/, only a specific session will be destroyed, and the user will stay logged in; in our case we want the user to be disconnected from SSO completely
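An added example, not code from this PR or from the project, of what the reply above implies: building an RP-initiated logout URL against the provider's `end_session_endpoint` instead of linking a bare provider URL, and emitting no link at all unless the configured endpoint is an absolute https URL. `DomainMismatchError`, `OIDCConfig`, `rpInitiatedLogoutURL` and `logoutLinkForError` are assumed names modelled on the hunk, not the project's own.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// DomainMismatchError is a hypothetical stand-in for the error the PR handles:
// the browser's OIDC session belongs to another instance (Active) than the one
// the user tried to reach (Requested).
type DomainMismatchError struct{ Requested, Active string }

func (e *DomainMismatchError) Error() string {
	return fmt.Sprintf("OIDC session for %s used on %s", e.Active, e.Requested)
}

// OIDCConfig is the assumed per-context configuration: the provider's
// end_session_endpoint from its discovery document and our own return page.
type OIDCConfig struct{ EndSessionEndpoint, PostLogoutRedirectURI string }

// rpInitiatedLogoutURL builds an OIDC RP-Initiated Logout URL so the provider
// ends the whole SSO session and sends the user back to us. It returns ""
// unless the configured endpoint is an absolute https URL, so the error page
// never links anywhere an operator did not configure.
func rpInitiatedLogoutURL(cfg OIDCConfig, idToken string) string {
	u, err := url.Parse(cfg.EndSessionEndpoint)
	if err != nil || u.Scheme != "https" || u.Host == "" {
		return ""
	}
	q := u.Query()
	if idToken != "" {
		q.Set("id_token_hint", idToken) // tells the OP which session to end
	}
	if cfg.PostLogoutRedirectURI != "" {
		q.Set("post_logout_redirect_uri", cfg.PostLogoutRedirectURI)
	}
	u.RawQuery = q.Encode()
	return u.String()
}

// logoutLinkForError mirrors the hunk's branch: only a DomainMismatchError gets
// a logout link on the error page; any other error gets none.
func logoutLinkForError(err error, cfg OIDCConfig, idToken string) string {
	var dmErr *DomainMismatchError
	if errors.As(err, &dmErr) {
		return rpInitiatedLogoutURL(cfg, idToken)
	}
	return ""
}
```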
OK, it makes sense (thanks!).
We need to work on "be sure to be logged out from the stack" if we're not connected to the SSO (by making the stack more consistent with the SSO provider).
Improve OIDC error message when user has an active session for different account
When users try to log in to one Twake instance while having an active OIDC session for a different instance, they now see a helpful message, "To connect to X, please disconnect first from Y", instead of the generic "The authentication has failed". This helps users understand why login failed and what action to take.