Sign in with security key not working if email is cached #290
Comments
Thank you for reporting your feedback to us! The internal ticket has been created: https://warthogs.atlassian.net/browse/IAM-1114.
…change email link to restart the flow. fixes canonical#290 Signed-off-by: David Edler <david.edler@canonical.com>
…change email link to restart the flow. fixes canonical#290 feat: add `clear-session` api for kratos session cookie fix part two of the fix for canonical#290 that clears the browser cookie to reset the email Signed-off-by: David Edler <david.edler@canonical.com>
I don't really like the approach we take here:
We should have a look at what major providers do and copy them. For example on GitHub (not the best example, I know), if you press back on the authorizer screen, you will be asked to enter your username/password again, and if you go forward in the browser, you will again be asked for TOTP. I think for us the best flow would be one of the following:
What do you think? cc @lukasSerelis @edlerd Originally posted by @nsklikas in #292 (review)
What is happening
If you try to sign in but don't complete MFA and visit the initial sign-in page again, it caches the email and only shows the password and security key sign-up options, even if a security key is not set up. If the security key is not set up, it does not show an error message; it just keeps redirecting back to the same page.
What should happen
First of all, it shouldn't obscure the email address that is cached; that is bad UX practice, as the user might be trying to sign in to a different account, and you're making them guess which email has been cached. Display the email even though it's been cached. Secondly, either display all methods of sign-in or only the supported ones, because right now you're doing neither.
Preferred flow
Flow in screens
User visits a resource that is accessible via the Login UI. The UI displays all of the possible sign-in methods.
User signs in with email and password. The Login UI asks for MFA. User closes the tab.
User visits a resource that is accessible via the Login UI. The UI displays the cached email with the ability to edit it, and all sign-in methods that this email is able to use (in this example, the email has a security key and Google, but not Okta, set up for this identity).
Compromise option
Same flow, but display all of the possible sign-in options, regardless of which options are actually available for the identity.