Task #3480 (open)
Redirections to auth.tdf are sometimes lacking the back URL
Description
I've noticed that when I log in, I somehow find myself in the password change dialog / page, even though I've only recently changed my password.
Updated by Guilhem Moulin over 3 years ago
Log in to what? What are the exact steps that land you there? Note that if you visit https://auth.documentfoundation.org (as opposed to being redirected there) you see the password prompt indeed, along with the OAuth2 grants. This is intentional.
Updated by Eyal Rozenberg over 3 years ago
> Log in to what?
To RedMine (hence the bug category). But it's really to everything, via the auth subdomain.
> What are the exact steps that land you there? Note that if you visit https://auth.documentfoundation.org (as opposed to being redirected there) you see the password prompt indeed, along with the OAuth2 grants. This is intentional.
Next time this happens I'll try to write down exact reproduction instructions, but basically - if you've logged in, and go back to the window without the login, and reload - you do not (necessarily) appear as logged in, and when clicking the Sign In link, you get to the auth website, to the password changing dialog.
I don't think that dialog should be the thing you see by default, anyways.
Updated by Guilhem Moulin over 3 years ago
- Subject changed from Always directed to the password change dialog to Redirections to auth.tdf are sometimes lacking the back URL
- Category changed from Redmine to Single Sign-On
Eyal Rozenberg wrote:
> > Log in to what?
> To RedMine (hence the bug category). But it's really to everything, via the auth subdomain.
Changing the category then. And the Subject, if that's not reproducible.
> Next time this happens I'll try to write down exact reproduction instructions, but basically - if you've logged in, and go back to the window without the login, and reload - you do not (necessarily) appear as logged in, and when clicking the Sign In link, you get to the auth website, to the password changing dialog.
The instructions are unclear to me, but I can't reproduce this. In a new browser session:
- Visit https://auth.documentfoundation.org/ . A yellow “Authentication required” dialog appears. After authentication the password change screen shows up — this is not a bug.
- Visit this ticket page https://redmine.documentfoundation.org/issues/3480 . I'm not logged in to Redmine, so the Sign in / Register links are visible on the top right.
- Clicking Redmine's Sign in link (to https://redmine.documentfoundation.org/login), I'm first redirected to its OAuth2 SP endpoint, then to https://auth.documentfoundation.org/oauth2/authorize?client_id=redmine with a suitable redirect URI. As I already authenticated to the Single Sign-On platform I'm redirected back to Redmine without further authentication.
Do you have a browser extension that might block the redirect? Is there an error message showing up in your browser console?
> I don't think that dialog should be the thing you see by default, anyways.
auth.documentfoundation.org is an authentication platform, nothing more.
Updated by Guilhem Moulin over 3 years ago
Guilhem Moulin wrote:
> The instructions are unclear to me, but I can't reproduce this.
One way to reproduce the missing redirect is to enter wrong credentials. In a new browser session:
- Visit https://redmine.documentfoundation.org/ and click “Sign in” on the top right.
- Enter wrong credentials at https://auth.documentfoundation.org
- The “Go to portal” page on the error page is lacking the redirect URL, so clicking that and authenticating doesn't redirect back to the SP.
Doesn't seem to be what you're describing though.