Task #3829
closed
Redmine: Authentication (login) fails quietly
0%
Description
I went to TDF’s Redmine instance (this site) for the first time today. At ~17:06, I tried authenticating. Clicking "Connexion" initially prompted for credentials, but once these were provided, the tab returned to the homepage without logging me in. Further clicks on "Connexion" quietly failed, with no more effect than reloading the page. This persisted for more than 1 hour, until after I reported the issue to the website mailing list and Guilhem Moulin helped. This occurred with both of the browsers which I tried (Mozilla Firefox 138.0.1 and Google Chrome 136).
After Guilhem intervened, I needed to "logout from SSO", which I managed to do thanks to https://auth.documentfoundation.org/?logout=1
Even though I was not logged in on HelpWiki, Redmine or user.documentfoundation.org, I was still in fact "authenticated to SSO" (…or perhaps more accurately, to "Reduced Sign-On"). "Logging out from RSO" in both browsers allowed me to then authenticate properly, in both browsers.
I am asking Guilhem what he did, but from my understanding, he probably merely made a manipulation to my account, so this bug is account-dependent. He pointed to the following fragment from Redmine’s home page:
In order to create or edit tickets you need to have an account on our Single Sign On service. In addition, write access to Redmine is currently subject to manual approval (this helps avoid the creation of spam accounts).
That fragment seems to refer to authorization, but seems to become incoherent once you pay attention to the parenthesis, which is visibly about authentication (account creation). Whatever it means, it would surely help to clarify what it means by "manual approval".
Updated by Guilhem Moulin 4 days ago
- Project changed from Websites to Infrastructure
- Category set to Redmine
- Status changed from New to Rejected
I disagree this is a bug. The text in the homepage could be improved but it works as intended and has for years. Users requesting access to this Redmine instance need to use the mailto: URL on the homepage; an admin will then follow up from there and provide instructions on how to sign in.
Updated by Philippe Cloutier 2 days ago
Hi Guilhem,
Guilhem Moulin wrote in #note-1:
I disagree this is a bug. The text in the homepage could be improved but it works as intended and has for years.
This bug is not about the text. I mentioned the text because it is related, but it is the Sign in / Connexion link (at the top, right) which is broken.
Users requesting access to this Redmine instance need to use the mailto: URL on the homepage; an admin will then follow up from there and provide instructions on how to sign in.
Right, I said "manual approval" was unclear, but looking at this again, what is most unclear is what is approved. What is approved appears to be indeed a manual request, so the sentence should rather read something like:
write access to Redmine is not possible until a <a>manual request</a> is manually approved (this helps avoid the creation of spam accounts).
Updated by Guilhem Moulin 2 days ago
This bug is not about the text. I mentioned the text because it is related, but it is the Sign in / Connexion link (at the top, right) which is broken.
And I argue it works as intended, since it doesn't authenticate and redirects to a page with instructions on how to request access. That might be what you call “restricted SSO”, but having an account in SSO doesn't automatically grant you access to all resources and services at TDF. Some are only for TDF members, others are only for staff, others only for elected bodies, etc. And others, like Redmine, are open to all but subject to manual approval. That's how the system is designed.
write access to Redmine is not possible until a <a>manual request</a> is manually approved (this helps avoid the creation of spam accounts).
Changed with a minor tweak, thanks for the suggestion.
Updated by Philippe Cloutier 2 days ago
Thank you for the change Guilhem, that is clearer.
Guilhem Moulin wrote in #note-3:
This bug is not about the text. I mentioned the text because it is related, but it is the Sign in / Connexion link (at the top, right) which is broken.
And I argue it works as intended, since it doesn't authenticate and redirects to a page with instructions on how to request access.
I hope the intention was not that clicking "Sign in" doesn't authenticate 🙄, but thanks, I understand your perception a little more.
So, when one clicks a "Sign in" link, one expects to either:
1. be authenticated
2. be presented with a login form
3. or receive a message about why that failed.
You seem to be arguing that it is also fine to be brought to a page from which one can figure out how to sign in. I agree that it would be fine to bring the user to a page whose purpose is to explain how to authenticate and which does that clearly, but that is not the case here:
1. The target is the homepage ("Welcome to The Document Foundation Redmine").
2. The page does not explain how to sign in. You claim a follow-up does, but that page never even mentions such a follow-up.
Instead, the user goes from:
A. the homepage, https://redmine.documentfoundation.org
B. a login form
C. a consent form for sharing information with Redmine
D. back to the same homepage as A, unchanged
In other words, from step C to D, the user feels like he is going backwards.
If solutions are not clear, please consult someone experienced in user experience. As a very poor workaround, changing the Sign in button’s label to "Sign in or start a process which may let you sign in" would technically fix it.