fusionauth-issues
Self Service Account Management Login Bug - Unchecking "Keep me signed in" prevents user access
Description
I created an application in a tenant for a user to log into to edit their profile using FusionAuth's Self Service Account Management tool.
My relevant OAuth configuration for the application is as follows:
- client_id: <application id>
- client_secret: <obscured>
- Client Authentication: "Not required when using PKCE"
- PKCE: "Not required when using client authentication"
I created a user and assigned the user to my application within my tenant. I then used the Account URL (found when inspecting the application; it takes the form <subdomain>.fusionauth.io/account/?client_id=<application id>) to attempt to log in, unchecking "Keep me signed in". FusionAuth reported a successful login on the user's page in the console, but a network trace shows that I was routed back to the login page, which appears to the user as if they did not successfully log in.
However, when I leave the "Keep me signed in" checkbox checked, and log in, I am authenticated properly and can view my user edit page.
Affects versions
1.30.2
Steps to reproduce
Steps to reproduce the behavior:
- Create a tenant in the FusionAuth Web Console
- Create an application within the newly created tenant
- Create a user, set up the user's password, and assign them to the newly created application
- Visit application page in web console, inspect application, and copy Account URL
- Visit Account URL, enter username and password, and uncheck "Keep me signed in"
- You will be redirected to the login page
- Verify that the login succeeded by visiting the user page in the FusionAuth web console -> Recent Logins
Expected behavior
Access the self service account management page (the ability to edit and change my user's profile, with the appropriate permissions set up).
Screenshots
Login where "Keep me signed in" unchecked:
Login where "Keep me signed in" checked:
Platform
- Device: Desktop
- OS: Windows 10
- Browser + version: Chrome 97.0.4692.71 | Edge 97.0.1072.55
Community guidelines
N/A
Additional context
Additionally, when attempting to log into the Self Service Account Management portal, if one uses a browser that does not save cookies (like incognito mode), the portal redirects the user to the login page as well. This issue may be related to what I've described above.
@ansonallard Thanks for the report. I can seemingly replicate the same behavior -- we will take a look!
This is working as designed. The self-service account pages use SSO for authorization. If you disable SSO by unchecking "remember me" - the user has no SSO session.
If we wanted to build out a separate token and session for self-service outside of SSO and treat it like a separate application we could look into that. Or possibly just allow you to send a JWT along on the Authorization header.
@robotdan Then there should be no "remember me" on the login or you can get to a situation where you can't login.
So, basically, the self service editor is not "embeddable" in our application based on this unless the user checks "remember me"?
@awoodsprim
You can always add a hidden field to ensure that 'remember me' is always true.
Then make sure that the SSO session length is small enough and that the logout button is prominent enough that your users won't be inadvertently leaving themselves vulnerable on a shared computer (if that is a common use case).
So, basically, the self service editor is not "embeddable" in our application based on this unless the user checks "remember me"?
That is correct.
@mooreds is exactly correct - you do not have to provide the user an option to un-check the box, instead, using the theme, modify this checkbox and make it a hidden field and hard code the value so that the user always has an SSO session.
If you want to de-couple this feature from SSO, you could open a request to use a separate session, or to take a JWT issued from your application as authorization. Or we could convert this issue into a feature request.
Hope that helps!
We had plans to replace the editor with our own; this will just accelerate them. We had hoped to use the editor "as is" for a bit to allow users to modify their settings.
I can work with the theme option, thanks @mooreds and @robotdan for the ideas!
Thanks @awoodsprim I'm going to note this limitation/design choice in the docs and close this bug out. Please re-open if I'm incorrect in doing so.
This "no bug" or "unwanted feature" is also a drawback for me, as it can make Self Service Account Management unusable (without implementing a workaround such as hidden fields).
To be summarized, the behaviour is as follows:
Go to the Account URL and try to log in: if the "Remember Me" box is not checked, you cannot enter. In a private browser, it works without checking the "Remember Me" box.
From the point of view of a product user, it does not seem the best.
I hope it can be addressed soon.
I’m happy to re-open this for consideration.
But I don’t have any timeline when we would change this behavior.
Added a feature request to address this issue: https://github.com/FusionAuth/fusionauth-issues/issues/1860
Moving to #1860 as a feature request.