
Review Passwordless login when an SSO session already exists

Open robotdan opened this issue 3 years ago • 1 comment


Description

Ensure the current behavior is expected.

Use case 1

  • User A has an SSO session
  • User B performs a passwordless login via email
  • ?

Use case 2

  • User B has an SSO session
  • User B performs a passwordless login via email
  • ?

Could we ensure that the passwordless login request belongs to the same user as the current SSO session? Or, if we generate an auth code, does it need to belong to the same owner of the current SSO session?


robotdan avatar Oct 07 '22 03:10 robotdan

If the existing behaviour (in use case 1) is deemed to be expected, an option (either at tenant level or at request level for passwordless logins) to sign out any existing SSO session as part of a (successful) passwordless login would be ideal.

We'd like to ensure that if a passwordless login is performed on a shared device (by scanning a QR code in our case - so the passwordless login may be this user's first interaction with FusionAuth or our app), any SSO session from a previous user (who forgot to log out) is terminated / replaced by the new user's session.

pauln avatar Oct 10 '22 22:10 pauln
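The two use cases in the issue and the "sign out any existing SSO session on a successful passwordless login" option from the comment above, modelled as an added example. This is illustrative code written for this thread, not FusionAuth's implementation: `SessionStore`, `PasswordlessCodes`, `complete_passwordless_login` and the outcome names are all assumed. The point it demonstrates is that a passwordless code is bound to the user it was issued for, the session id presented by the device is always revoked and replaced on a successful login (so a prior user's session on a shared device cannot survive), and the handler reports whether the previous session belonged to a different user (use case 1) or the same user (use case 2).

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed in-memory stand-ins for an identity provider's SSO session table
# and its one-time passwordless codes (hypothetical, not FusionAuth's own code).


@dataclass
class SsoSession:
    user_id: str
    created_at: float = field(default_factory=time.monotonic)


class SessionStore:
    def __init__(self) -> None:
        self.sessions: Dict[str, SsoSession] = {}
        self.revoked: List[str] = []  # audit trail of revoked session ids

    def create(self, user_id: str) -> str:
        sid = secrets.token_urlsafe(32)  # unpredictable session id
        self.sessions[sid] = SsoSession(user_id)
        return sid

    def revoke(self, sid: str) -> None:
        if self.sessions.pop(sid, None) is not None:
            self.revoked.append(sid)


class PasswordlessCodes:
    """One-time codes, each bound to the user it was issued for."""

    def __init__(self) -> None:
        self.codes: Dict[str, str] = {}

    def issue(self, user_id: str) -> str:
        code = secrets.token_urlsafe(32)
        self.codes[code] = user_id
        return code

    def redeem(self, code: str) -> Optional[str]:
        # Single use: the code is removed on its first redemption, so a replayed
        # or guessed code never yields a user.
        return self.codes.pop(code, None)


@dataclass
class LoginResult:
    # "invalid_code", "new_session", "replaced_other_user" (use case 1)
    # or "refreshed_same_user" (use case 2)
    outcome: str
    session_id: Optional[str]
    previous_user_id: Optional[str] = None


def complete_passwordless_login(
    store: SessionStore,
    codes: PasswordlessCodes,
    presented_session_id: Optional[str],
    code: str,
) -> LoginResult:
    """Finish a passwordless login for the device that presented `code`.

    The user comes from the code, never from the existing SSO session, and any
    session the device presented is revoked and replaced whoever owned it.
    """
    owner = codes.redeem(code)
    if owner is None:
        # Invalid or already-used code: leave whatever session exists untouched.
        return LoginResult("invalid_code", None)

    existing = store.sessions.get(presented_session_id) if presented_session_id else None
    if existing is None:
        return LoginResult("new_session", store.create(owner))

    # Always rotate: the old id is revoked and a fresh one issued, so the browser
    # never keeps an id that existed before authentication.
    store.revoke(presented_session_id)
    new_sid = store.create(owner)
    if existing.user_id != owner:
        # Use case 1: a previous user forgot to log out of the shared device.
        return LoginResult("replaced_other_user", new_sid, existing.user_id)
    # Use case 2: the same user re-authenticated; same owner, new session id.
    return LoginResult("refreshed_same_user", new_sid, existing.user_id)


if __name__ == "__main__":
    store, codes = SessionStore(), PasswordlessCodes()
    stale = store.create("user-a")  # user A left an SSO session behind
    result = complete_passwordless_login(store, codes, stale, codes.issue("user-b"))
    print(result.outcome, "revoked:", store.revoked)
```

The `revoked` list stands in for whatever audit log the real system keeps; a defender reviewing shared-device incidents wants the `replaced_other_user` outcome recorded with both user ids, since it is exactly the event the comment above is worried about.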

Internal

  • https://github.com/FusionAuth/fusionauth-app/pull/178

spwitt avatar Dec 29 '22 21:12 spwitt