New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Introduce new account app (to replace oauth app) #1422
Comments
Regarding the whole login/logout confusion issue between console and oauth provider, here's my plan:
If I don't hear any complaints about this plan I'll start implementing this. |
Sounds like a great plan. I agree we don't need explicit logout of Console and stay logged in via OAuth in the UX, although it will work that way underneath. What do you need for cross-origin logout? Wouldn't it be a simple two-step approach; logout "page" to remove Console stored access token, then redirect to generic logout page where the Account app logs out? Or do you want this without redirection but post to a logout endpoint? |
For logout, we can get some inspiration from OpenID Connect logout. Nice summary can be found here: https://medium.com/@robert.broeckelmann/openid-connect-logout-eccc73df758f |
Two-step approach is OK. My concern was that the logout of the account app needs to be CSRF disabled, meaning that anyone with a logout link could lure someone into logging out from their account. This is also currently possible with the v2 stack (clicking here will log you out). |
I've done quite some work now for the new account app:
I did this by hardcoding an access token, to be able to use the stack API. I'm currently unable to advance with a proper implementation, since I don't know what would be the best way to obtain an access token for the account app.
I already said to @htdvisser that the whole delegated authentication/authorization aspect of this is somewhat overwhelming to me and I don't feel knowledgeable enough to be responsible for such a security-sensitive matter. What we should aim for is a flow that makes the authentication flow of our official clients feel like native authentication (see also my other comment), meaning that logins and logouts are global and there should be no distinction between the authenticated state of the clients and the authorization provider. So, I'd need some help and input to go on with the account app. How can we coordinate this? |
Yes, password grant must not be used, see specification and reasoning here: https://tools.ietf.org/html/draft-ietf-oauth-security-topics-13#section-3.4 |
@kschiffer what is the status here? |
Currently rebasing my work on the new scaffold, which is ongoing here: #3453 Next up is rebasing, fixing and PRing the authenticated views and adjusting the current designs to the new branding. |
@kschiffer what is the status here? |
The Account App has been introduced in 3.11. Currently still missing are:
|
OK. #488 is already closed it seems. This has been a big issue. Can you file one or two new issues for the above to replace this one, so it can be closed? |
Summary
We currently have a lot of issues revolving around our OAuth flow, account switching, token management, respective branding, etc. This is an attempt to make all of these more actionable under a new
account
app that will take care of all of these concerns.Why do we need this?
What is already there? What do you see now?
What is missing? What do you want to see?
An app that acts as OAuth provider and fully featured and branded configuration UI around all account and authentication concerns
Environment
Web
How do you propose to implement this?
I think a big problem with the current implementation is the lacking clarity and context for the user. It is hard to recognize the OAuth app as an independent authentication entity. Reasons are:
To improve clarity, we need to make the app more visible, distinguishable and purposeful:
I've created three wireframes that give an idea of how I envision the account app:
See wireframes
(notice the account switcher integrated in the user dropdown in the top right)
Can you do this yourself and submit a Pull Request?
Yes. @johanstokking @htdvisser, please let me know whether you think its good to continue.
The text was updated successfully, but these errors were encountered: