-
Notifications
You must be signed in to change notification settings - Fork 903
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix auto login #1362
base: main
Are you sure you want to change the base?
Fix auto login #1362
Conversation
…single one when only one is defined
@dokterbob I did a new PR from the good branch this time 😉 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I just reviewed the functionality (in our own app, with a single oauth provider).
What I hoped this would do, was to remove the intermittent login step before the redirect, which our users have found confusing (as there's no user interaction required).
What instead happened, is that now there is a single button for the user to click; there is a choice to be made but nothing to choose. Remember those websites back in the 90's with the 'Click here to ender the website'-button?
Of course, users need to be able to log out and I see the pain there. Our own users also have this issue.
What's happening AFAIK, is that when a user logs out from chainlit, the oauth authentication is immediately initiated again. If a user was not logged out from the oauth provider, this means that they are automatically logged in again. What the user's expectation is instead, is that when they're logging out, they are presented a prompt to log in again. If there's a single OAuth provider, they should end up seeing that provider's oauth login screen again (not a page with a single button).
So IMHO, what's necessary is that logging a user out in the frontend also logs them out on the oauth backend. The proper way might be to add an optional async def logout()
method to OAuthProvider
which for each OAuth provider uses the available credentials to have the provider revoke their credentials.
Alternatively, if 'properly' implementing OAuth (logout) (not a trivial matter!), perhaps we could make this behaviour configurable, setting prior behaviour as the default (e.g. single_oauth_auto_redirect = True
, allowing users to specifically disable it?
I could not help myself from digging a little deeper and it seems that OAuth2 has a To implement this, we could add That seems like a much simpler and elegant solution! |
Hello, this method is interesting, I'm going to dig that. |
@dokterbob I restored the previous behaviour and added prompt=consent to the authorization params for each one of the 9 chainlit external providers, as refered here |
Great! Could you please indicate to what extent you manually tested it? It's essential for this we do extensive manual testing! |
Sure, I only tested it on github oauth, but since it is defined in the OpenID connect core 1.0 spec, it should be sure that it work with the other one. If you want to test them, it would be great, I personnaly do not have the possibility to do so... |
Fix the automatic enter of the only oauth providers, which makes it unable to logout