No way to cancel 2-factor auth step

Bug #972996 reported by Anthony Lenton
This bug affects 4 people
Affects: Canonical SSO provider
Status: Fix Released
Importance: High
Assigned to: Natalia Bidart

Bug Description

Today I wanted to test a bit of code that required me to be signed out of SSO.
As I imagined I'd be signed in on SSO, I fired up a browser and went to login.ubuntu.com to sign out of SSO.
It turns out at the time I was indeed signed in, but my 2-factor auth had expired, so it sent me to https://login.ubuntu.com/two_factor_auth?next=/

At this point I wanted to *log out*, but I had no way to cancel the 2-factor auth login and sign out. The screen has no "Cancel" link, no "I'm somebody else". I ended up logging in just to be able to log out.

I later noticed that if I'd gone to https://login.ubuntu.com/+logout it would have logged me out, but you need to know this URL off by heart.

So, if you use SSO with 2-factor auth and then leave the box unattended and somebody else comes along a while later and tries to use SSO too with their own account, SSO will try to ask them to log in with 2-factor auth (which is *great*, as it doesn't allow them to use your account), but it doesn't allow them to log in with their own account either.

Changed in canonical-identity-provider:
status: New → Confirmed
importance: Undecided → High
Dean Henrichsmeyer (dean) wrote :

Agreed, either a "sign-in as another user" or "logout" link would be great to have on that page.

tags: added: maintenance
tags: added: twofactor
Changed in canonical-identity-provider:
milestone: none → public-rollout
Changed in canonical-identity-provider:
assignee: nobody → Natalia Bidart (nataliabidart)
status: Confirmed → In Progress
Changed in canonical-identity-provider:
status: In Progress → Fix Committed
Changed in canonical-identity-provider:
milestone: public-rollout → 12.10.11
Changed in canonical-identity-provider:
status: Fix Committed → Fix Released
Leo Arias (elopio) wrote :

Confirmed in production. Thanks for the fix.
