Single redirect /account to home.account.gov.uk rather than session start if no redirect param passed #3670
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
KludgeKML
force-pushed
the
account-redirect
branch
from
95dd10f
to
7413dda
Compare
KludgeKML
changed the title
KludgeKML
force-pushed
the
account-redirect
branch
from
7413dda
to
35118f8
Compare
KludgeKML
force-pushed
the
account-redirect
branch
from
35118f8
to
696ae2d
Compare
…tart. - Currently /account/home redirects to home.account.gov.uk, but /account is the session creation start, which bounces to the acount api signin URL (on oidc.account.gov.uk) - This is causing odd behaviour when people log in to check emails (accounts with 2FA are logged in then sent for an uplift to 2FA to get to their account homepage - especially awkward when they reset their password, at which point they end up putting in 3 2FA codes - one to change the password, then twice to log in to their account). - DI have asked that we redirect /account directly to home.account.gov.uk to avoid this problem. This should be okay, although this endpoint also takes redirects. To keep current behaviour, we bounce to home.account.gov.uk only if no valid redirect params are passed.
KludgeKML
force-pushed
the
account-redirect
branch
from
696ae2d
to
6451136
Compare
KludgeKML
added a commit
to alphagov/email-alert-frontend
that referenced
this pull request
Jul 13, 2023
In order to improve the logged-in experience, in alphagov/frontend#3670 we are redirecting /account directly to home.account.gov.uk. This means that we are skipping session creation. It improves the general logged in behaviour, but means that if someone goes to /account and logs in, then follows the link to /email/manage, email-alert-frontend will not know that the user is logged in (because no session will exist), and they'll be prompted for their email address. To get around this, we add support for a hint parameter (from=your-services) which will be added to the link in the home.account.gov.uk/your-services page. When we go to /email/manage?from=your-services, the app knows that we came from One Login and are therefore probably logged in, so attempts a silent login.
KludgeKML
added a commit
to alphagov/email-alert-frontend
that referenced
this pull request
Jul 13, 2023
In order to improve the logged-in experience, in alphagov/frontend#3670 we are redirecting /account directly to home.account.gov.uk. This means that we are skipping session creation. It improves the general logged in behaviour, but means that if someone goes to /account and logs in, then follows the link to /email/manage, email-alert-frontend will not know that the user is logged in (because no session will exist), and they'll be prompted for their email address. To get around this, we add support for a hint parameter (from=your-services) which will be added to the link in the home.account.gov.uk/your-services page. When we go to /email/manage?from=your-services, the app knows that we came from One Login and are therefore probably logged in, so attempts a silent login.
KludgeKML
added a commit
to alphagov/email-alert-frontend
that referenced
this pull request
Jul 19, 2023
In order to improve the logged-in experience, in alphagov/frontend#3670 we are redirecting /account directly to home.account.gov.uk. This means that we are skipping session creation. It improves the general logged in behaviour, but means that if someone goes to /account and logs in, then follows the link to /email/manage, email-alert-frontend will not know that the user is logged in (because no session will exist), and they'll be prompted for their email address. To get around this, we add support for a hint parameter (from=your-services) which will be added to the link in the home.account.gov.uk/your-services page. When we go to /email/manage?from=your-services, the app knows that we came from One Login and are therefore probably logged in, so attempts a silent login.
KludgeKML
added a commit
to alphagov/email-alert-frontend
that referenced
this pull request
Jul 19, 2023
In order to improve the logged-in experience, in alphagov/frontend#3670 we are redirecting /account directly to home.account.gov.uk. This means that we are skipping session creation. It improves the general logged in behaviour, but means that if someone goes to /account and logs in, then follows the link to /email/manage, email-alert-frontend will not know that the user is logged in (because no session will exist), and they'll be prompted for their email address. To get around this, we add support for a hint parameter (from=your-services) which will be added to the link in the home.account.gov.uk/your-services page. When we go to /email/manage?from=your-services, the app knows that we came from One Login and are therefore probably logged in, so attempts a silent login.
KludgeKML
added a commit
to alphagov/email-alert-frontend
that referenced
this pull request
Jul 20, 2023
In order to improve the logged-in experience, in alphagov/frontend#3670 we are redirecting /account directly to home.account.gov.uk. This means that we are skipping session creation. It improves the general logged in behaviour, but means that if someone goes to /account and logs in, then follows the link to /email/manage, email-alert-frontend will not know that the user is logged in (because no session will exist), and they'll be prompted for their email address. To get around this, we add support for a hint parameter (from=your-services) which will be added to the link in the home.account.gov.uk/your-services page. When we go to /email/manage?from=your-services, the app knows that we came from One Login and are therefore probably logged in, so attempts a silent login.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What
Redirect requests to /account directly to home.account.gov.uk if there is no redirect param supplied.
Why
Request from the OneLogin team - redirecting here prevents a problem where rather than being asked to sign in with 2FA to begin with, an uplift scenario starts (where the user logs in without 2FA, then the 2FA is requested later). This is leading to confusing differences in 2FA prompts, and a situation where people resetting their password are asked for their 2FA twice consecutively.
Trello card