Single redirect /account to home.account.gov.uk rather than session start if no redirect param passed #3670
Merged
Conversation
KludgeKML force-pushed the account-redirect branch from 95dd10f to 7413dda on June 28, 2023 15:19.
KludgeKML changed the title from "TEST: Single redirect to home.account.gov.uk rather than session start." to "Single redirect /account to home.account.gov.uk rather than session start if no redirect param passed" on Jun 28, 2023.
KludgeKML force-pushed the account-redirect branch from 7413dda to 35118f8 on June 29, 2023 08:43.
KludgeKML force-pushed the account-redirect branch from 35118f8 to 696ae2d on June 29, 2023 11:08.
…tart. - Currently /account/home redirects to home.account.gov.uk, but /account is the session creation start, which bounces to the account api signin URL (on oidc.account.gov.uk) - This is causing odd behaviour when people log in to check emails (accounts with 2FA are logged in then sent for an uplift to 2FA to get to their account homepage - especially awkward when they reset their password, at which point they end up putting in 3 2FA codes - one to change the password, then twice to log in to their account). - DI have asked that we redirect /account directly to home.account.gov.uk to avoid this problem. This should be okay, although this endpoint also takes redirects. To keep current behaviour, we bounce to home.account.gov.uk only if no valid redirect params are passed.
KludgeKML force-pushed the account-redirect branch from 696ae2d to 6451136 on July 11, 2023 09:36.
KludgeKML added a commit to alphagov/email-alert-frontend that referenced this pull request on Jul 13, 2023:
In order to improve the logged-in experience, in alphagov/frontend#3670 we are redirecting /account directly to home.account.gov.uk. This means that we are skipping session creation. It improves the general logged in behaviour, but means that if someone goes to /account and logs in, then follows the link to /email/manage, email-alert-frontend will not know that the user is logged in (because no session will exist), and they'll be prompted for their email address. To get around this, we add support for a hint parameter (from=your-services) which will be added to the link in the home.account.gov.uk/your-services page. When we go to /email/manage?from=your-services, the app knows that we came from One Login and are therefore probably logged in, so attempts a silent login.
1pretz1 approved these changes on Jul 20, 2023:
Looks good!
What
Redirect requests to /account directly to home.account.gov.uk if there is no redirect param supplied.
Why
Request from the OneLogin team - redirecting here prevents a problem where rather than being asked to sign in with 2FA to begin with, an uplift scenario starts (where the user logs in without 2FA, then the 2FA is requested later). This is leading to confusing differences in 2FA prompts, and a situation where people resetting their password are asked for their 2FA twice consecutively.
Trello card
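The redirect rule in the PR description, written out as an added example that is not alphagov/frontend's own code: a request to /account with no usable redirect param goes straight to home.account.gov.uk, and only a same-site, path-only redirect param keeps the existing session-start behaviour, so the endpoint cannot be used as an open redirect. The parameter name (redirect_path), the session-start path and the validity rule are assumptions.

```ruby
require "uri"

# Constructed example modelling the /account redirect decision from this PR.
# Names below are assumptions, not the project's real constants or routes.
ACCOUNT_HOME_URL = "https://home.account.gov.uk"
SESSION_START_PATH = "/sign-in" # assumed: where the current session-creation flow begins

# A redirect param counts as valid only when it is a relative, path-only target.
# Absolute URLs, protocol-relative forms ("//evil.example") and "/\" variants are
# rejected so the param cannot bounce a user off the site.
def valid_redirect_path?(value)
  return false if value.nil? || value.empty?
  return false unless value.start_with?("/")
  return false if value.start_with?("//") || value.start_with?("/\\")

  uri = URI.parse(value)
  uri.scheme.nil? && uri.host.nil? && uri.path.start_with?("/")
rescue URI::InvalidURIError
  false
end

# Decide where GET /account should send the user.
# Returns [:home, url] for the new direct redirect to home.account.gov.uk, or
# [:session_start, url] for the existing flow carrying the validated redirect target.
def account_redirect(params)
  redirect_path = params["redirect_path"]
  if valid_redirect_path?(redirect_path)
    encoded = URI.encode_www_form_component(redirect_path)
    [:session_start, "#{SESSION_START_PATH}?redirect_path=#{encoded}"]
  else
    [:home, ACCOUNT_HOME_URL]
  end
end
```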