Timshel/vaultwarden

Abort SSO cause endless loop

rizlas opened this issue · 6 comments

Hi,
currently testing with:

oidcwarden/vaultwarden-oidc:1.30.1-11 and override web-vault_button with the latest release of https://github.com/Timshel/oidc_web_builds/releases/tag/v2024.1.2-4.

The aim is to have an environment that corresponds to the content of dani-garcia#3899.

Aborting single sign-on with a simple page back when your provider's page is displayed shows the user a page (https://vaultwarden-test.domain.tld/#/sso?email=your@sso.email) that says "loading" infinitely.


Steps to reproduce:

  1. Write your email and click Continue.
  2. Click on Enterprise single sign-on.
  3. When asked for SSO credentials, click page back.
  4. The page with "loading" is shown.

This of course doesn't happen when a session with your SSO is already in place.

This only happens before login with SSO, when you click back?

When your SSO provider presents its login form, click back.
Click back twice and you'll be back at https://vaultwarden-test.domain.tld/#/login.

IMHO it's preferable to be back immediately at https://vaultwarden-test.domain.tld/#/login.

If that's the case, I am not sure if it's generally an issue with the implementation of the script,

though as a cosmetic improvement I think a rate limit could be implemented on how many login attempts are allowed until it fails,
so basically a kind of session timeout.

But generally, that's how it would work.

You are on the login screen of the SSO provider, and you click to go back to the login screen, which takes you back to the SSO provider page.

Hey,

So yeah, testing it, it sends you back to the loading page (the URL for me is http://10.42.0.242:8000/#/sso?email=test@mailtm.org), and if you refresh, it sends you again to the SSO.

This is not great, but as you mention, going back twice brings you back to the login screen. So I don't think it's worth trying to make a custom patch for it (which probably would not be integrated by Vaultwarden).

I was afraid the override version would be even worse, but in fact it works better since it sends you back to the #/sso page (even if it's a bit meaningless since you can only go back to the SSO ^^).

I am so looking forward to the official integration of SSO into Vaultwarden by the Vaultwarden team; I think it's one of those features that everyone wants, and it's long overdue.

Yeah, main objective was to make you aware of the behaviour. For sure any further patch is going to be rejected at this time.

The override version works very well, but unfortunately it'll not be merged. I'm focusing only on the "button" version.