goauthentik/authentik

Bug Report: "Not you?" Button Cancels Authentication Flow for Applications

cdmx1 opened this issue · 3 comments

Describe the bug
When attempting to log in to an application via authentik-2024.04.02, clicking the "Not you?" button on the top right cancels the authentication flow. However, after continuing to login with the different or same credentials, instead of returning the user to the application's login page, it redirects them to the authentik dashboard.

To Reproduce
Steps to reproduce the behavior:

  • Go to the login page of any application integrated with authentik.
  • Begin the login process.
  • On the login page, locate and click the "Not you?" button on the top right.
  • Continue to log in with the same or different credentials.
  • Observe the redirection behavior.

Expected behavior
Clicking the "Not you?" button should cancel the current authentication flow and return the user to the application's login page, allowing another user to attempt login without being redirected to the authentik dashboard.

Version and Deployment:
authentik version: 2024.04.02
Deployment: docker-compose

Additional context
This issue disrupts the user experience by taking users away from the intended application, causing confusion and requiring additional steps to navigate back to the application’s login page.

This happens due to the "Not you?" button cancelling the flow execution by removing the currently planned flow, which also contains the final URL that the user should be sent to.

Hi @BeryJu, but that creates a flow break for the user. Could you please provide guidance or a potential solution on how we can preserve the final URL of the application during the flow cancellation? This would ensure that users are redirected back to the application's login flow rather than the authentik dashboard.

I'm not saying that I don't agree with your point, this was just for context of why the current behaviour happens as it does.

I think this might also be fixable by ensuring the correct ?next URL is set for all those flows, as in that case the redirect from authz flow -> cancel -> invalidation -> authentication should keep the correct final next parameter, which would also solve this issue, and wouldn't require us to decide which flow plan items should be deleted and which shouldn't.
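The chain described in the last comment (authorization flow -> cancel -> invalidation -> authentication), as an added Python model that is not authentik's code: the flow names, the `next` context key, the dashboard path and the allowed host are assumptions, and the same-origin check is the caveat that keeps a preserved `next` from turning into an open redirect once it is carried across a cancel.

```python
# Added example, not authentik's code: a toy flow plan that carries the final
# redirect target, showing how a lossy cancel drops it (user lands on the
# dashboard) and how passing a validated `next` through the restarted
# authentication flow keeps the user on the application's login path.
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlsplit

KEY_NEXT = "next"                        # assumed context key for the final URL
DASHBOARD = "/if/user/"                  # assumed landing page when no target is known
ALLOWED_HOSTS = {"auth.example.test"}    # constructed: the IdP's own host


@dataclass
class FlowPlan:
    flow: str                            # constructed flow name, e.g. "authorization"
    context: dict = field(default_factory=dict)


def is_safe_next(url: str) -> bool:
    """Accept only same-origin targets, so a preserved `next` cannot redirect off-site."""
    parts = urlsplit(url)
    if parts.scheme or parts.netloc:     # absolute URL: must be https on our own host
        return parts.scheme == "https" and parts.netloc in ALLOWED_HOSTS
    return url.startswith("/") and not url.startswith("//")  # relative, not protocol-relative


def cancel_lossy(plan: FlowPlan) -> None:
    """Behaviour described in the issue: the whole plan, final URL included, is discarded."""
    return None


def cancel_preserving(plan: FlowPlan) -> Optional[str]:
    """Extract the `next` to hand on to the invalidation/authentication flows, if it is safe."""
    target = plan.context.get(KEY_NEXT)
    return target if target and is_safe_next(target) else None


def restart_authentication(next_param: Optional[str]) -> FlowPlan:
    """Authentication flow rebuilt after the cancel; it only knows `next` if it was passed on."""
    return FlowPlan("authentication", {KEY_NEXT: next_param} if next_param else {})


def final_redirect(plan: FlowPlan) -> str:
    return plan.context.get(KEY_NEXT, DASHBOARD)


def run(preserve_next: bool, app_url: str) -> str:
    """Simulate authz -> 'Not you?' cancel -> re-authentication and return where the user lands."""
    authz = FlowPlan("authorization", {KEY_NEXT: app_url})
    next_param = cancel_preserving(authz) if preserve_next else cancel_lossy(authz)
    return final_redirect(restart_authentication(next_param))
```

With `preserve_next=False` the user ends up on `DASHBOARD` exactly as the report describes; with it set, a same-origin `next` survives the cancel while an off-site one is dropped and falls back to the dashboard.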