openstreetmap/openstreetmap-website

"Remember me" can lock a user into OAuth flow

Opened this issue · 2 comments

P3 uses a popup OAuth window for users to authenticate with OSM.

If the user clicks "Remember me" on osm.org when first authenticating, then that login becomes a long-lived cookie (which AIR stores in the system cookie store, i.e. as used by IE or Safari).

If the user subsequently clicks "Log out" from P3's Connection prefs, then P3 deletes the OAuth user token/secret and won't use them to authenticate next time.

However, when the user next tries to save and the popup OAuth window opens, the "Remember me" cookie is still there. So osm.org goes straight to the "Authorize access to your account" page and says "The application Potlatch 3 is requesting access to your account, Richard." Which is a problem if what you actually wanted to do is log in with another account.

Couple of possible solutions:

  • Drop the "Remember me" box from the OAuth login page
  • Provide a "Log in as a different user" link on the "Authorize access" page

There is no "OAuth login page" as far as I know, there is just the normal login page, and not being asked to login if you're already logged in is entirely normal and expected.

All that "remember me" does is to extend the lifetime of the cookie - even without that you might still be considered logged in on a future visit.

You really shouldn't be deleting the OAuth token anyway - the whole point is to cache those client side otherwise you wind up with piles of duplicate authorisations on the OSM end.
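Added worked example (not code from openstreetmap-website or Potlatch 3) modelling the two points above: the issue's flow, where the editor drops its OAuth token but the osm.org session cookie survives in the system cookie store, and the reply's point that "remember me" only changes the cookie's lifetime. Class names, cookie formats and the session lifetimes are assumptions. The only variable that changes what the next authorize request shows is whether the osm.org session itself is ended, which is what a "log in as a different user" link would have to do.

```ruby
# Added example, not code from openstreetmap-website or Potlatch 3: a toy
# model of the flow in the issue. The server keeps sessions keyed by a session
# cookie; the "authorize" page trusts that cookie; the editor keeps an OAuth
# token and, separately, the system cookie jar. All names and lifetimes are
# assumptions.

SESSION_TTL     = 60 * 60              # plain login: one hour (assumed)
REMEMBER_ME_TTL = 30 * 24 * 60 * 60    # "Remember me": thirty days (assumed)
ONE_DAY         = 24 * 60 * 60

class OsmServer
  def initialize
    @sessions = {}   # session cookie => { user:, expires_at: }
    @counter  = 0
  end

  # Logging in issues a session cookie. "Remember me" changes nothing but the
  # cookie's lifetime, which is the first reply's point.
  def login(user, remember_me:, now:)
    ttl = remember_me ? REMEMBER_ME_TTL : SESSION_TTL
    cookie = "sid-#{@counter += 1}"
    @sessions[cookie] = { user: user, expires_at: now + ttl }
    cookie
  end

  # The OAuth authorize step. A live session means the login page is skipped
  # and the user lands on "Authorize access to your account" as that user.
  def authorize(cookie, now:)
    session = @sessions[cookie]
    if session && session[:expires_at] > now
      { page: :authorize_access, user: session[:user] }
    else
      { page: :login }
    end
  end

  # Ending the session server-side is what actually forgets the user.
  def logout(cookie)
    @sessions.delete(cookie)
  end
end

class EditorClient
  attr_reader :oauth_token, :cookie

  def initialize
    @oauth_token = nil   # access token/secret kept by the editor
    @cookie      = nil   # session cookie living in the system cookie store
  end

  def complete_auth(cookie, token)
    @cookie = cookie
    @oauth_token = token
  end

  # What the issue describes for "Log out": drop the token, leave the cookie.
  def forget_token
    @oauth_token = nil
  end
end

# Runs the flow and returns the page the user sees on the next save.
#   remember_me:        whether the box was ticked at first login
#   end_server_session: whether "Log out" also ends the osm.org session
#   next_save_after:    seconds between first login and the next save
def next_save_page(remember_me:, end_server_session:, next_save_after:)
  t0 = Time.utc(2013, 1, 1)
  server = OsmServer.new
  client = EditorClient.new

  cookie = server.login("Richard", remember_me: remember_me, now: t0)
  client.complete_auth(cookie, "token-for-richard")

  client.forget_token                      # "Log out" in the editor prefs
  server.logout(client.cookie) if end_server_session

  server.authorize(client.cookie, now: t0 + next_save_after)
end

if $PROGRAM_NAME == __FILE__
  p next_save_page(remember_me: true,  end_server_session: false, next_save_after: ONE_DAY)
  p next_save_page(remember_me: false, end_server_session: false, next_save_after: ONE_DAY)
  p next_save_page(remember_me: false, end_server_session: false, next_save_after: 60)
  p next_save_page(remember_me: true,  end_server_session: true,  next_save_after: ONE_DAY)
end
```

The first call reproduces the issue: a day later the "remember me" session is still live, so authorize goes straight to the access page for Richard even though the editor holds no token. The third call shows the reply's point: a minute after a plain login the same thing happens without "remember me". Only ending the osm.org session (last call) makes the next authorize ask for a login.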

Is this still relevant now that P3 has moved to OAuth 2? (Sorry, can’t try this out atm)