serlo/local-dev-env

kratos: test all scenarios with SSO and document them

Closed this issue · 3 comments

SSO has to be fully tested, that means:
A. Happy paths

  1. New user clicks login with SSO and gets an account
  2. Existing SSO user clicks login with SSO and gets logged in

B. Sad paths

  1. User registers but has a missing attribute (v.g. change jsonnet mapper to only accept claims.email if email exists and try to register user without email). (It is expected that user is prompted to fill the missing fields. After that it should work.)
  2. User unique identifier already exists in serlo (v.g. email is already registered at serlo.org and try to register again with same email)
  3. SSO user tries to login with password now

Please document the results here.
Also add other scenarios and unexpected behaviors.

A.1. New user [for Serlo] clicks login with SSO and gets a [Serlo] account
-> Works as expected, except the user does not get a profile because the hook to the database layer is not working.
A.2. Existing SSO user clicks login with SSO and gets logged in
-> Works as expected.

B.1 User registers but has a missing attribute (v.g. change jsonnet mapper to only accept claims.email if email exists and try to register user without email). (It is expected that user is prompted to fill the missing fields. After that it should work.)
->

{
  "id": "998a4a71-9d65-405d-8470-fb4ddc5b27ca",
  "error": {
    "code": 500,
    "status": "Internal Server Error",
    "message": "Error: failed to evaluate snippet: RUNTIME ERROR: Field does not exist: email\n\tfile:///etc/config/kratos/data_mapper.jsonnet:28:14-26\tobject <anonymous>\n\tField \"email\"\t\n\tField \"traits\"\t\n\tField \"identity\"\t\n\tDuring manifestation\t\n\nUsage:\n  kratos jsonnet [flags]\n\nFlags:\n  -h, --help   help for jsonnet\n\nfailed to evaluate snippet: RUNTIME ERROR: Field does not exist: email\n\tfile:///etc/config/kratos/data_mapper.jsonnet:28:14-26\tobject <anonymous>\n\tField \"email\"\t\n\tField \"traits\"\t\n\tField \"identity\"\t\n\tDuring manifestation\t\n\n: exit status 1"
  },
  "created_at": "2023-03-28T00:14:50.65718Z",
  "updated_at": "2023-03-28T00:14:50.65718Z"
}

B.2. User unique identifier already exists in serlo (v.g. email is already registered at serlo.org and try to register again with same email)
-> user is forwarded to the normal sign-up page with the message 'Ein Account mit der selben E-Mailadresse oder dem selben Benutzernamen existiert schon.' being displayed

B.3. SSO user tries to login directly on Serlo with password now
-> 'Der Benutzername, die E-Mail-Adresse oder das Passwort stimmen so nicht. Bitte überprüfe deine Eingabe.'

B.4. username contains an invalid character like '/' or '.'
-> user is forwarded to the normal sign-up page with the message 'does not match pattern "^[\w\-]+$"' being displayed under the username field.

B1 is quite frustrating and we should work on it.
I consider it very probable that not all users are going to consent to give their email address.

"Error: failed to evaluate snippet: RUNTIME ERROR: Field does not exist: email\n\tfile:///etc/config/kratos/data_mapper.jsonnet:28:14-26

This error message makes me suppose you changed the mapper to the following line
[if 'email' in claims then 'email' else null]: claims.email,

Please try something like the following:
email: if 'email' in claims then claims.email else "",

If such a change leads to the redirect to the registration form, as expected, it is a much better result. You can commit it and push directly into main.
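A guarded Kratos OIDC data mapper along the lines the comment above suggests, as an added example that is not part of this thread or of the serlo/local-dev-env repo; the claim names email, email_verified and preferred_username are assumed to be what the SSO provider issues:

```jsonnet
// Added example (not the mapper from the serlo/local-dev-env repo): a guarded
// data_mapper.jsonnet. Kratos exposes the provider's claims via std.extVar.
// Assumed claim names (email, email_verified, preferred_username) are the OIDC
// standard ones; the SSO provider may use others.
local claims = std.extVar('claims');

// Short-circuit guards: a missing claim must never be dereferenced, otherwise
// the mapper fails at runtime with "Field does not exist" (scenario B.1).
local hasEmail = 'email' in claims;
// Only trust an address the provider marks as verified: email is the unique
// identifier that B.2 collides on, so an unverified value should not be mapped.
local emailVerified = hasEmail
  && 'email_verified' in claims
  && claims.email_verified == true;

// Serlo accepts usernames matching ^[\w\-]+$ (scenario B.4). Jsonnet has no
// regex here, so check the characters directly and omit the trait if they
// do not fit, leaving the user to pick a valid name on the registration form.
local allowed = std.stringChars(
  'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789_-');
local rawUsername =
  if 'preferred_username' in claims then claims.preferred_username else '';
local usernameOk =
  std.length(rawUsername) > 0
  && std.length([c for c in std.stringChars(rawUsername)
                 if !std.member(allowed, c)]) == 0;

{
  identity: {
    traits: {
      // A null computed field name drops the field entirely, so Kratos sees a
      // missing trait and sends the user to the registration form to complete
      // it (as described later in this thread), instead of returning a 500.
      [if emailVerified then 'email' else null]: claims.email,
      [if usernameOk then 'username' else null]: rawUsername,
    },
  },
}
```

The guard on email_verified fails closed: a claim that is absent, or present but not the boolean true, leaves the email trait unset rather than mapping an unverified address.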

Changes about email are not necessary anymore, since we got new info from stakeholder.

By the way, if we omit any necessary field, such as email or username, in data_mapper.jsonnet, we are redirected to the registration form to complete the data.

Thanks!