IdentityServer / IdentityServer3

OpenID Connect Provider and OAuth 2.0 Authorization Server Framework for ASP.NET 4.x/Katana
https://identityserver.github.io/Documentation/
Apache License 2.0

Why not just render the login page in the first login request? #3902

Closed Farwell-Liu closed 6 years ago

Farwell-Liu commented 7 years ago

I have used identityserver3 for more than 2 years. Because I have come across several problems with redirecting the first login request, I asked a question about 2 years ago here: issues/3006. I list the possible problem scenarios below:

  1. Many users like to add the web application site url to their favorites. However, in fact they just saved "http://login.mysite.com/core/login?signin=3f01171050d21f03dd612e5180d89ab1". There is no problem logging in the first time. But when they use the url to log in again, idsrv3 will throw an exception. issues/2392
  2. User A asks User B for the CMS system url, and then User A accesses http://cms.mysite.com and the browser redirects to "http://login.mysite.com/core/login?signin=3f01171050d21f03dd612e5180d89ab1". At last, User A copies this url and sends it to User B. When User B logs in with this url, it will fail.
  3. For some reason, like forgetting something, the user will open the login page twice in different tabs. When he returns to the first tab to log in, it will fail. issues/2695
  4. A user opens a login page but does not log in immediately. After one hour, he may fail to log in, because the user may use some security software that clears his cookies and browsing history within that hour.
  5. When we did performance testing, we found that since the first login request needs to access the database (or cache) and needs to redirect to a second page, the performance is always much lower than rendering the login page in the first request.

And there may be some other scenarios that I cannot remember now. Even if these scenarios happen only 0.1% of the time, the login system gives users an unstable impression. According to what leastprivilege said in issues/3006, I think if it is just because of the technical reason of separation of concerns, why not just render the login page in the first login request? Then we will never encounter the problems above.

brockallen commented 7 years ago

Many users like to add the web application site url to their favorites

That still would not work because of the nonce in the OIDC protocol.
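As an added illustration of the nonce point above and of scenarios 1 and 3 from the opening post (this is constructed example code, not code from the issue or from IdentityServer3): a simplified Python model in which the authorize endpoint stores the validated request and redirects to /core/login?signin=<id>, and the relying party checks state and nonce against its own session. The class names, the in-memory dicts and the one-shot consumption of the stored request are assumptions of the model.

```python
import secrets
# Constructed model (not IdentityServer3 code): dicts stand in for the relying
# party's session, the provider's signin-message store and the issued id_token.
class RelyingParty:
    def __init__(self):
        self.session = {}
    def authorize_request(self):
        # Fresh state and nonce per sign-in attempt, remembered in this browser session.
        self.session = {"state": secrets.token_urlsafe(16), "nonce": secrets.token_urlsafe(16)}
        return {"client_id": "cms", "redirect_uri": "http://cms.mysite.com/cb", **self.session}
    def accept(self, id_token, state):
        # state and nonce bind the response to the session that started the request.
        return state == self.session["state"] and id_token["nonce"] == self.session["nonce"]

class Provider:
    def __init__(self):
        self.signin_messages = {}
    def authorize(self, req):
        # Validate and persist the request, then redirect to /core/login?signin=<id>.
        signin_id = secrets.token_hex(16)
        self.signin_messages[signin_id] = req
        return signin_id
    def login(self, signin_id, user):
        req = self.signin_messages.pop(signin_id, None)  # consumed once (assumption)
        if req is None:
            raise ValueError("unknown or already used signin id")
        return {"sub": user, "nonce": req["nonce"]}, req["state"]

def normal_login():
    rp, op = RelyingParty(), Provider()
    signin_id = op.authorize(rp.authorize_request())
    return rp.accept(*op.login(signin_id, "alice"))

def reuse_bookmarked_login_url():
    # Scenario 1: the saved /core/login?signin=... URL is opened a second time.
    rp, op = RelyingParty(), Provider()
    signin_id = op.authorize(rp.authorize_request())
    op.login(signin_id, "alice")
    try:
        op.login(signin_id, "alice")
        return "accepted"
    except ValueError:
        return "rejected"

def login_with_stale_request():
    # Scenario 3: user starts over in a new tab; the old request's nonce no longer matches.
    rp, op = RelyingParty(), Provider()
    signin_id = op.authorize(rp.authorize_request())
    rp.authorize_request()
    return rp.accept(*op.login(signin_id, "alice"))
```

Even if the provider re-rendered the login page for a stale signin id, the last case shows the relying party would still reject the response, because the nonce it remembers belongs to the newer request.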

Farwell-Liu commented 7 years ago

I haven't read the OIDC protocol and I don't know too much about OIDC. But I found that some OAuth providers just render the login page in the first login request, for example the Chinese Tencent QQ OAuth service. Don't they conform to the OAuth protocol strictly? Or is it possible that idsrv3 doesn't conform to the protocol strictly?

The OAuth service of QQ renders the login page in the first login request, and it seems that I can add this url to my favorites. https://graph.qq.com/oauth2.0/show?which=Login&display=pc&client_id=123456&scope=wl.basic&response_type=code&redirect_uri=http%3A%2F%2Flogin.mysite.com%2Fcore%2FQQLoginCallback&state=XwRj6I8fgcpeRhk-f5wWVr1vjHTyoKJHLpk1UBRvt1yzE4ADdq_Ri52GZoUBqA5hVRnObsh8d22hBGeyhRjvi68IjgCZ3OdBnJdjrXgxtf8-UG6S4bp_5-IoUmadfcLMDV7i__8uOasKBkSGR3VYYm2yO-hn_BSbKAtPqPWA4cfLEO58J8h5vCOKaD8SWlUMLO_maDA6OhY8krers78OnC0VH1ZvyW7pmTOIgXtWyCYYKhLte1H5ObZIOeaQz7nWG4JDlNxDsereTEbDSg-Sjs_cSeja5CnYyA-D2l1h