TheThingsNetwork / lorawan-stack

The Things Stack, an Open Source LoRaWAN Network Server
https://www.thethingsindustries.com/stack/
Apache License 2.0

Cancelling The Things ID login leads to "Forbidden" error #4564

Closed nejraselimovic closed 2 years ago

nejraselimovic commented 3 years ago

Summary

Cancelling login via The Things ID leads to "Forbidden" error

What do you see now?

[screenshot 1]

If you click Cancel, you get: [screenshot 2]

What do you want to see instead?

Instead of this error, a user should probably be redirected to the login page

Environment

TTS Community Edition

Can you do this yourself and submit a Pull Request?

@kschiffer?

kschiffer commented 3 years ago

So I've spent some time looking into other services that use OpenID Connect (our auth flow in TTID) and from what I can see, Google, Facebook, and Apple do not even provide a cancel option when using their services to log in. This makes me wonder if we even need such functionality when the user can just as well use the browser's back button.

Technically, the only difference I would see is that the state cookie would remain stored but I don't believe this is problematic, since every newly initiated login would invalidate the cookie anyway.

UX-wise I don't believe removing the cancel button would be problematic in any way.

kschiffer commented 3 years ago

I'd like to open this up for discussion. @htdvisser @bafonins @NicolasMrad

NicolasMrad commented 3 years ago

I just visited random websites to check the log-in process and none of them have a cancel button, so in my opinion users pressing or going back is sufficient without having a cancel button.

htdvisser commented 3 years ago

I don't think a cancel button makes sense when a user actively tries to log in. However, if a user gets automatically redirected to TTID, I think the UI should show them that they have a choice between continuing and cancelling. Especially if pressing "back" simply redirects them to the login page again, I think it's better to explicitly tell the OAuth client "no".

kschiffer commented 3 years ago

What should happen then, upon clicking cancel?

kschiffer commented 3 years ago

See also https://discuss.thethingsindustries.com/t/ttsce-and-ttid-login-ux/655

htdvisser commented 3 years ago

Conclusion after discussion: we just need to catch the error, show a nicer message and a button to the solution (go to login page)
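One way to implement the conclusion above (catch the error the provider sends back when the user declines, show a plain message and a link to the login page instead of a "Forbidden" page), together with the state-cookie point raised earlier in the thread (each newly started login overwrites the cookie, and the callback consumes it). This is an added Go example, not code from lorawan-stack or The Things ID; the cookie name `oauth_state`, the `/login` and `/oauth/callback` paths and the `authorizeURL` placeholder are assumptions, and the client_id/redirect_uri parameters of a real authorization request are left out. The `error=access_denied` value is the one RFC 6749 section 4.1.2.1 defines for a declined authorization request.

```go
package main

import (
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"html"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// stateCookieName is an assumed cookie name for this example, not the project's.
const stateCookieName = "oauth_state"

// Outcome classifies what the callback handler decided, so the decision can be unit-tested.
type Outcome int

const (
	OutcomeSuccess       Outcome = iota // provider returned an authorization code
	OutcomeCancelled                    // user declined at the provider (error=access_denied)
	OutcomeStateMismatch                // state parameter absent or not matching the cookie
	OutcomeProviderError                // any other error code from the provider
)

// newState returns 128 bits of random hex; every login start overwrites the previous cookie.
func newState() (string, error) {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return hex.EncodeToString(b), nil
}

// StartLogin issues a fresh state cookie and redirects to the provider's authorization
// endpoint. authorizeURL is a placeholder; a real request also carries client_id and redirect_uri.
func StartLogin(authorizeURL string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		state, err := newState()
		if err != nil {
			http.Error(w, "internal error", http.StatusInternalServerError)
			return
		}
		http.SetCookie(w, &http.Cookie{
			Name: stateCookieName, Value: state, Path: "/",
			HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode,
		})
		q := url.Values{"response_type": {"code"}, "state": {state}}
		http.Redirect(w, r, authorizeURL+"?"+q.Encode(), http.StatusFound)
	}
}

// ClassifyCallback applies RFC 6749 section 4.1.2.1: the state must match the cookie, and an
// `error` parameter means no code was issued. A user cancelling at the provider arrives as
// error=access_denied, which is a normal outcome rather than a Forbidden.
func ClassifyCallback(q url.Values, cookieState string) Outcome {
	if cookieState == "" || q.Get("state") != cookieState {
		return OutcomeStateMismatch
	}
	switch q.Get("error") {
	case "":
		return OutcomeSuccess
	case "access_denied":
		return OutcomeCancelled
	default:
		return OutcomeProviderError
	}
}

// Callback handles the redirect back from the provider. On cancel it renders a short
// message and a link to the login page (loginPath is assumed to be "/login").
func Callback(loginPath string) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		var cookieState string
		if c, err := r.Cookie(stateCookieName); err == nil {
			cookieState = c.Value
		}
		// The state cookie is single-use: clear it whatever the outcome.
		http.SetCookie(w, &http.Cookie{Name: stateCookieName, Value: "", Path: "/", MaxAge: -1})
		q := r.URL.Query()
		switch ClassifyCallback(q, cookieState) {
		case OutcomeSuccess:
			fmt.Fprint(w, "code received; exchange it for tokens here")
		case OutcomeCancelled:
			fmt.Fprintf(w, `<p>Login was cancelled.</p><p><a href="%s">Go to login page</a></p>`,
				html.EscapeString(loginPath))
		case OutcomeStateMismatch:
			http.Error(w, "login state is missing or stale; please start again", http.StatusBadRequest)
		default:
			http.Error(w, "login failed: "+html.EscapeString(q.Get("error")), http.StatusBadGateway)
		}
	}
}

// SimulateCancel replays a constructed cancelled-login callback (state "abc" in both the query
// and the cookie) against Callback and returns the HTTP status and body it produced.
func SimulateCancel() (int, string) {
	req := httptest.NewRequest(http.MethodGet, "/oauth/callback?error=access_denied&state=abc", nil)
	req.AddCookie(&http.Cookie{Name: stateCookieName, Value: "abc"})
	rec := httptest.NewRecorder()
	Callback("/login")(rec, req)
	return rec.Code, rec.Body.String()
}

func main() {
	status, body := SimulateCancel()
	fmt.Println(status, body)
}
```

The state check runs before the error check on purpose: a callback whose state does not match the cookie is rejected even when it only reports a cancellation, so a forged "cancelled" redirect cannot be used to show a message to a user who never started a login.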