WeblateOrg / weblate

Web based localization tool with tight version control integration.
https://weblate.org/
GNU General Public License v3.0
4.37k stars 977 forks

Cannot stay logged out when only sign in provider is a single SSO #10159

Open andrew-mantha-rcgt opened 9 months ago

andrew-mantha-rcgt commented 9 months ago

Describe the issue

When there is no anonymous access and the only sign in provider is a single SSO, Weblate helpfully redirects users to the SSO Login Portal. Assuming their SSO Login creds are still cached, the login will succeed and the user is redirected back to Weblate.

This is helpful when opening the first page, but not helpful when a user attempts to log out. They cannot easily end the session, as the logout page will redirect the user back into the SSO provider, which will log them back in.

I already tried

Steps to reproduce the behavior

  1. Configure a single SSO Provider and disable the email login provider.
  2. Log in via the SSO Provider.
  3. Click the Log Out button.
  4. User is automatically redirected back into their SSO Login Provider. If the SSO Provider has a cached login, they will be fully logged back in to Weblate.

Expected behavior

User lands on a page that tells them they've successfully logged out. They are not automatically logged back in.

This allows a user to specifically end their session and reduce exposure to things like session hijacking attacks.

Screenshots

No response

Exception traceback

No response

How do you run Weblate?

Docker container

Weblate versions

Weblate deploy checks

SystemCheckError: System check identified some issues:

CRITICALS:
?: (weblate.E003) Cannot send e-mail ([Errno 99] Cannot assign requested address), please check EMAIL_* settings.
    HINT: https://docs.weblate.org/en/weblate-5.0.2/admin/install.html#out-mail

INFOS:
?: (weblate.I021) Error collection is not set up, it is highly recommended for production use
    HINT: https://docs.weblate.org/en/weblate-5.0.2/admin/install.html#collecting-errors
?: (weblate.I028) Backups are not configured, it is highly recommended for production use
    HINT: https://docs.weblate.org/en/weblate-5.0.2/admin/backup.html

System check identified 3 issues (1 silenced).

Additional context

No response
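
The flow reported above, modelled as a small redirect simulation. This is an added example, not code from the issue or from Weblate; the page names (`logout`, `login`, `idp`, `home`, `logged_out`) and the `landing_after_logout` switch are hypothetical.

```python
# Model of the logout flow in this issue. Not Weblate code; all names are hypothetical.
from dataclasses import dataclass, field


@dataclass
class Browser:
    app_session: bool = True   # logged in to the application
    idp_session: bool = True   # SSO provider still has a cached login
    trail: list = field(default_factory=list)


def step(b, page, providers, landing_after_logout):
    """Return the page the browser is sent to next, or None when one is rendered."""
    if page == "logout":
        b.app_session = False
        return "logged_out" if landing_after_logout else "login"
    if page == "login":
        # A sole provider means the login form is skipped.
        return "idp" if len(providers) == 1 else None
    if page == "idp":
        if b.idp_session:
            b.app_session = True   # silent sign-in, no credential prompt
            return "home"
        return None                # provider shows its own login prompt
    if page == "home":
        return None if b.app_session else "login"   # no anonymous access
    return None                    # "logged_out": static confirmation page


def click_logout(providers, landing_after_logout, idp_session=True):
    """Start logged in, click Log Out, and follow redirects until a page renders."""
    b = Browser(idp_session=idp_session)
    page = "logout"
    while page is not None:
        b.trail.append(page)
        page = step(b, page, providers, landing_after_logout)
    return b


if __name__ == "__main__":
    cases = {
        "reported": click_logout(["sso"], landing_after_logout=False),
        "expected": click_logout(["sso"], landing_after_logout=True),
        "no cached SSO login": click_logout(["sso"], False, idp_session=False),
    }
    for name, b in cases.items():
        print(f"{name}: {' -> '.join(b.trail)} | app session: {b.app_session}")
```

In the "expected" case the model leaves the provider's cached login untouched; only the automatic re-entry into the application is removed.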

github-actions[bot] commented 9 months ago

This issue has been added to the backlog. It is not scheduled on the Weblate roadmap, but it eventually might be implemented.

In case you need this feature soon, please consider helping or push it by funding the development.