getsentry / sentry

Developer-first error tracking and performance monitoring
https://sentry.io

SSO misconfiguration - wrong redirection after successful login with root credentials #41601

Open headincl0ud opened 1 year ago

headincl0ud commented 1 year ago

Environment

SaaS (https://sentry.io/)

Version

Latest

Steps to Reproduce

  1. Create a personal account
  2. Create an organization
  3. Configure SSO for the organization, e.g. Google SSO
  4. Remove or lose the SSO configuration (e.g. remove the SSO configuration from your GCP account / AWS Cognito)
  5. Log in to your account with your root credentials.
  6. XYZ (organization) requires signing in with Google.

Expected Result

The user should be able to access the root account and be able to remove the impacted organization from their own account.

Actual Result

After a successful login with credentials (user/password), Sentry.io redirects to auth/login/XYZ/?next=%2Forganizations%2FXYZ%2Fissues%2F .

It is a misconfiguration and chicken-and-egg issue. After removing the SSO configuration in AWS / GCP, you cannot log in to your account because of the redirection. The same issue can happen in the case of changing employers. After leaving, you typically can't access your corporate email, which results in blocked access to the root account.

image

NOTE: It is my own organization, created and destroyed during a Terraform destroy process. I can't access the account, and I can't use the previous configuration/state.

getsentry-release commented 1 year ago

Routing to @getsentry/ecosystem for triage. ⏲️

getsentry-release commented 1 year ago

Routing to @getsentry/enterprise for triage. ⏲️

leedongwei commented 1 year ago

@headincl0ud Can you email support@sentry.io with a link to this GitHub issue and include your organization slug or user email? With that information, I can unblock the bad state on your user account.

We're looking into improving the UX of our login flow, so this is valuable feedback.

headincl0ud commented 1 year ago

> @headincl0ud Can you email support@sentry.io with a link to this GitHub issue and include your organization slug or user email? With that information, I can unblock the bad state on your user account.
>
> We're looking into improving the UX of our login flow, so this is valuable feedback.

@leedongwei done!

leedongwei commented 1 year ago

I think there are 2 possible solutions for this scenario:

  1. have a "test" function to validate new SSO configurations
  2. allow organization owners to log into Sentry with email + password, even if Require SSO is turned on for the entire organization.

This would let folks identify bad configs before they are saved, and/or rescue themselves from a bad config without waiting for Sentry support to unblock them. The team is planning to improve our auth experience next year, we'll put this on the list of user pain-points to address.
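The two proposals above, modelled as an added example; this is editorial illustration, not Sentry's code, and every name in it (`Org`, `User`, `route_after_password_login`, `validate_sso_config`, `save_sso_config`, the `probe` callable, the `/settings/<slug>/auth/` rescue destination) is hypothetical. The only element taken from the thread is the redirect target the reporter observed, `/auth/login/<slug>/?next=<path>`. `route_after_password_login` reproduces the lock-out when an org has Require SSO on and the user's SSO identity is gone, then carves out the owner rescue path (proposal 2) and records it in an audit list; `validate_sso_config` is the dry-run check (proposal 1), with identity-provider reachability injected as a callable so the example runs offline.

```python
"""Post-login routing with an owner rescue path, plus a dry-run SSO config check.

Added example, not Sentry's code. All names below are hypothetical.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set
from urllib.parse import quote


@dataclass
class SSOConfig:
    provider: str          # e.g. "google" or "saml" (hypothetical provider keys)
    settings: Dict[str, str]


@dataclass
class Org:
    slug: str
    require_sso: bool = False
    sso: Optional[SSOConfig] = None
    owners: Set[str] = field(default_factory=set)   # owner e-mail addresses


@dataclass
class User:
    email: str
    # slugs of orgs for which this user still holds a working SSO-backed identity
    sso_identities: Set[str] = field(default_factory=set)


def sso_login_url(org: Org, next_path: str) -> str:
    """The redirect the reporter hit: /auth/login/<slug>/?next=<urlencoded path>."""
    return f"/auth/login/{org.slug}/?next={quote(next_path, safe='')}"


def route_after_password_login(user: User, org: Org, next_path: str,
                               audit: List[str]) -> str:
    """Decide where a user goes after authenticating with e-mail + password.

    Without the owner exemption, a user whose only identity for the org was
    the (now destroyed) SSO identity is bounced to the SSO page indefinitely.
    """
    if not org.require_sso or org.slug in user.sso_identities:
        return next_path
    if user.email in org.owners:
        # Proposal 2: owners get in with password so they can repair or remove
        # the SSO config. The bypass is written to the audit trail so it is visible.
        audit.append(f"sso-bypass owner={user.email} org={org.slug}")
        return f"/settings/{org.slug}/auth/"
    return sso_login_url(org, next_path)


# Hypothetical per-provider required settings used by the dry-run check.
REQUIRED_KEYS: Dict[str, Set[str]] = {
    "google": {"domain"},
    "saml": {"idp_entity_id", "sso_url", "x509_cert"},
}


def validate_sso_config(cfg: SSOConfig,
                        probe: Callable[[SSOConfig], bool]) -> List[str]:
    """Proposal 1: validate a config before it is saved. Returns problems found.

    `probe(cfg)` stands in for a test login against the identity provider; it
    is injected so this runs offline. A removed GCP / Cognito config would fail it.
    """
    problems: List[str] = []
    if cfg.provider not in REQUIRED_KEYS:
        problems.append(f"unknown provider {cfg.provider!r}")
    for key in sorted(REQUIRED_KEYS.get(cfg.provider, set()) - cfg.settings.keys()):
        problems.append(f"missing {key}")
    if not problems and not probe(cfg):
        problems.append("identity provider did not answer the test login")
    return problems


def save_sso_config(org: Org, cfg: SSOConfig,
                    probe: Callable[[SSOConfig], bool]) -> bool:
    """Turn Require SSO on only after the config passed the dry-run check."""
    if validate_sso_config(cfg, probe):
        return False
    org.sso, org.require_sso = cfg, True
    return True


if __name__ == "__main__":
    # Constructed scenario mirroring the report: owner's IdP config is gone.
    trail: List[str] = []
    xyz = Org(slug="xyz", require_sso=True, owners={"owner@example.com"})
    owner = User(email="owner@example.com")          # SSO identity destroyed
    member = User(email="member@example.com")
    print(route_after_password_login(owner, xyz, "/organizations/xyz/issues/", trail))
    print(route_after_password_login(member, xyz, "/organizations/xyz/issues/", trail))
    print(trail)
```

Design note on the rescue path: letting owners through on password alone widens the attack surface for exactly the most privileged accounts, so a real implementation would gate that branch behind the account's second factor and alert on the audit record rather than only storing it; that is a choice made in this example, not something the thread specifies.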