mozilla-iam / auth0-custom-lock

Front-end for the newly refreshed auth0 “Lock” interface: the New Login Experience (NLX)
Mozilla Public License 2.0

Autologin works second time after enabling it #148

Open viorelaioia-zz opened 6 years ago

viorelaioia-zz commented 6 years ago

STR:

  1. Navigate to sso.allizom.org
  2. Verify Auto-login is disabled
  3. Log in with LDAP
  4. Click user avatar and select “Enable / Disable Auto-login” menu item
  5. Enable the auto-login
  6. Navigate to mozillians staging
  7. Click Login button

Expected: Verify user is auto-logged in

Actual: User is not auto-logged in. If trying to log in to another RP after I enter credentials and log in to mozillians staging, auto-login works as expected. So auto-login doesn't work the first time after enabling it, only the second time.

I'm not sure if this behavior can be changed, but maybe we can add a note for the users about this.

viorelaioia-zz commented 6 years ago

CC @hidde , @m-branson

mbransn commented 6 years ago

Thanks for flagging this @viorelaioia ... preference is that it work as expected, rather than providing a note to the users. @hidde is there a reason why this isn't working after initial enable?

hidde commented 6 years ago

Yes! The reason for it is that we're not saving people's login method when they have auto-login turned off. So when they turn it on, they don't have a saved login method yet.

Two scenarios I could build:

What do you both think is best?

mbransn commented 6 years ago
  • We always save the user's last login method, even with auto-login turned off. Whenever a user turns it back on, they'll have a method to be auto-logged in with.
    • Benefit: it works immediately after turning it on
    • Downside: user might not expect the method they last used to become their auto-login method, they have no choice

To clarify this case, there are two flows I can think of:

In both cases I believe this is the best way to move forward; e.g. using the last login method. Thoughts both? cc @gene1wood because we've been diving deep into multi-identities today. :)

hidde commented 6 years ago

Thanks and agreed — I'll go and save last input method so that users can make use of their new preference straight away.

gene1wood commented 6 years ago

I think we should be doing option 1 as long as the recorded login method is the login method the user used most recently (not the last one used before auto-login was disabled).
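
The following is an added example, not part of the thread and not code from auth0-custom-lock. It contrasts saving the login method only while auto-login is on with always saving the most recent method. The storage keys, function names and the `github` method are hypothetical, and an in-memory object stands in for browser storage.

```javascript
// Hypothetical storage keys, not taken from the project.
const KEY_AUTOLOGIN = 'nlx-autologin-enabled';
const KEY_LAST_METHOD = 'nlx-last-login-method';

// Minimal stand-in for window.localStorage so the example runs offline.
function createMemoryStorage() {
  const data = new Map();
  return {
    getItem: (k) => (data.has(k) ? data.get(k) : null),
    setItem: (k, v) => { data.set(k, String(v)); },
  };
}

function setAutologin(storage, enabled) {
  storage.setItem(KEY_AUTOLOGIN, enabled ? 'true' : 'false');
}

// Behaviour described in the thread: method saved only while auto-login is on.
function recordLoginOld(storage, method) {
  if (storage.getItem(KEY_AUTOLOGIN) === 'true') {
    storage.setItem(KEY_LAST_METHOD, method);
  }
}

// Agreed change: always save the most recently used method.
function recordLoginNew(storage, method) {
  storage.setItem(KEY_LAST_METHOD, method);
}

// Method to auto-login with, or null if the user has to pick one.
function autologinMethod(storage) {
  if (storage.getItem(KEY_AUTOLOGIN) !== 'true') return null;
  return storage.getItem(KEY_LAST_METHOD);
}

// Replays a list of ['autologin', bool] / ['login', method] events.
function replay(recordLogin, events) {
  const storage = createMemoryStorage();
  for (const [type, value] of events) {
    if (type === 'autologin') setAutologin(storage, value);
    else recordLogin(storage, value);
  }
  return autologinMethod(storage);
}

// Constructed sample: the issue's steps (log in with auto-login off, then enable it).
const ISSUE_STEPS = [['autologin', false], ['login', 'ldap'], ['autologin', true]];
// Constructed sample: the method changes while auto-login is off.
const STALE_STEPS = [['autologin', true], ['login', 'github'], ['autologin', false],
  ['login', 'ldap'], ['autologin', true]];
```

With `STALE_STEPS`, the old recording returns the method used before auto-login was disabled, which is the case the last comment asks to avoid.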