umbraco / Umbraco-CMS

Umbraco is a free and open source .NET content management system helping you deliver delightful digital experiences.
https://umbraco.com
MIT License

V14-RC3 - Navigation back to /umbraco/login lets me login twice but results in logout #16231

Open nikcio opened 6 months ago

nikcio commented 6 months ago

Which Umbraco version are you using? (Please write the exact version, example: 10.1.0)

14.0.0-rc3

Bug summary

If you login to Umbraco but then navigate back to the login page at /umbraco/login you are prompted to login again but in doing so you are signed out 🤔

Then after logging in again the session is recovered.

https://github.com/umbraco/Umbraco-CMS/assets/24605285/d8a44954-264b-4960-ab2b-eb0ceb221d11

Also this screen flashes at login.

I can see that this is shown as a dialog window elsewhere.

Specifics

No response

Steps to reproduce

  1. Create a clean Umbraco install
  2. Login with a user
  3. Navigate to /umbraco/login
  4. Login again

Expected result / actual result

I would expect that if a user navigates to the login page after being signed in they would be redirected to the backoffice or any other redirect URL present in the request URI.

github-actions[bot] commented 6 months ago

Hi there @nikcio!

Firstly, a big thank you for raising this issue. Every piece of feedback we receive helps us to make Umbraco better.

We really appreciate your patience while we wait for our team to have a look at this but we wanted to let you know that we see this and share with you the plan for what comes next.

We wish we could work with everyone directly and assess your issue immediately but we're in the fortunate position of having lots of contributions to work with and only a few humans who are able to do it. We are making progress though and in the meantime, we will keep you in the loop and let you know when we have any questions.

Thanks, from your friendly Umbraco GitHub bot :robot: :slightly_smiling_face:

andr317c commented 6 months ago

Hey!

Thanks a lot for reporting this issue! I was able to reproduce it 😄

iOvergaard commented 6 months ago

Hi @nikcio

Thanks for reporting this. I appreciate the thought behind remembering if you are logged in:

I would expect that if a user navigates to the login page after being signed in they would be redirected to the backoffice or any other redirect URL present in the request URI.

However, the "backend" only knows you are logged in if we set a cookie, and for other reasons, this cookie is very short-lived (30 seconds by default). Therefore, if you navigate back to the login screen, we most likely don't know that you are logged in unless you do it right after logging in.

You can always go to /umbraco/login and log in (that was also available in V13); however, if the client doesn't know that you intend to log in (which requires a state in the local storage of the client to be set), you will end up logging in twice, because the first time sends you to the client, which then sets its state and sends you back to the login page (this time with a state). The login page now acts as an OpenID provider with PKCE enabled, so certain things need to be fulfilled on the client as well as the server. This is the equivalent of going to something like "accounts.google.com/signin" and expecting it to know which app to send you back to after logging in.

That being said, we should be able to detect on the login screen if there is an active "auth state" and thereby potentially inform you whether your visit is allowed or not. I will bring this up with the team to discuss.

nikcio commented 6 months ago

Hey,

I think I follow your description. But shouldn't it be possible on the backend to detect if a user is logged in when they hit /Umbraco/login, and already there be able to redirect to the backoffice if their auth session is valid? You must be doing something along the same lines to do the opposite (redirect to the login page) when going directly to /Umbraco without being logged in?

iOvergaard commented 6 months ago

Yes, but we have to account for the two pages being on two separate domains, so we don't have access to read the local storage (where we store the session/token) on the login screen.

We need to make the experience better, that is for sure. There should be another way to detect this.