
Fix form/anonymous authentication when SSO is enabled

Axel Bocciarelli requested to merge fix-auth into master

I've just noticed a problem:

  1. Make sure you're logged out of SSO.
  2. Sign in as anonymous.
  3. Refresh the page.
  4. You get logged out and redirected to the /login page.

This is because matchAuthStateToSSO detects that you're logged in to ICAT but logged out of SSO, so it thinks you need to be logged out of ICAT.

if (!keycloak.authenticated && sessionId) {
  store.dispatch(doLogOut());
}

You need to be logged out only if your session was created via SSO; if you logged in as anonymous or via a login form, your SSO login status is irrelevant.

Knowing that the user has a sessionId is not sufficient. We need to make sure that the session was created via SSO, which can be done with username === null.

After adding this condition, another related problem appeared: when a user logged in as anonymous or via a login form, if they clicked on "Log out", they weren't being logged out. That's because keycloak.logout() was being called instead of dispatch(doLogOut()). The same username check fixes the problem.

Edited by Axel Bocciarelli

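The reconciliation logic described above, as an added example that is not part of the merge request or the project's own code. It keeps the names the MR mentions (matchAuthStateToSSO, doLogOut, keycloak.logout) and the page's convention that an SSO-created session has a sessionId but username === null; the store and keycloak stand-ins, the "before" variant and the refreshKeepsSession helper are hypothetical, written only so the MR's reproduction steps can be run offline.

```javascript
// Added example, not the project's code. Models the MR's fix: an ICAT
// session follows the SSO login state only when it was created via SSO,
// which the page's convention marks with username === null.
// ASSUMPTION: session shape { sessionId, username }; makeStore, makeKeycloak
// and refreshKeepsSession are hypothetical stand-ins, not project APIs.

function isSsoSession(session) {
  return Boolean(session && session.sessionId) && session.username === null;
}

// Minimal redux-style store; doLogOut() clears the ICAT session.
function makeStore(session) {
  const state = { session };
  return {
    getState: () => state,
    dispatch(action) {
      if (action.type === 'LOGOUT') state.session = null;
    },
  };
}

// Stand-in for the keycloak-js instance: tracks SSO state and logout() calls.
function makeKeycloak(authenticated) {
  return {
    authenticated,
    logoutCalls: 0,
    logout() {
      this.logoutCalls += 1;
      this.authenticated = false; // real keycloak redirects; here we just flip the flag
    },
  };
}

const doLogOut = () => ({ type: 'LOGOUT' });

// The check quoted in the MR before the fix: any sessionId without an SSO
// login is treated as stale, so anonymous/form sessions are dropped on refresh.
function matchAuthStateToSSO_before(keycloak, store) {
  const { session } = store.getState();
  if (!keycloak.authenticated && session && session.sessionId) {
    store.dispatch(doLogOut());
  }
}

// After the fix: only SSO-created sessions are tied to the SSO login state.
function matchAuthStateToSSO(keycloak, store) {
  const { session } = store.getState();
  if (!keycloak.authenticated && isSsoSession(session)) {
    store.dispatch(doLogOut());
  }
}

// "Log out" handler with the same username check: SSO sessions end through
// keycloak.logout() (the ICAT session is then cleared by matchAuthStateToSSO
// once the app sees SSO logged out); form/anonymous sessions end via the store.
function logOut(keycloak, store) {
  const { session } = store.getState();
  if (isSsoSession(session)) {
    keycloak.logout();
    return 'keycloak';
  }
  store.dispatch(doLogOut());
  return 'dispatch';
}

// Reproduces the MR's steps: logged out of SSO, signed in as anonymous,
// then refresh. Returns true when the anonymous session survives.
function refreshKeepsSession(match) {
  const store = makeStore({ sessionId: 'abc', username: 'anon' }); // constructed sample
  const keycloak = makeKeycloak(false);
  match(keycloak, store);
  return store.getState().session !== null;
}
```

Running refreshKeepsSession with matchAuthStateToSSO_before reproduces the bug (the anonymous session is cleared); with matchAuthStateToSSO it is kept, while an SSO-created session (username null) is still cleared when keycloak.authenticated is false.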