Should a 403 on login clear oauth state? #973
Comments
Ah interesting - I ran into the same behavior as well. In my opinion, if you try to log in but you hit an "unauthorized" error, you should immediately be logged out. At a minimum, I think there should be a link displayed like "To log in with a different account, click here". Is there a way we can change this behavior here, or does it require a change in JupyterHub?
I am a little bit worried about automatically redirecting to logout and "missing" the error...
I like that idea (probably with another message).
Maybe a button in the very same template referenced above and pointing to
Yeah I agree - a better way to describe this is "if you log in, and you're unauthorized, you should see the error page but JupyterHub shouldn't treat you as 'logged in' in the future"
If this were possible, I think it would be nice. Just a quick "here's a next step to take" message would be a big help at reducing confusion, I think
Thanks @damianavila and @choldgraf! I really like the idea of guiding users to the hub logout endpoint through a button so
Description of problem and opportunity to address it
Context to understand the problem
When a user logs into a hub using an account that isn't allowed, they will get a 403 error message that looks like this, and it's configured from https://github.com/2i2c-org/pilot-homepage/blob/master/templates/error.html
Problem
If a user that got a 403 wants to try logging in with another account, then they must navigate themselves to the hub logout endpoint
https://<hub-address>/hub/logout
that will clear any cookies saved, otherwise they will just be redirected to the 403 page until I think the oauthenticator_state cookie expires.

How to reproduce video:
Cookies for the request that resolves to a 403
Implementation guide and constraints
No response
Updates and ongoing work
No response