DOCS: Document logging out of CILogon #974
Conversation
|
Can we maybe rephrase this along the lines of "If a user mistakenly provides an incorrect email when logging in, they will need to... before doing...". Or maybe "If a user wishes to change which email address they login with,...". I'm having trouble keeping track between the "first" and "second" attempts. |
Sure! There's a bit of a mess in my head right now 🤯 Two thoughts:
So, with CILogon, the login process looks like this: Hub login page ➡️ Auth0 Login screen presenting the CILogon option ➡️ CILogon IDP selection page ➡️ IDP login page ➡️ hub access If on the screen in bold (IDP login page), the same identity provider is used, let's say Google, then a logout must happen before using another email account. But if one chooses the berkeley Identity Provider, then they will be able to login with their berkeley email address without logging out.
Hope I didn't create more confusion 😓 |
Ok, let's definitely say something general like "account information"
Ah, so do we have to do something in the hub at this point? (I will check the issue in case you've answered it there) Most likely wait til the cookie expires or scrub the cookie ourselves from within the hub |
|
Thanks @sgibson91! I tried to rephrase the note a bit. LTMK if I managed to be more clear and shorter than in the novel above 😅 |
|
You already answered ❤️ Thank you!!!! |
|
So just to make sure I understand, there are two "things to log out of": If a user logs into the hub with CILogon, but they use the wrong institutional address. Then they'll need to log out of two things:
When that is done, they will be able to "start fresh" and choose a new CILogon provider and/or account name. Is that right? If so, I think we should also document this in our user docs as well, since I suspect this will happen to people. |
I agree with this thought. |
Yep. Checkout 2i2c-org/default-hub-homepage#8 for a possible "documentation" of this step
Almost. So, they're asked to select an institution regardless of they go to https://cilogon.org/logout. But if they want to use the same institution, but just another address, then in order to be asked which institutional address to use, they will need to go to https://cilogon.org/logout.
What do you think if we go with the button in 2i2c-org/default-hub-homepage#8 for the first one and the note in this PR for the second one? Do you think we need to add more details in other places of the docs? |
|
I took a pass at the language to try and clarify things a little bit in these docs - however I think we will need to iterate a little bit because the instructions didn't quite work for me, so I likely got something wrong :-) Could you take a look at my latest commit and let me know what I messed up? I think that your strategy sounds good to me as long as we can document the full "how to log out" process here as a start. In the future if the button isn't enough and people are still confused, we can make an addition to the user docs |
There was a problem hiding this comment.
Thanks for clarifying the docs @choldgraf. I left a couple of comments with my thoughts, but also added a commit to modify things a bit again. Sorry for not providing suggestions directly, but I wanted to add images too to make things more clear. LTMK what you think and if they work
|
|
||
| There are two details for CILogon accounts worth mentioning: | ||
|
|
||
| - **Institutional connection**. This is the direct connection with CILogon, negotiated by each institution. When a user logs in via CILogon, they first may choose from a variety of institutions (e.g. `UC Berkeley` or `Australia National University`). There is also a fall-back for "Google OAuth". |
There was a problem hiding this comment.
I've seen CILogon docs referencing these as IdentityProviders, so I suggest we use the same language as they do, so that if someone checks out the CILogon docs directly it's clear we're talking about the same thing. What do you think>
| **To switch user accounts**, a user can go to the URL endpoing `https://{hub-name}/hub/logout`. | ||
| The next time they go to the hub's landing page, they'll be asked to re-authenticate. | ||
|
|
||
| **To switch CILogon institutions**, a user must go to the [CILogon logout page](https://cilogon.org/logout) and click the button to log out of their institutional account. When they try to log back in they should be directed to a page to select institutions once again. |
There was a problem hiding this comment.
I believe these are actually the other way around. In practice I've havn't seen switching institution require logging out of CILogon.
GeorgianaElena
changed the title
GeorgianaElena
added
🏷️ authentication
Enhancement
|
Ah thanks for those updates @GeorgianaElena - I think they are good! I pushed a commit with some minor cleanups and clarifications as well. What do you think? However, following the instructions didn't quite work for me. Here are the steps I followed and what happened. Can you help me debug?
I would have expected that step 4 would have then asked me to choose an identity provider, but this didn't happen. Can you clarify? |
I was able to reproduce your workflow if I check the If so, then probably you need to clear the cookies. It doesn't have to do with the logout process, but it's probably worth mentioning in the docs here.
I don't see any new commit from you @choldgraf 👀 Maybe you forgot to push it? |
|
I clarified the docs a bit more and mentioned this scenario when clearing the cookies is required |
|
@GeorgianaElena the cookie fix worked! Thanks for clarifying, and sorry that I forgot to push my commit before! I've just pushed another commit to clean up the language a bit. I added |
|
|
||
| When a user logs in via CILogon, they are first presented with a list of various institutions and organization that they may choose from (e.g. `UC Berkeley` or `Australia National University`). | ||
| Identity Provider | ||
| : The authentication service available through the CILogon connection. |
There was a problem hiding this comment.
Had no idea about this syntax, but super cool 👍
|
Thanks @choldgraf 🎉 |
|
OK I am merging this one in! I think these are nice changes and we can continue updating them as we use CILogon more and learn! |
choldgraf
changed the title
Does @2i2c-org/tech-team agree that adding this note to the docs is acceptable for fixing #957?
Note this comment in the original issue that gives more details about it.