Authentication issues


(Leo McArdle) #1

Recently the number of topics I’ve seen, and messages/emails I’ve received from users confused or annoyed at the login experience on Discourse has skyrocketed. This is a little odd because we’ve been using Auth0 with only LDAP and Passwordless for a while now, but it’s obvious there’s now a significant number of users who are having a baaaaad time.

To somewhat remedy this I’ve had Google and GitHub enabled as authentication options, which means we support all the authentication methods which IAM supports. While this won’t make the experience better for all users, it will for some, and makes further authentication experience problems a problem with IAM itself.

I’ve also reached agreement with @gene that it makes sense to extend the validity window of the link sent with Passwordless, despite the bad user experience it creates, because it does at least still allow them to log in at the end of it.

Finally, at the All Hands we’ve started some discussions within the IAM team to support additional authentication methods, as a way to improve the user experience even further. These will continue to happen going forward.


Allow usual mail+password login
(Peter Gervai) #2

Apologies if it’s rude to comment here, I am not familiar with your discourse expectations. It took me 20 minutes and two browsers to be able to log in here with my preferred email, and wanted to share the pain a bit. :slight_smile:

First of all: the more fancy you get with javascript black magic the more the chances that something is going to interfere. I mean the auth page buttons. Right now I have a problem with uMatrix, which has been broken by recent FF nightly, so I came here to discuss it, which requires login, which would require (as it turned out using chrome) some specific externally hosted javascript not to be blocked even to see that there would be an authentication which would be broken.

My result was that I got redirected to a login page which offered google and github (which both work, to reference your comment above, so it was really smart to enable them, but they’re using a different email I wanted to use), and asked for email and password below them. As later it turned out this “email” uses some LDAP, which is very secret, since there is no signup link and there is no link where this particular ldap should be found, or info about it. So it kept failing, for obvious reasons. No, there wasn’t a plain email button since it would be created by the external script (jquery from some external cdn I guess).

But then I was able to see the hidden prompt on chrome and I was able to actually login with my email (which surprisingly worked), but I do not have a password (and button isn’t present in firefox anyway), since it’s a one-time-only login, as it seems.

The inherent problem is that “FAQ” is actually a ToS, and doesn’t really cover much about login, auth systems, and/or problems with them, including bugzilla accounts, mozillians accounts, discourse accounts, ldap accounts, sync accounts, or god knows what accounts I have lying around which are all mozilla something. I’ve been around for a few decades but surprisingly this mess was able to confuse even me.

It would be nice if there was a FAQ about login (since the FAQ is readable without registration). Listing the methods (so people may notice if some of them are missing). Describing the methods, or dismissing confusion with other accounts, or actually telling that yes, this account is the same as the other account. And some explanation about how to register, or which methods don’t provide it at all.


(Leo McArdle) #3

Not at all, thanks for the feedback.

It seems like quite a lot of that pain is self-inflicted, though. If you weren’t blocking arbitrary javascript, I reckon it would’ve taken under a minute.

I can understand why things were a little confusing if you weren’t loading jquery, I don’t want to imagine what the authentication page looks like without it.

This is a problem we’re trying to fix in the IAM project - ultimately we’re moving towards a more singular Mozilla identity for users.

We have a guide:


(Peter Gervai) #4

Well it doesn’t help that Bug 1324499 has not been fixed for half a year and that Nightly recently has killed off the XUL based uMatrix, so here I am, coming to report an issue which turns out to interfere with your javascript wizardry, since I would be aware not to block your externally referenced javascript if Firefox would be so kind as to let me scroll down to see that I would. :slight_smile: But apart from your harsh judgement about “arbitrary blocking”, indeed it was obvious, after the fact, that blocking has caused it.

What my feedback was really about is that if you expect lots of people blocking various javascripts (which you really should, security-wise; some of the most popular addons are noScript, uMatrix and ublockO) then the login page is designed in a way that there is no visual clue that something’s missing.

I usually consider dynamically built up pages a bad idea (you know, back in the days we said “real pages are readable under lynx”), and this has been a nice sample - for me. I understand that you have a distinctively different approach to UI design, so consider this just a hint about the other side of the fence. You can keep it this way, I won’t complain, but maybe it could be considered a good idea to avoid complicated code for a rather simple problem (of displaying a two-field form; and that hiding should be done by javascript and not unhiding).

I find this comment amusing; you should sometimes ponder about those, and let your curiosity roam free. Disable javascript and check the pages you have created, or have been involved in. Most of them should work just fine. Believe me, I do it daily. :wink:

There are cases where javascript is indeed impossible to avoid, and there are cases where javascript code can add a nice touch to the otherwise working page, but designing a page which is absolutely broken without javascript while it doesn’t have to be is a sad way of “progress”.

I have tried to identify how this project has been progressing but failed to find a univocal source. Is there a central page of progress?

Yes, and I have read it, along with other pages, the FAQ, and various search results, and still wasn’t able to readily figure out what’s happened. Most of the sources are using different wording, and it isn’t clear, as I mentioned, that there’s a difference between LDAP name/password and email name/password.

Thank you for the reply.
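As an added illustration of the design point made in the post above (an example written for this thread, not markup from Mozilla’s or Auth0’s login page): a login form whose email and password fields are present in the static HTML, so a script blocker leaves a usable form and a visible notice rather than a blank area. The script only hides the fallback notice once it has actually run, and reports a failed load of the external widget instead of silently showing nothing. The URL, element ids and class names are made up for the example.

```html
<!-- Added example, not from the original thread. Everything a user needs to
     log in is in the static markup; JavaScript can only hide or add. -->
<form method="post" action="/login" id="login-form">
  <label>Email <input type="email" name="email" required></label>
  <label>Password <input type="password" name="password" required></label>
  <button type="submit">Log in</button>

  <!-- Visible by default. Hidden by the script below only after it runs,
       so a blocked or failed script leaves the notice on screen. -->
  <p id="js-notice" class="notice">
    Passwordless and Google/GitHub buttons are loaded by a script.
    If they do not appear, use the email and password fields above.
  </p>

  <!-- Placeholder where the script-built buttons go. Empty without JS. -->
  <div id="extra-login-options"></div>
</form>

<!-- Hypothetical external widget URL (assumption, not a real endpoint).
     onerror fires when the browser cannot load the script; many blockers
     surface the block as a load failure, though not all do. -->
<script src="https://cdn.example.invalid/login-widget.js"
        onerror="document.getElementById('js-notice').textContent =
                 'The social/passwordless login script could not be loaded. ' +
                 'Email and password login still works.';">
</script>

<script>
  // Runs only if inline scripts are allowed: hide the notice, not the form.
  document.getElementById('js-notice').hidden = true;

  // Add script-dependent options only when the widget actually arrived.
  // (Hypothetical global name; an assumption for the example.)
  if (window.LoginWidget && typeof window.LoginWidget.render === 'function') {
    window.LoginWidget.render(document.getElementById('extra-login-options'));
  } else {
    // Widget missing: keep the notice visible so the gap is explained.
    document.getElementById('js-notice').hidden = false;
  }
</script>
```

The direction matters: the notice and the form start visible and the script removes the notice, so every failure mode (scripts disabled, inline script blocked, external script blocked, widget loaded but broken) degrades to a working email/password form with an explanation on screen, rather than to a page with no visual clue that something is missing.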


(Henrik Mitsch) #5

Most of it can be found in the #participationsystems category. More specifically, we publish our progress in the fortnightly Sprint Review posts and quarterly OKR articles.

Hope this helps.
Best regards,
Henrik


(rugk) #6

See also: