This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

OIDC signin: skip the "Continue to your account" page #11290

Closed
azmeuk opened this issue Nov 10, 2021 · 3 comments
Labels
T-Other Questions, user support, anything else.

Comments

azmeuk commented Nov 10, 2021

Hi. OIDC login works like a charm. Thank you for this hard work.

I would like the "Continue to your account" page to be automatically skipped on a first login, as it adds up to the consent page of the identity provider with a very similar message. I think it is not clear to end users what is going on on this screen.

[Screenshot: the "Continue to your account" page]

I suggest implementing a parameter to skip this screen, turned off by default.

I volunteer to provide a patch if this is OK for you.

What do you think?

anoadragon453 added the T-Other label on Nov 10, 2021

anoadragon453 (Member) commented Nov 10, 2021

Hi @azmeuk. The config option you are describing is already available through sso.client_whitelist in Synapse's config file. The sample config file contains some documentation on how it works:

# A list of client URLs which are whitelisted so that the user does not
# have to confirm giving access to their account to the URL. Any client
# whose URL starts with an entry in the following list will not be subject
# to an additional confirmation step after the SSO login is completed.
#
# WARNING: An entry such as "https://my.client" is insecure, because it
# will also match "https://my.client.evil.site", exposing your users to
# phishing attacks from evil.site. To avoid this, include a slash after the
# hostname: "https://my.client/".
#
# The login fallback page (used by clients that don't natively support the
# required login flows) is whitelisted in addition to any URLs in this list.
#
# By default, this list contains only the login fallback page.
#
#client_whitelist:
# - https://riot.im/develop
# - https://my.custom.client/

If you add the address of your client to the whitelist, then this warning page should not appear.

Out of interest, is there anywhere in the documentation we could improve to make this option more discoverable?

Thanks!
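The sample config above warns that an entry without a trailing slash is a bare prefix and so also matches an attacker-controlled host. The following added example (not Synapse's own code) restates that prefix rule in Python so the two entry forms can be compared against constructed client URLs, and adds a small audit that flags the insecure entry shape. Everything here (the whitelist values, the probe URLs and the function names `is_whitelisted`, `insecure_entries` and `evaluate`) is an assumption made for illustration; it only mirrors the "starts with an entry" semantics the config comment describes.

```python
from __future__ import annotations

from urllib.parse import urlsplit

# Constructed whitelists, shaped like sso.client_whitelist entries in the sample
# config above. This is a re-statement of the documented prefix rule, not Synapse's code.
INSECURE_WHITELIST = ["https://my.client"]   # bare scheme+host, no trailing slash
SECURE_WHITELIST = ["https://my.client/"]    # trailing slash bounds the hostname


def is_whitelisted(client_url: str, whitelist: list[str]) -> bool:
    """Prefix match as the sample config describes: the client URL must start with an entry."""
    return any(client_url.startswith(entry) for entry in whitelist)


def insecure_entries(whitelist: list[str]) -> list[str]:
    """Return entries that are a bare scheme://host prefix with no path.

    Such an entry also matches any URL whose host merely *begins* with that
    hostname (my.client.evil.site), and URLs that put the hostname into the
    userinfo component (https://my.client@evil.site/), where the real host is evil.site.
    """
    flagged = []
    for entry in whitelist:
        parts = urlsplit(entry)
        if parts.scheme and parts.netloc and not parts.path and not parts.query and not parts.fragment:
            flagged.append(entry)
    return flagged


# Constructed redirect URLs a legitimate client or an attacker might present (assumed values).
PROBES = {
    "legit": "https://my.client/#/login",
    "subdomain": "https://my.client.evil.site/",   # whitelisted hostname is a prefix of another host
    "userinfo": "https://my.client@evil.site/",    # whitelisted hostname smuggled into userinfo
}


def evaluate(whitelist: list[str]) -> dict[str, bool]:
    """Which probe URLs would skip the confirmation page under a given whitelist."""
    return {name: is_whitelisted(url, whitelist) for name, url in PROBES.items()}


if __name__ == "__main__":
    for label, wl in (("insecure", INSECURE_WHITELIST), ("secure", SECURE_WHITELIST)):
        print(label, wl, evaluate(wl), "flagged:", insecure_entries(wl))
```

With the bare entry every probe is accepted, including both attacker URLs; with the trailing slash only the genuine client matches. Note the flip side of a strict prefix: a client served on another port (https://my.client:8448/) or over plain http does not start with "https://my.client/" and needs its own entry, so keep each entry as the exact origin plus "/" rather than loosening the prefix.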

azmeuk (Author) commented Nov 10, 2021

Thank you. This is exactly the option I needed.
I am not sure where in the documentation this option should be mentioned, but client_whitelist only appears in the sample configuration file, so I suppose there is no documentation paragraph about it:

[Screenshot: the "Welcome and Overview" page of the Synapse documentation]

Maybe somewhere on this page is a good idea?

anoadragon453 (Member) commented Nov 10, 2021

@azmeuk Glad to hear, and yes this would be good to include on the documentation website. Note that sso.client_whitelist actually works for all Single Sign-On authentication methods, not just OIDC. So it should probably live on a generic SSO docs page -- which has yet to be written!

I've created an issue to track this specific addition (#11294), and will now close this one. Thanks!
