Custom login app ignored when user loses all roles

Hi:)

I have a question about login/logout when removing all roles from a user (see Loom for full flow).

I have a user with access to my app. When I remove all roles, it looks like the user is logged out and redirected to the Appfarm login page. If I then add the roles back and refresh the app, the user is taken straight back into the app without logging in again.

Two questions:

  1. I’ve created a public custom login app and set it as default under Environments and as the default login app. Why is the user still redirected to the Appfarm login page in this scenario, and how can I fix it?

  2. When roles are removed and the user is sent to the login screen, it seems like they’re logged out. But since they don’t need to log in again after roles are added back, I assume they’re not actually logged out. What’s happening in the background here?

Loom:
https://www.loom.com/share/02bdae45f53545a6902b7ca7976a14eb

// Sigurd

Hi Sigurd!

  1. I do not have a clear answer to you on this one, so I’ll follow up internally.

  2. Within security, we separate authentication from authorization. When the user logs in we authenticate who that user is. What the user is able to access after being logged in is based on authorization (i.e. which roles the user has).

When you revoke the login for the user, we still know who the user is as we do not abort the user session, but it no longer has access to any resources as it has no valid login role, and is presented with the default login screen.

When you grant the roles again, the user, who still has a valid session, is given access to resources again and is able to continue without having to re-authenticate themselves.

Thank you!

Great — I’m looking forward to hearing how to fix this.

I understand, but I’m still a bit confused about why a logged-in user is redirected to the login screen instead of the Access Denied page (see screen shot). In Appfarm, I’m used to an authenticated user who doesn’t have access being shown the Access Denied view, with the option to log out. To me, that seems more intuitive and like a better flow.

Is there a way to force the end of a session when the user loses all roles? Right now, I have a workaround with a “Deactivated user” role that handles this.

Hi!

The user feedback could definitely be better in these cases.

I’ve created a feature request to improve feedback in cases where the user loses their login privileges and has no access to the environment (but is still authenticated). It is currently not possible to terminate a user session using actions.

Unfortunately, we do not have a clear timeframe on when this feature will be available, so as of now, your workaround is probably the best approach.

I see:) I’ll keep my workaround for now.

Do you have any explanation for why my custom default login app is being ignored?

// Sigurd

Nothing more explanatory than that it is a bug/missing feature, unfortunately.

The user is authenticated/logged in before the permission is revoked, so the redirect to your default login app would have made sense if the session was terminated.

As the user is still authenticated, but without any permissions in the environment, we enter a state where we end up with the default login dialog. So ideally you should be redirected to a more informatory page in this scenario (such as the Access Denied page as you pointed out).

Hope that clears things up!

Yeah, that clears things up – thanks!

If anyone ends up in the same situation, here’s a short explanation of what I did:

I created a new “Deactivated” role. This role only has access to my default login app — no access to data, services, or any other apps.

When removing all roles from a user, I add this new role instead. That redirects them to the login app, where I can terminate their session and log them out.
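To make the authentication-versus-authorization point from the support reply and the workaround in the last post concrete, here is a small constructed Python model added to this thread (not Appfarm's code). The `Env` class, the app names `my-app` and `login-app`, the role `User` and the session ids are all assumptions; `route()` returns the Access Denied outcome the thread calls ideal where Appfarm currently shows its default login dialog.

```python
from dataclasses import dataclass, field

LOGIN_APP = "login-app"           # assumed name of the custom login app
DEACTIVATED_ROLE = "Deactivated"  # the workaround role described in the thread


@dataclass
class Env:
    user_roles: dict = field(default_factory=dict)   # user -> set of roles
    app_roles: dict = field(default_factory=dict)    # app  -> roles that may open it
    sessions: dict = field(default_factory=dict)     # session id -> authenticated user

    def login(self, sid, user):
        self.sessions[sid] = user           # authentication: who the user is

    def logout(self, sid):
        self.sessions.pop(sid, None)        # only this ends the session

    def set_roles(self, user, roles):
        self.user_roles[user] = set(roles)  # authorization: what they may reach

    def route(self, sid, app):
        """Where a request for `app` lands: 'login' when there is no
        authenticated session, 'app:<name>' when one of the user's current
        roles grants it, otherwise 'access-denied' (still authenticated)."""
        user = self.sessions.get(sid)
        if user is None:
            return "login"
        if self.user_roles.get(user, set()) & self.app_roles.get(app, set()):
            return f"app:{app}"
        return "access-denied"


def walk_through():
    """Replay the thread's scenario step by step; returns each outcome."""
    env = Env(app_roles={"my-app": {"User"}, LOGIN_APP: {DEACTIVATED_ROLE}})
    env.set_roles("sigurd", {"User"})
    env.login("s1", "sigurd")
    steps = [("granted", env.route("s1", "my-app"))]
    env.set_roles("sigurd", set())                   # revoke every role
    steps.append(("revoked", env.route("s1", "my-app")))
    steps.append(("session alive", "s1" in env.sessions))
    env.set_roles("sigurd", {"User"})                # roles restored: no re-login
    steps.append(("restored", env.route("s1", "my-app")))
    env.set_roles("sigurd", {DEACTIVATED_ROLE})      # workaround role instead of none
    steps.append(("deactivated", env.route("s1", LOGIN_APP)))
    env.logout("s1")                                 # session ended from the login app
    steps.append(("after logout", env.route("s1", "my-app")))
    return steps
```

The run shows why the workaround needs the explicit logout step: changing roles only changes authorization, and the user is asked to log in again only once the session itself is terminated.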
