Continue with SSO button redirects to /_matrix/static/client/login/ instead of /_matrix/client/r0/login/sso/redirect #1178

Closed
BillCarsonFr opened this issue Mar 26, 2020 · 8 comments · Fixed by #1277

@BillCarsonFr

No description provided.

@bmarty

bmarty commented Apr 15, 2020

This is specified here: https://matrix.org/docs/spec/client_server/latest#login-fallback

Where do you see we should use sso/redirect?

@BillCarsonFr

@babolivier Can you please give back some context?

@babolivier

I was initially confused because the login fallback is expected to be used when a client doesn't recognise a login flow. But RiotX showing the "Continue with SSO" button did lead me to believe that RiotX did recognise the SSO flow, but still acted as if it didn't. This caused UX issues with a previous version of the login fallback, because then the user would have needed to click "Continue with SSO" twice as the fallback also showed a similar button (this has been fixed but only on Synapse, it's not given that other upcoming homeservers will use a login fallback with the same logic).

`GET /_matrix/client/r0/login/sso/redirect` is the route clients should redirect to when logging in with SSO. This route will itself redirect the user to the authentication portal, and then redirect them back to the client (using a provided redirect URL). The spec mentions "A web-based Matrix client", but then Riot Desktop also uses it, so I'm not sure what the best thing to do is here.
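The flow described in the comment above, as an added example that is not part of the original thread or of RiotX's code: it picks the SSO redirect endpoint when the server advertises `m.login.sso`, uses the login fallback only for unrecognised flows, and accepts the post-SSO redirect only if it targets the callback the client supplied. The `redirectUrl` and `loginToken` parameter names come from the Client-Server API spec; the homeserver, callback URI and function names are constructed for illustration.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

SSO_REDIRECT = "/_matrix/client/r0/login/sso/redirect"
LOGIN_FALLBACK = "/_matrix/static/client/login/"
NATIVE_FLOWS = {"m.login.password"}  # assumption: flows this client renders itself


def login_entry_url(homeserver, flows_response, client_callback):
    """Given the body of GET /login, return the URL to open, or None for a native form."""
    base = homeserver.rstrip("/")
    types = {flow.get("type") for flow in flows_response.get("flows", [])}
    if "m.login.sso" in types:
        # Recognised SSO flow: skip the fallback page and go to the redirect endpoint.
        query = urlencode({"redirectUrl": client_callback})
        return f"{base}{SSO_REDIRECT}?{query}"
    if types & NATIVE_FLOWS:
        return None
    # No flow the client understands: this is the case the login fallback exists for.
    return base + LOGIN_FALLBACK


def extract_login_token(returned_url, client_callback):
    """Accept the post-SSO redirect only if it targets the callback we supplied."""
    got, want = urlsplit(returned_url), urlsplit(client_callback)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("redirect does not match the redirectUrl that was sent")
    tokens = parse_qs(got.query).get("loginToken", [])
    if len(tokens) != 1:
        raise ValueError("expected exactly one loginToken")
    return tokens[0]


def token_login_body(login_token):
    """Body for POST /login that exchanges the one-time token for an access token."""
    return {"type": "m.login.token", "token": login_token}


if __name__ == "__main__":
    hs = "https://hs.example.org"        # constructed homeserver
    cb = "exampleclient://sso-callback"  # constructed client callback URI
    flows = {"flows": [{"type": "m.login.sso"}, {"type": "m.login.token"}]}
    print(login_entry_url(hs, flows, cb))
    token = extract_login_token(cb + "?loginToken=abc123", cb)
    print(token_login_body(token))
```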

@bmarty bmarty self-assigned this Apr 24, 2020
@bmarty

bmarty commented Apr 24, 2020

Ok, thanks @babolivier for the clarification, I think I've understood the point :)

In the PR #1277, I use the fallback login page to handle the redirection after SSO login. Do you think it is acceptable?

It works well, but I will be more confident if you confirm it to me. Thanks!

Edit: Also now I see the sso/redirect url in the CS API docs, I think it has been added recently, or else it means that I'm totally blind :)

@manuroe

manuroe commented Apr 27, 2020

Kamino cloned this issue to vector-im/riot-ios

@babolivier

babolivier commented Apr 27, 2020

> In the PR #1277, I use the fallback login page to handle the redirection after SSO login. Do you think it is acceptable?

I think it is as long as the server serves a fallback page that includes sensible enough logic around SSO (Synapse has that as of matrix-org/synapse#7152) and has a sensible enough auth configuration (in the case of Synapse, not allow anything other than SSO). In any other case, e.g. if the server also allows password login, or if the server isn't Synapse and uses a less elaborate fallback, it will likely create a confusing UX.

So it's probably good enough for now though not ideal.

> Edit: Also now I see the sso/redirect url in the CS API docs, I think it has been added recently, or else it means that I'm totally blind :)

It's been added in the release r0.5.0 of the CS API, so around 10 months ago. Note that this endpoint existed before but was named `cas/redirect` instead, and has been extended to include all types of SSO (see this note) ;)

@bmarty

bmarty commented Apr 27, 2020

Ok, thanks @babolivier for the feedback. I merge the PR

@bmarty

bmarty commented Jun 8, 2020

FTR the behavior on RiotX has been updated in #1451
