SSO UIA doesn't work #12692

Closed
turt2live opened this issue Mar 11, 2020 · 5 comments · Fixed by matrix-org/matrix-react-sdk#4292

Comments

@turt2live
Member

Apparently we didn't have an issue to track this, so here's a blob of (lightly edited) out of context text from internal discussions:

The list is much smaller than I anticipated. The things we care about are:

  • Account deactivation (currently at the bottom of the first tab in settings)
  • 3PID (email, phone) adding
  • Deleting devices (both in bulk and individually)

The other thing the backend team might want is a way to test "fallback auth", which is Riot just opening a page instead of using a native UI for the auth step. In theory this could be a dialog within Riot or just opening a new tab.

At risk of over-explaining it: User-Interactive Authentication (UIA) is a framework for requiring arbitrary steps to be completed before an action can be taken. The spec defines a few possibilities, but the server could request anything (in theory). In practice, we can be reasonably sure which steps (also known as flows in the UIA world) will be offered by the server so we don't need to design for every single eventuality here (yet). We currently support password auth on those endpoints, but the bug is that Mozilla and other SSO users don't have passwords and can't do certain things with their accounts.

The backend team is also currently working on supporting the feature, so the last few stages of it are still somewhat undefined (how we get info from the SSO system into Riot so it can shove it over to the server).


Related issues:

@turt2live
Member Author

Synapse issue: matrix-org/synapse#5667

@turt2live
Member Author

Rough UX after talking with Nad: Button to start SSO, do the SSO stuff, then a confirm dialog saying something like "You've been authed, click to continue". Proper copy/design coming soon.

@nadonomy
Contributor

nadonomy commented Mar 23, 2020

@turt2live I've written up copy specific to each journey the user is taking, detailed below. I've also quickly thrown together some UI comps in Figma here to indicate how we should decorate the more destructive actions: https://www.figma.com/file/0x3jONAjbrzNutZnW89h6x/SSO-Auth?node-id=0%3A1

If any of this doesn't make sense, probably best to DM me for us to iterate on together.


Account deactivation

Before auth:

Use Single Sign On to continue

Confirm your account deactivation by using Single Sign On to prove your identity.
[Cancel] [Single Sign On]

After auth:

Confirm account deactivation

Are you sure you want to deactivate your account? This is irreversible.
[Cancel] [Confirm account deactivation]


Adding an email address

Before auth:

Use Single Sign On to continue

Confirm adding this email address by using Single Sign On to prove your identity.
[Cancel] [Single Sign On]

After auth:

Confirm adding email address

Click the button below to confirm adding this email address.
[Cancel] [Add email]


Adding a phone number

Before auth:

Use Single Sign On to continue

Confirm adding this phone number by using Single Sign On to prove your identity.
[Cancel] [Single Sign On]

After auth:

Confirm adding phone number

Click the button below to confirm adding this phone number.
[Cancel] [Add email]


Deleting a device

Before auth:

Use Single Sign On to continue

Confirm deleting this session by using Single Sign On to prove your identity.
[Cancel] [Single Sign On]

After auth:

Confirm deleting this session

Click the button below to confirm deleting this session.
[Cancel] [Delete session]

@turt2live
Member Author

Synapse implementation: matrix-org/synapse#7102
MSC: matrix-org/matrix-spec-proposals#2454

@turt2live
Member Author

Will fix #12028
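
The User-Interactive Authentication handling described in the first comment, as an added example that is not part of this thread or of Riot's code: it turns the body of a 401 UIA response into the stages a client still has to perform, and returns `null` when only password auth is offered to a user without a password, which is the failure this issue tracks. The function names, the `hasPassword` option and the sample response are assumptions made for illustration; the `m.login.sso` stage name and the fallback URL path are taken from the Matrix spec and MSC2454, not from this page.

```javascript
// Added example: planUia, fallbackUrl, hasPassword and SAMPLE_401 are hypothetical names.
const PASSWORD = "m.login.password";
const SSO = "m.login.sso"; // UIA stage proposed by MSC2454

// Spec-defined fallback page for a stage, bound to the UIA session id.
function fallbackUrl(homeserver, stage, session) {
  return `${homeserver}/_matrix/client/r0/auth/${encodeURIComponent(stage)}` +
    `/fallback/web?session=${encodeURIComponent(session)}`;
}

// Turn the body of a 401 UIA response into the stages still to perform.
// Returns null when no offered flow is usable by this user.
function planUia(homeserver, body, { hasPassword }) {
  if (!body || !Array.isArray(body.flows) || typeof body.session !== "string") {
    throw new TypeError("not a UIA response");
  }
  const completed = new Set(body.completed || []);
  // A flow containing a password stage is unusable for an SSO-only account.
  const usable = (stage) => stage !== PASSWORD || hasPassword;
  const candidates = body.flows
    .filter((flow) => Array.isArray(flow.stages) && flow.stages.every(usable))
    .map((flow) => flow.stages.filter((stage) => !completed.has(stage)))
    .sort((a, b) => a.length - b.length); // fewest remaining stages first
  if (candidates.length === 0) return null;
  return candidates[0].map((stage) => ({
    stage,
    // Stages without a native UI are handled by opening the fallback page.
    ui: stage === PASSWORD ? "password-prompt"
      : stage === SSO ? "sso-button" : "fallback-page",
    url: stage === PASSWORD ? null : fallbackUrl(homeserver, stage, body.session),
  }));
}

// Constructed sample of a 401 body from a server offering both stages.
const SAMPLE_401 = {
  session: "abc123",
  flows: [{ stages: [PASSWORD] }, { stages: [SSO] }],
  params: {},
};
```

After the user finishes the SSO or fallback page, the client repeats the original request with an `auth` object carrying the same `session` value so the server can match it to the completed stage.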
