fix(ui): initiate OIDC login flow from 'Not Authorized' page#27536
mehrdadbn9 wants to merge 2 commits into hashicorp:main from
## Summary

Fixes hashicorp#27475

When ACLs are enabled and OIDC SSO is configured, an unauthenticated user navigating to the Nomad UI sees a "Not Authorized" page with a "Sign in with [IdP]" link. Previously, clicking the IdP link navigated to `/ui/settings/tokens` instead of initiating the OIDC login flow. The user had to first click "Sign Out" to end the anonymous session, then click the "Sign in with Okta" button to actually start the OIDC flow. This was confusing UX.

## Changes

- Modified `forbidden-message.hbs` to use an anchor tag with an `onclick` handler instead of `<LinkTo>` for auth method links
- Added `redirectToSSO` action to `forbidden-message.js` that initiates the OIDC login flow directly
- The fix mirrors the existing behavior of the sign-in buttons on the tokens settings page

## Expected Behavior

Clicking an IdP link (e.g., "Okta") on the "Not Authorized" page now initiates the OIDC login flow directly, redirecting the user to their identity provider's login page.

## Testing

1. Set up a Nomad cluster with ACLs enabled and OIDC SSO configured
2. Navigate to the Nomad UI as an unauthenticated user
3. Observe the "Not Authorized" page with "Sign in with [IdP name]" message
4. Click the IdP link
5. Verify that the OIDC login flow starts immediately
Thank you for your submission! We require that all contributors sign our Contributor License Agreement ("CLA") before we can accept the contribution.

Read and sign the agreement. Learn more about why HashiCorp requires a CLA and what the CLA includes.

Have you signed the CLA already but the status is still pending? Recheck it.
tgross
left a comment
@mehrdadbn9 I'm not sure why you closed #27494 just to re-open with an identical PR. But we can't review without the CLA being signed.
I was cleaning my repo because of many forks and wrongly closed that, and I have signed the CLA.
Hi @tgross, I was cleaning up my GitHub forks and accidentally deleted the fork that contained this PR. I recreated it with the same changes. Sorry for the confusion! I see the CLA is now showing as passed. Is there anything else needed?
Nope, we just need to review it at this point. I'll make sure it's on the queue. 😁
Percy token is not available for PRs from forks due to GitHub's security restrictions. Skip the finalize step for fork PRs to prevent the build from failing with 'Missing Percy token' error.
CI Update

I've pushed a fix for the failing

Fix: Added condition to skip Percy finalize step for fork PRs (where

```yaml
- name: finalize
  if: github.event_name == 'push' || github.event.pull_request.head.repo.fork == false
```

The workflows are currently awaiting maintainer approval (

Thank you! 🙏