Describe the bug
If your Matrix Homeserver has SSO and Username + Password support, then Soft Logout will give both options to the user, when in fact there is only one that will work and the other will butcher their local data.
This is because, as far as the spec is concerned, the Soft Logout docs don't tell clients to send any identifying marks along with the GET /login, so the flows that the server returns cannot be personalised/scoped at all.
Expected behavior
Clients should tell Servers their soft-logged-out user-id or something of that nature to allow the server to personalise the flows to only the ones that make sense for that user. Using user-id is probably a bad idea as it'd open a door for anyone to find out what flow a user used to log in and make their account that 1% more vulnerable.
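A client-side alternative to the proposal above, as an added example that is not part of the issue, the Matrix spec, or any client's code: instead of sending the user-id along with GET /login (which would let anyone probe which login method an account uses), the client records which m.login.* flow type it used when the session was created and, on soft logout, only re-offers that type. The /login response shape is the real one; the response body, the store, and all function names below are constructed for this example.

```javascript
// Added example, not from the issue or the Matrix spec. Demonstrates scoping
// the post-soft-logout login options on the client, so the server never has
// to learn which user is re-authenticating.

// Shape of the "flows" array returned by GET /_matrix/client/v3/login.
// The body is constructed for this example: a homeserver offering both
// password and SSO login, which is the situation the issue describes.
const CONSTRUCTED_LOGIN_RESPONSE = {
  flows: [
    { type: "m.login.password" },
    { type: "m.login.sso", identity_providers: [{ id: "corp-oidc", name: "Corp SSO" }] },
    { type: "m.login.token" },
  ],
};

// Hypothetical persistent store (e.g. localStorage in a browser client).
// Keyed by user_id so a shared device can hold several accounts.
function rememberLoginType(store, userId, loginType) {
  store[`login_type:${userId}`] = loginType;
}

function recallLoginType(store, userId) {
  return store[`login_type:${userId}`] ?? null;
}

// On soft logout, keep only the flow the session was originally created with.
// Returns { flows, reason }. If the server no longer offers that flow, return
// no flows plus a reason, rather than letting the user pick another method
// that would end up as a different session and clobber the local store.
function flowsForSoftLogout(loginResponse, store, userId) {
  const remembered = recallLoginType(store, userId);
  if (remembered === null) {
    return { flows: loginResponse.flows, reason: "no remembered login type; offering all flows" };
  }
  const matching = loginResponse.flows.filter((f) => f.type === remembered);
  if (matching.length === 0) {
    return { flows: [], reason: `server no longer offers ${remembered}` };
  }
  return { flows: matching, reason: null };
}

// Defensive check after the re-login completes: the local data may only be
// reused if the server returned the same user_id as the soft-logged-out
// session. Anything else must start from an empty store.
function canReuseLocalData(previousUserId, loginResult) {
  return typeof loginResult.user_id === "string" && loginResult.user_id === previousUserId;
}

// Usage: record the flow at first login, then consult it on soft logout.
const store = {};
rememberLoginType(store, "@alice:example.org", "m.login.sso");
const choice = flowsForSoftLogout(CONSTRUCTED_LOGIN_RESPONSE, store, "@alice:example.org");
console.log(choice.flows.map((f) => f.type)); // only "m.login.sso" is offered
```

The trade-off is that the remembered type lives only on the device, so a fresh install still sees every flow; that is acceptable because a fresh install has no local data to butcher.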