✨(auth) Add silent login #1690
✨(auth) Add silent login #1690
Conversation
arnaud-robin
force-pushed
the
silent-login
branch
2 times, most recently
from
2d5d759 to
9b6703f
Compare
|
This implementation is heavily copied from @lebaudantoine work. |
|
Size Change: +132 B (0%) Total Size: 4.19 MB
|
arnaud-robin
added
the
FAST
|
@AntoLC fyi |
AntoLC
left a comment
AntoLC
left a comment
There was a problem hiding this comment.
We need a test to assert that it is working, the tests don't seem happy btw.
If I understand correctly, even if our cookies is dead (frontend side), if the SSO recognize the user it will not prompt the user again, isn't it ?
|
Yes, I’ll update the tests accordingly. I also plan to make this option configurable so that self-hosted instances using identity providers that don’t support this parameter don’t end up with a broken login flow. But you're right, the goal is that even if the user has never logged into Docs before, or if the Docs session has expired, we still try to reuse an existing IdP session so the user doesn’t have to click the login button. |
AntoLC
force-pushed
the
silent-login
branch
2 times, most recently
from
5f85107 to
29c29bc
Compare
AntoLC
force-pushed
the
silent-login
branch
2 times, most recently
from
9793d16 to
b66f40b
Compare
|
Size Change: +239 B (+0.01%) Total Size: 4.19 MB
|
AntoLC
force-pushed
the
silent-login
branch
2 times, most recently
from
3cbd12f to
102dc2c
Compare
|
🚀 Preview will be available at https://1609-docs.ppr-docs.beta.numerique.gouv.fr/ You can use the existing account with these credentials:
You can also create a new account if you want to. Once this Pull Request is merged, the preview will be destroyed. |
AntoLC
force-pushed
the
silent-login
branch
2 times, most recently
from
89b3c90 to
f1efc67
Compare
Ovgodd
left a comment
Ovgodd
left a comment
There was a problem hiding this comment.
just a proposal in the useEffect on index.tsx
Currently users already logged in to the SSO have to click on the login button again to be connected. This extra step should not be necessary. This commit uses the "silent=true" parameter to the login endpoint to avoid the extra step.
Not every project requires silent login. This commit adds a new feature flag FRONTEND_SILENT_LOGIN_ENABLED to enable or disable silent login functionality.
Problem
Right now users already logged in to the SSO have to click on the login button again to be connected. This extra step should not be necessary and some partners have complained
Proposed solution
This PR uses the "silent=true" parameter in the lasuite login endpoint to avoid showing the IdP login screen if user already have an active session.
Demo
Enregistrement.2026-01-22.171342.mp4
This feature does not work in development mode (localhost:3000 / localhost:8071).
When frontend and backend are on different origins (and/or IdP is another origin), silent auth is much more likely to fail due to browser privacy rules and cookie context.
Same-domain setups tend to “just work” because everything is first-party and the IdP session is more reliably available.
To activate this feature: