fix(login): ignore select_account in case there aren't any session to choose (#7981)

# Which Problems Are Solved

When providing `select_account` in an OIDC auth request, ZITADEL would
always show the account selection page even if there aren't any user
sessions to choose and the user would then need to click the `Other
User` button to be presented the login page.

# How the Problems Are Solved

This PR changes the behavior and ignores the `select_account` prompt in
case there aren't any existing user sessions and will directly present
the login page.

# Additional Changes

None

# Additional Context

Closes #7213
This commit is contained in:
Livio Spring 2024-05-21 14:53:31 +02:00 committed by GitHub
parent d55aae5160
commit 07f91e4f16
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 10 additions and 7 deletions


@ -1113,19 +1113,24 @@ func (repo *AuthRequestRepo) nextStepsUser(ctx context.Context, request *domain.
if len(request.Prompt) > 0 && !domain.IsPrompt(request.Prompt, domain.PromptSelectAccount) {
return append(steps, new(domain.LoginStep)), nil
} else {
// if no user was specified, no prompt or select_account was provided,
// if no user was specified, either select_account or no prompt was provided,
// then check the active user sessions (of the user agent)
users, err := repo.usersForUserSelection(ctx, request)
if err != nil {
return nil, err
}
if domain.IsPrompt(request.Prompt, domain.PromptSelectAccount) {
// in case select_account was specified ignore it if there aren't any user sessions
if domain.IsPrompt(request.Prompt, domain.PromptSelectAccount) && len(users) > 0 {
steps = append(steps, &domain.SelectUserStep{Users: users})
}
// If we get here, either no sessions were found for select_account
// or no prompt was provided.
// In either case if there was a specific idp is selected (scope), directly redirect
if request.SelectedIDPConfigID != "" {
steps = append(steps, &domain.RedirectToExternalIDPStep{})
}
if len(request.Prompt) == 0 && len(users) == 0 {
// or there aren't any sessions to use, present the login page (https://github.com/zitadel/zitadel/issues/7213)
if len(users) == 0 {
steps = append(steps, new(domain.LoginStep))
}
// if no prompt was provided, but there are multiple user sessions, then the user must decide which to use
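Review bot: The new comment "If we get here, either no sessions were found for select_account or no prompt was provided" states a precondition the code does not establish: there is no early return after the `SelectUserStep` append, so the IDP check below it is also reached when `select_account` was given with sessions and a `SelectUserStep` was just queued, and with `SelectedIDPConfigID` set both steps end up in the slice (that ordering predates this change, but the comment now hides it). A reader of the new `if len(users) == 0` guard also meets the trailing "or there aren't any sessions to use" fragment as a continuation of the IDP sentence, which reads as if the two `if`s were one condition. I would reword the two comments independently, e.g. `// a selected IDP (scope) always gets a redirect step, whether or not a SelectUserStep was queued above` and `// no usable session (with or without select_account): present the login page (#7213)`. The `select_account` ignore rule itself looks consistent with the prompt semantics, since there is nothing to select when the session list is empty; `nextStepsUser` starts before this hunk and its body continues past it, so any effect of the now-unconditional `LoginStep` on the later multi-session branch cannot be judged from here.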


@ -466,7 +466,7 @@ func TestAuthRequestRepo_nextSteps(t *testing.T) {
nil,
},
{
"user not set, prompt select account, no active session, select account step",
"user not set, prompt select account, no active session, login step",
fields{
userSessionViewProvider: &mockViewUserSession{
Users: nil,
@ -475,9 +475,7 @@ func TestAuthRequestRepo_nextSteps(t *testing.T) {
},
args{&domain.AuthRequest{Prompt: []domain.Prompt{domain.PromptSelectAccount}}, false},
[]domain.NextStep{
&domain.SelectUserStep{
Users: []domain.UserSelection{},
}},
&domain.LoginStep{}},
nil,
},
{
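Review bot: The rewritten case pins only the empty-session path for `select_account`; unless the rest of the table (which continues past this hunk) already does, two neighbouring cases are worth adding so the behaviour change does not over-reach: `select_account` with a non-empty session list still expecting `&domain.SelectUserStep{Users: ...}`, and `select_account` with no sessions plus a non-empty `SelectedIDPConfigID` expecting `&domain.RedirectToExternalIDPStep{}` followed by `&domain.LoginStep{}`. The second of these is the combination the new `len(users) == 0` guard makes reachable under `select_account`, and a table entry is the cheapest way to lock in the step order. The case name `"user not set, prompt select account, no active session, login step"` describes the new expectation accurately.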