Bug 1643117 Comment 0 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

During our UX research project we received feedback that the login is confusing and that it is annoying to have to log in frequently.

Currently whenever a user logs in, we retrieve two different credentials:
1) User data from our IAM/auth0 service that's used for session management and for any actions that write to our database (classifications or adding notes). The access token is stored as `user` and `userSession` in local storage.

2) Taskcluster credentials are retrieved via its third party login service. These are required for any actions performed on jobs (like retriggering jobs) and the access tokens are stored as `userCredentials` in local storage, indexed by root url (firefox-ci and community).

The changes to be made are (which could be broken out into separate bugs or pull requests):
1) Currently if a user retriggers a job, we'll first check if the userCredentials access token for that root url is still valid. If it isn't, they will be retrieved, then the retriggering action will be performed. However, it doesn't actually log the user in or retrieve the auth0 token - that's why users are confused.

2) I think we are currently using the implicit flow method for authentication, which means that a user is logged out after 2 hours of no activity. This should be switched to authorization flow if possible, which means a user will be logged out after 24 hours.

During our UX research project we received feedback that the login is confusing and that it is annoying to have to log in frequently.

Currently whenever a user logs in, we retrieve two different credentials:
1) User data from our IAM/auth0 service that's used for session management and for any actions that write to our database (classifications or adding notes). The access token is stored as `user` and `userSession` in local storage.

2) Taskcluster credentials are retrieved via its third party login service. These are required for any actions performed on jobs (like retriggering jobs) and the access tokens are stored as `userCredentials` in local storage, indexed by root url (firefox-ci and community).

The changes to be made are (which could be broken out into separate bugs or pull requests):
1) Currently if a user retriggers a job, we'll first check if the userCredentials access token for that root url is still valid. If it isn't, they will be retrieved, then the retriggering action will be performed. However, it doesn't actually log the user in or retrieve the auth0 token - that's why users are confused.

2) I think we are currently using the OAuth implicit flow method for authentication, which means that a user is logged out after 2 hours of no activity. This should be switched to authorization flow if possible, which means a user will be logged out after 24 hours.

During our UX research project we received feedback that the login is confusing and that it is annoying to have to log in frequently.

Currently whenever a user logs in, we retrieve two different credentials:
1) User data from our IAM/auth0 service that's used for session management and for any actions that write to our database (classifications or adding notes). The access token is stored as `user` and `userSession` in local storage.

2) Taskcluster credentials are retrieved via its third party login service. These are required for any actions performed on jobs (like retriggering jobs) and the access tokens are stored as `userCredentials` in local storage, indexed by root url (firefox-ci and community).

The changes to be made are (which could be broken out into separate bugs or pull requests):
1) Currently if a user retriggers a job, we'll first check if the userCredentials access token for that root url is still valid. If it isn't, a new token will be retrieved, then the retriggering action will be performed. However, it doesn't actually log the user in to Treeherder or retrieve the auth0 token - that's why users are confused.

2) I think we are currently using the OAuth implicit flow method for authentication, which means that a user is logged out after 2 hours of no activity. This should be switched to authorization flow if possible, which means a user will be logged out after 24 hours.

During our UX research project we received feedback that the login is confusing and that it is annoying to have to log in frequently.

Currently whenever a user logs in, we retrieve two different credentials:
1) User data from our IAM/auth0 service that's used for session management and for any actions that write to our database (classifications or adding notes). The access token is stored as `user` and `userSession` in local storage.

2) Taskcluster credentials are retrieved via its third party login service. These are required for any actions performed on jobs (like retriggering jobs) and the access tokens are stored as `userCredentials` in local storage, indexed by root url (firefox-ci and community).

The changes to be made are (which could be broken out into separate bugs or pull requests):
1) Currently if a user retriggers a job, we'll first check if the userCredentials access token for that root url is still valid. If it isn't, a new token will be retrieved, then the retriggering action will be performed. However, it doesn't actually log the user in to Treeherder or retrieve the auth0 token - that's why users are confused.

2) I think we are currently using the OAuth implicit flow method for authentication, which means that a user is logged out after 2 hours of no activity. This should be switched to authorization code flow if possible, which means a user will be logged out after 24 hours.
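As an added example (not Treeherder's own code), the check that change 1) above asks for, written in JavaScript: before a job action such as a retrigger, require a valid Treeherder (auth0) session first, and only then look at the Taskcluster credentials for the job's root url. The key names `user`, `userSession` and `userCredentials` come from the bug; the JSON layout inside them, the `expiresAt`/`expires` fields, the root url labels and the in-memory storage stand-in are assumptions made so the example runs offline.

```javascript
// Added example, not Treeherder's code. The keys `user`, `userSession` and
// `userCredentials` come from the bug; the JSON layout inside them is assumed.
function makeStorage(initial = {}) {
  // Minimal stand-in for window.localStorage so the example runs under Node.
  const data = { ...initial };
  return { getItem: (k) => (k in data ? data[k] : null) };
}

function readJson(storage, key) {
  const raw = storage.getItem(key);
  if (raw === null) return null;
  try { return JSON.parse(raw); } catch (e) { return null; }
}

// Treeherder (Auth0) session: assumed to carry an ISO-8601 `expiresAt`.
function hasValidTreeherderSession(storage, now) {
  const session = readJson(storage, 'userSession');
  if (!session || !readJson(storage, 'user')) return false;
  return Date.parse(session.expiresAt) > now; // NaN compares false: missing => invalid
}

// Taskcluster credentials: assumed to be an object keyed by root url, each
// entry carrying an ISO-8601 `expires`.
function hasValidTaskclusterCredentials(storage, rootUrl, now) {
  const creds = readJson(storage, 'userCredentials');
  const entry = creds && creds[rootUrl];
  return Boolean(entry) && Date.parse(entry.expires) > now;
}

// Order matters: require a Treeherder login first, then refresh the
// Taskcluster credentials for this root url, and only then run the job action.
function nextStepForJobAction(storage, rootUrl, now = Date.now()) {
  if (!hasValidTreeherderSession(storage, now)) return 'login-required';
  if (!hasValidTaskclusterCredentials(storage, rootUrl, now)) {
    return 'refresh-taskcluster-credentials';
  }
  return 'proceed';
}

// Constructed sample: Treeherder session already expired, Taskcluster still valid.
const NOW = Date.parse('2020-06-03T12:00:00Z');
const sampleStorage = makeStorage({
  user: JSON.stringify({ email: 'user@example.com' }),
  userSession: JSON.stringify({ expiresAt: '2020-06-03T10:00:00Z' }),
  userCredentials: JSON.stringify({ 'firefox-ci': { expires: '2020-06-04T00:00:00Z' } }),
});
console.log(nextStepForJobAction(sampleStorage, 'firefox-ci', NOW)); // → "login-required"
```

With the current behaviour described in the bug, the sample above would silently reuse the still-valid Taskcluster credentials; the ordered check instead surfaces the missing Treeherder login.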
