Self Service Account Management Login Bug - Unchecking "Keep me signed in" prevents user access
-
When using FusionAuth's Self Service Account Management system for user login, I discovered a bug I would like to raise.
I created an application in a tenant for a user to log into to edit their profile using FusionAuth's Self Service Account Management tool.
My relevant OAuth configuration for the application is as follows:
client_id: <application id>
client_secret: <obscured>
Client Authentication: "Not required when using PKCE"
PKCE: "Not required when using client authentication"
I created a user and assigned the user to my application within my tenant. I then used the Account URL (found when inspecting the application, and which takes the form <subdomain>.fusionauth.io/account/?client_id=<application id>) to attempt to log in, unchecking "Keep me signed in". FusionAuth reported a successful login on the user's page in the console, but a network trace shows that I was routed back to the login page, so it appears to the user that they did not successfully log in.
However, when I leave the "Keep me signed in" checkbox checked, and log in, I am authenticated properly and can view my user edit page.
Reported issue on GitHub: https://github.com/FusionAuth/fusionauth-issues/issues/1546
-
Interestingly, we are also looking at using this self-service module as an "embedded" page in our application. If the user doesn't select "remember me", how would one pass the authentication information from the logged-in application to this module?
Is embedding / using this page inside another page (without requiring a second login) a use case for it?