As designed XenForo SSO does not work for admin panel login

Kirby

Well-known member
Affected version: 2.3.0 Beta 4
I've set up an OAuth client in one XenForo instance ("XenForo A") and configured another instance ("XenForo B") with a connected account type "XenForo"

This does work just fine for public pages.

But as soon as I try to use the admin panel on "XenForo B" I am not logged in via my connected account and I don't see an option to log in - the admin panel login screen just gives options for username and password or passkey.

I don't have a password or a passkey - just my connected account.

As this is advertised as Single Sign-On I should be able to access the admin panel with just my connected account.
 
Feel free to suggest it, but I don't see how this is a bug. We have never supported connected accounts as a login method for the admin control panel and honestly I'm not sure it's sensible to.

We wouldn't want to see a situation where people's admin panels are being broken into via login methods that could be less secure.

In situations where a password is required and one isn't set, one can be set by resetting the password under account.
 
We have never supported connected accounts as a login method for the admin control panel and honestly I'm not sure it's sensible to.
Well, until now XenForo had no Single Sign On feature.

But now it has one:

Your XenForo installation will be able to act as an OAuth2 server and this opens up a whole array of advanced use cases:
Single sign on between your forum and another XenForo installation
Single sign on between your forum and another software

To me, the current implementation is not really SSO - it's more like "Frontend Only SSO" so I feel that this is a bug (or a documentation issue and the advertising of the feature needs to be refined to make it clear that it is "limited SSO").

Especially in a corporate environment it IMHO certainly makes sense to have "true" SSO (with an IdP like Azure, Google Workspace, Keycloak, etc.) and maybe not even allow "local login".

We wouldn't want to see a situation where people's admin panels are being broken into via login methods that could be less secure.
Totally agreed, I certainly wouldn't want admin accounts to log in via Facebook where I have no control over how the user is authenticated by the IdP.
But I probably would also like them to be able to log in via a connected account on our internal "main" XenForo instance.

In situations where a password is required and one isn't set, one can be set by resetting the password under account.
Sure, but as said before - there might be setups where admin accounts should not even have a password.
 
To me it is a bug as the advertised SSO feature does not fully work as I would expect SSO to work.

But we can agree to disagree here.

At least (as already mentioned) it would be nice to make it clear that "XenForo Single-Sign On" is limited to the frontend.
 