As designed XenForo SSO does not work for admin panel login

[Kirby]

Affected version

2.3.0 Beta 4

I've set up an OAuth client in one XenForo instance ("XenForo A") and configured another instance ("XenForo B") with a connected account type "XenForo"

This does work jsut fine for public pages.

But as soon as I try to use the admin panel on "XenForo B" I am not logged in via my connected account and I don't see an option to log in - the admin panel login screen just gives options for username and pasword or passkey.

I don't have a password or a passkey - just my conneted account.

As this is advertised as Single Sign-On I should be able to access the admin panel with just my connected account.

 

[Chris D]

Feel free to suggest it, but I don't see how this is a bug. We have never supported connected accounts as a login method for the admin control panel and honestly I'm not sure it's sensible to.

We wouldn't want to see a situation where people's admin panels are being broken into via login methods that could less secure.

In situations where a password is required and one isn't set, one can be set by resetting the password under account.

 

[Kirby]

We have never supported connected accounts as a login method for the admin control panel and honestly I'm not sure it's sensible to.

Well, until now XenForo had no Single Sign On feature.

But now it has one:

XF 2.3 Thread 'Single sign on and more with OAuth2 in XenForo 2.3'

Nov 7, 2023

We're approaching the conclusion of the 'Have you seen...?' series for XenForo 2.3. While it may seem like a bittersweet moment, we've intentionally saved one of the most exciting revelations until last. In the upcoming weeks, we might delve into a few more miscellaneous changes and improvements and provide a more developer-centric round up. However, our primary goal is to have XenForo 2.3 up and running on XenForo.com by the end of November. Beyond that milestone, we're excited to share a couple more surprises with you, which will include an overview of the latest enhancements...

• Chris D
• Replies: 155
• Forum: Have you seen...?

• 
• 

Your XenForo installation will be able to act as an OAuth2 server and this opens up a whole array of advanced use cases:
Single sign on between your forum and another XenForo installation
Single sign on between your forum and another software

To me, the current implementation is not really SSO - it's more like "Frontend Only SSO" so I feel that this is a bug (or a documentation issue and the advertising of the feature needs to be refined to make it clear that it is "limited SSO").

Especially in a corporate environment it IMHO certainly makes sense to have "true" SSO (with a IdP like Azure, Google Workspace, Keycloak, etc.) and maybe not even allow "local login".

We wouldn't want to see a situation where people's admin panels are being broken into via login methods that could less secure.

Totally agreed, I certainly wouldn't want admin accouts to log in via Facebook where I have not control how the user is authenticated by the IdP.
But I probably would also like them to be able to log in via a connected account on our internal "main" XenForo instance.

In situations where a password is required and one isn't set, one can be set by resetting the password under account.

Sure, but as said before - there might be setups where admin accounts should not even have a password.

 

[Chris D]

This is a suggestion, not a bug.

 

[Kirby]

To me it is a bug as the advertised SSO feature does not fully work as I would expect SSO to work.

But we can agree to disagree here.

At least (as already mentioned) it would be nice to make it clear that "XenForo Single-Sign On" is limited to the frontend.