diff --git a/CHANGELOG.md b/CHANGELOG.md
index e4b044602..589747154 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,10 @@
# Changelog
+## Upcoming
+* Do not automatically log in (e.g. via OIDC) after logout
+* OIDC: use preferred_username as login_hint for re-authentication
+
+
## v2025.4 - 2025-01-14
* Plugin projectnumber: Add manage.py command to reset projectnumber
* Add plugin: renderfindings - Render single finding to PDF
diff --git a/api/src/reportcreator_api/conf/settings.py b/api/src/reportcreator_api/conf/settings.py
index fde21f362..0c37a0342 100644
--- a/api/src/reportcreator_api/conf/settings.py
+++ b/api/src/reportcreator_api/conf/settings.py
@@ -269,7 +269,7 @@ def remove_empty_items(lst=None):
if OIDC_AZURE_CLIENT_ID and OIDC_AZURE_CLIENT_SECRET and OIDC_AZURE_TENANT_ID:
AUTHLIB_OAUTH_CLIENTS |= {
'azure': {
- 'label': 'Azure AD',
+ 'label': 'Microsoft Entra ID',
'client_id': OIDC_AZURE_CLIENT_ID,
'client_secret': OIDC_AZURE_CLIENT_SECRET,
'server_metadata_url': f'https://login.microsoftonline.com/{OIDC_AZURE_TENANT_ID}/v2.0/.well-known/openid-configuration',
diff --git a/api/src/reportcreator_api/users/views.py b/api/src/reportcreator_api/users/views.py
index b0d7f8bfe..3e837b0b2 100644
--- a/api/src/reportcreator_api/users/views.py
+++ b/api/src/reportcreator_api/users/views.py
@@ -463,7 +463,7 @@ def login_oidc_complete(self, request, oidc_provider, *args, **kwargs):
can_reauth = (timezone.now() - timezone.make_aware(datetime.fromtimestamp(auth_time))) < timedelta(minutes=1)
res = self.perform_login(request, identity.user, can_reauth=can_reauth)
request.session['authentication_info'] |= {
- f'oidc_{oidc_provider}_login_hint': token['userinfo'].get('login_hint'),
+ f'oidc_{oidc_provider}_login_hint': token['userinfo'].get('preferred_username') or token['userinfo'].get('login_hint'),
}
return res
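Review bot: The new `preferred_username` lookup deserves a comment stating that the stored value is a hint only, because OIDC Core defines `preferred_username` as a display value that is neither guaranteed unique nor stable and the RP must not rely on it as an identifier; the line is correct as long as the session key is only ever echoed back as `login_hint` on re-authentication. I would add above the dict update: `# preferred_username is a display hint (OIDC Core 5.1: not unique or stable); it is kept solely to pre-fill login_hint on re-authentication and must never be used to match identities`. The `or` also means an empty `preferred_username` falls through to the provider's `login_hint` claim, which is presumably intended and worth stating. `login_oidc_complete` starts outside the hunk, so the userinfo access pattern that would raise on a missing `userinfo` key is not visible here and is pre-existing either way.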
diff --git a/docs/docs/setup/configuration.md b/docs/docs/setup/configuration.md
index bfc21ed0b..b3c171b1b 100644
--- a/docs/docs/setup/configuration.md
+++ b/docs/docs/setup/configuration.md
@@ -103,7 +103,7 @@ Make sure all users have SSO identities configured before enabling this option.
LOCAL_USER_AUTH_ENABLED=false
```
-Configuration of the default authentication provider when multiple authentication providers are enabled (e.g. OIDC via Azure AD and username/password).
+Configuration of the default authentication provider when multiple authentication providers are enabled (e.g. OIDC via Microsoft Entra ID and username/password).
This setting will redirect users to the default authentication provider, skipping the selection. Other authentication providers can still be used if login via the default provider fails.
Possible values: `azure`, `google`, `remoteuser`, `local` (username/password authentication)
diff --git a/docs/docs/users/oidc-azure-active-directory.md b/docs/docs/users/oidc-entra-id.md
similarity index 86%
rename from docs/docs/users/oidc-azure-active-directory.md
rename to docs/docs/users/oidc-entra-id.md
index 0764e0a70..d863958ff 100644
--- a/docs/docs/users/oidc-azure-active-directory.md
+++ b/docs/docs/users/oidc-entra-id.md
@@ -1,10 +1,10 @@
---
-title: Azure Active Directory OIDC Configuration
+title: Microsoft Entra ID OIDC Configuration
---
-# Azure Active Directory OIDC Configuration
+# Microsoft Entra ID OIDC Configuration
:octicons-heart-fill-24: Pro only
-## Configuration in Azure AD
+## Configuration in Microsoft Entra ID
1. Open [Microsoft Entra Admin Center](https://entra.microsoft.com){ target=_blank }
2. Select Applications -> App registrations -> New registration
3. In following menu:
@@ -30,7 +30,7 @@ You should now have the following values:
* Client ID
* Client secret
-* Azure tendant ID
+* Entra tendant ID
## Cloud Setup
@@ -45,12 +45,12 @@ You are lucky. Just send the values from the previous steps to us and we'll take
The values from the previous steps need to be passed as environment variables to the SysReptor docker container.
You can add them to `/deploy/app.env`:
```env
-OIDC_AZURE_TENANT_ID=
-OIDC_AZURE_CLIENT_ID=
-OIDC_AZURE_CLIENT_SECRET=
+OIDC_AZURE_TENANT_ID=
+OIDC_AZURE_CLIENT_ID=
+OIDC_AZURE_CLIENT_SECRET=
```
-The OIDC client needs to be able to establish a network connection to Azure AD.
+The OIDC client needs to be able to establish a network connection to Microsoft Entra ID.
Make sure to not block outgoing traffic.
Restart the docker container by going to `sysreptor/deploy` and:
diff --git a/docs/docs/users/oidc-setup.md b/docs/docs/users/oidc-setup.md
index 23f9d432c..c65538106 100644
--- a/docs/docs/users/oidc-setup.md
+++ b/docs/docs/users/oidc-setup.md
@@ -2,7 +2,7 @@
:octicons-heart-fill-24: Pro only
1. Configure your Identity Provider (IDP) and add configuration details to your `app.env`
- * [Azure Active Directory](../users/oidc-azure-active-directory.md)
+ * [Microsoft Entra ID](../users/oidc-entra-id.md)
* [Google Workplace/Google Identity](../users/oidc-google.md)
* [Keycloak](../users/oidc-keycloak.md)
* [Generic OIDC setup](../users/oidc-generic.md)
diff --git a/docs/mkdocs.yml b/docs/mkdocs.yml
index be4f81c7d..bd012de09 100755
--- a/docs/mkdocs.yml
+++ b/docs/mkdocs.yml
@@ -40,7 +40,7 @@ nav:
- Single Sign-On:
- SSO Setup: users/oidc-setup.md
- Keycloak: users/oidc-keycloak.md
- - Azure AD: users/oidc-azure-active-directory.md
+ - Microsoft Entra ID: users/oidc-azure-active-directory.md
- Google: users/oidc-google.md
- Generic: users/oidc-generic.md
- Forgot Password: users/forgot-password.md
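Review bot: The nav entry on the changed line still points at `users/oidc-azure-active-directory.md`, but this commit renames that file to `users/oidc-entra-id.md` (see the rename header for docs/docs/users), so the "Microsoft Entra ID" nav item references a path that no longer exists; the redirect added in the second hunk of this file covers old inbound links, not the nav itself. The line should read `- Microsoft Entra ID: users/oidc-entra-id.md`. This would presumably surface as a missing-page warning or a broken nav link at build time, depending on mkdocs' strictness settings.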
@@ -139,7 +139,8 @@ plugins:
"setup/user-permissions.md": "users/user-permissions.md"
"setup/oidc-setup.md": "users/oidc-setup.md"
"setup/oidc-keycloak.md": "users/oidc-keycloak.md"
- "setup/oidc-azure-active-directory.md": "users/oidc-azure-active-directory.md"
+ "setup/oidc-azure-active-directory.md": "users/oidc-entra-id.md"
+ "users/oidc-azure-active-directory.md": "users/oidc-entra-id.md"
"setup/oidc-google.md": "users/oidc-google.md"
"setup/oidc-generic.md": "users/oidc-generic.md"
"setup/proxy.md": "setup/configuration.md"
diff --git a/packages/frontend/src/pages/login/index.vue b/packages/frontend/src/pages/login/index.vue
index 6814f798f..84981b443 100644
--- a/packages/frontend/src/pages/login/index.vue
+++ b/packages/frontend/src/pages/login/index.vue
@@ -26,14 +26,15 @@ const auth = useAuth();
const apiSettings = useApiSettings();
useLazyAsyncData(async () => {
- // Do not auto-login after logout
- if (!route.query?.logout) {
- const authProviders = apiSettings.settings!.auth_providers;
- let defaultAuthProvider = authProviders.find(p => p.id === apiSettings.settings!.default_auth_provider);
- if (!defaultAuthProvider && authProviders.length === 1) {
- defaultAuthProvider = authProviders[0];
- }
- if (defaultAuthProvider) {
+ const authProviders = apiSettings.settings!.auth_providers;
+ let defaultAuthProvider = authProviders.find(p => p.id === apiSettings.settings!.default_auth_provider);
+ if (!defaultAuthProvider && authProviders.length === 1) {
+ defaultAuthProvider = authProviders[0];
+ }
+
+ if (defaultAuthProvider) {
+ // Do not auto-login after logout
+ if (!route.query?.logout || (authProviders.length === 1 && defaultAuthProvider.type === AuthProviderType.LOCAL)) {
await auth.authProviderLoginBegin(defaultAuthProvider);
}
}
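Review bot: The comment `// Do not auto-login after logout` now sits above a condition that deliberately still auto-forwards when the only provider is local, and the reason for that exception is not written down; a reader can easily "fix" it back. I would expand it to `// Do not auto-login after logout: an OIDC provider would silently re-establish a session, whereas the local provider only renders the password form, so opening it directly is safe`. Note also that `route.query?.logout` is truthy for any non-empty value (including `logout=false`), which is pre-existing but now the only thing standing between a logged-out user and an automatic OIDC redirect, and `AuthProviderType` is referenced without a visible import, presumably auto-imported by the layer. The `useLazyAsyncData` callback continues past the end of the hunk.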
diff --git a/packages/nuxt-base-layer/src/composables/auth.ts b/packages/nuxt-base-layer/src/composables/auth.ts
index 4040179b1..5d935351a 100644
--- a/packages/nuxt-base-layer/src/composables/auth.ts
+++ b/packages/nuxt-base-layer/src/composables/auth.ts
@@ -95,7 +95,7 @@ export function useAuth() {
} catch {
// Ignore errors
}
- await navigateTo('/login/');
+ await navigateTo('/login/?logout=true');
store.user = null;
}
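Review bot: The `?logout=true` marker is a magic string that must stay in sync with the `route.query?.logout` check in packages/frontend/src/pages/login/index.vue; consider extracting it to a shared constant or a named query-param helper so the two sides cannot drift, e.g. `await navigateTo({ path: '/login/', query: { logout: 'true' } });`. Since the `catch` block directly above ignores logout request failures, the flag is appended even when the server-side session may still be alive, which seems acceptable for a UI hint but is worth a comment such as `// best-effort: the marker only suppresses client-side auto-login, it does not guarantee the server session is gone`. `useAuth` starts outside the hunk.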