Users don't realise that they must link their account
Closed, Invalid | Public

Description

Apologies if my understanding of how the auth / registration process works is wrong; I haven't actually been through this workflow myself because my account was created a few years ago.

I manage a Phabricator installation for our company with probably 300-400 user accounts (just a guess, I don't have a list of users in front of me). Roughly once per week I get a request for help from a new user who is unable to log in to their account.

We have Phabricator configured with Google authentication. Registration is disabled, so the process for new starters is that an admin creates an account for them, which sends them a welcome email containing a link to log in. I think that what happens is that new users don't realise that they need to explicitly link their Google account to Phabricator (perhaps they assume it was done automatically). At some point in time, their session expires and they are forced to log in, which they cannot do as they never linked their account.

As I mentioned before, my understanding of the NUX process might be wrong, but our users do seem to hit this issue regularly.

To provide some additional context, we originally allowed users to register their own accounts, but we eventually disabled this because we ended up with around 30 duplicate accounts (users with more than one account). I think that this happened because users had listed an alias address in their Phabricator settings, but Google was using a canonical email address to authenticate, which didn't map to any existing user accounts (we have a lot of users that have aliases set up. For example, abraham@mycompany.com would be an alias for the canonical alincoln@mycompany.com address).

Why is registration disabled?

(I would expect you to allow registration with Google and use auth.email-domains and/or auth.require-approval to control registrations.)

If the only way to register is Google, it should be impossible to create more than one account per Google account.

That didn't seem to be the case. It might have been because we only enforced Google authentication around one year ago; before that, users could use a password for authentication. I can check later today, but perhaps the users that ended up with duplicate accounts never set up Google Auth.

epriestley closed this task as Invalid. Apr 7 2017, 1:19 PM

(Just closing this since we haven't seen an update in ~4 months and it isn't actionable.)