After login, application needs to show user date and time of last login
Activity
Hey @Nguyen Phung Chi, thanks for clearly stating the limitations! Looks cool to me.
@Yan , would this be sufficient for now? I think we could also consider implementing this for the Sso-connector module, which might be a very common way our clients use to manage their users. However, I would do that in a subsequent ticket and after a discussion with Services about how to best implement it for the connector modules.
What we have implemented in this ticket might however already be enough to pass the audit and already covers Self-hosted and SaaS (through magnolia-sso module).
Some important notes for this ticket:
The scope and solutions applied for this ticket are MgnlUser (Mgnl default login) and SSO (using magnolia-sso module from version 3.1.2 and above) only.
Technically, we have 2 concrete types of users in Magnolia Core, which are "MgnlUser" and "ExternalUser" (which is extended by SsoUser). So, besides the "magnolia-sso" module, which implements the approach mentioned in the description, there are some other types of authentication which are not supported yet, meaning the last login time won't be displayed on Admincentral. They are listed below:
A client custom authentication (with a custom type of user extended from "ExternalUser")
LDAP connector module (https://git.magnolia-cms.com/projects/ENTERPRISE/repos/ldap/browse)
Sso-connector module (https://git.magnolia-cms.com/projects/SERVICES/repos/sso-connector/browse)
cc @Yan, @Matt Rajkovic, @Bertrand Renuart, @Evzen Fochr
Please let me know your concerns about this. Thank you.
For the record, as clarified with @Yan:
Question: What we are trying to achieve is to show the timestamp of the “previous login” (we may use this term to distinguish them), am I correct?
Answer from Yan:
That is correct. Upon login, we are showing the user when the last time they logged into the system was. So e.g. if I log in on Monday and then again on Wednesday and then again on Friday, the system needs to show me on Wednesday that my last login day was Monday, but on Friday that my last login was Wednesday.
I got that info from your Slack message "applies to both SaaS and onprem".
Yeah, that was the message I sent before I saw the other issues we had related to SaaS. In the end we only certify onprem and PaaS, because we wouldn't be able to implement all that is necessary on SaaS in time. Plus we are not offering it to customers yet, so there is still time. Sorry for the confusion nonetheless.
Hey @Yan , I got that info from your Slack message "applies to both SaaS and onprem".
I've updated the ticket after your clarification that we can only fix self-hosted first.
Goal
Inform the end-user about the date and time of last login immediately after logging in.
This requirement comes from a minor nonconformity we have received from both SOC2 and ENS audits.
This applies to both SaaS and DX core products, although the non-conformity was detected on self-hosted version of Magnolia. Therefore, to keep the audit, this is needed just for self-hosted. So if you need to implement it differently for self-hosted and for SaaS, you can prioritize Self-hosted first.
Further context
From @Yan :
Design ideas
This could be implemented as simple text somewhere in the interface right after login, i.e. "Your last recorded login: 2023-02-22, 08:43 GMT"
Example from Gmail (similar functionality):
Some UI options have been proposed here: https://magnolia-cms.slack.com/archives/C02R765REB0/p1677174441582829?thread_ts=1677070089.382899&cid=C02R765REB0. See the discussion in the thread for more information.
Discovery
Proposed solution:
For Mgnl user (JCR - Magnolia default login)
Define a new property previousAccess for the user node (e.g. the "superuser" node) to store the timestamp of the previous login in the "users" repository.
Set previousAccess = lastaccess, then update lastaccess to the current timestamp when a new login occurs.
For External user (SSO)
We can use the auth_time attribute from the OIDC ID Token. From the OIDC spec, https://openid.net/specs/openid-connect-core-1_0.html#RefreshTokenResponse: “if the ID Token contains an auth_time Claim, its value MUST represent the time of the original authentication - not the time that the new ID token is issued”
Define and save two new properties, last_login and previous_login, under the user profile node in the "profiles" repository, which is used to store user preferences (e.g. the Favorites app config). The user profile node is created for each authenticated user.
Set last_login with the value from the auth_time attribute of the ID Token.
If previous_login is null or does not exist, set its value from the auth_time attribute of the ID Token as well.
Update previous_login when there is a new login from another session, or even when the auth_time is different from the last_login.
This is basically the same mechanism as for the Mgnl user above.
For the UI, we have to implement the text label to show the last login time on Admincentral Home.
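The rotation described for the SSO case, as an added example that is not Magnolia or magnolia-sso code: a plain Map stands in for the user's node in the "profiles" repository, and the class and method names are hypothetical. It assumes rotation happens only when auth_time is strictly later than the stored last_login, so a refreshed ID Token (same auth_time) does not overwrite previous_login.

```java
import java.time.Instant;
import java.time.ZoneOffset;
import java.time.format.DateTimeFormatter;
import java.util.HashMap;
import java.util.Map;

public class PreviousLoginDemo {
    // Label format taken from the ticket's design idea.
    static final DateTimeFormatter FMT =
            DateTimeFormatter.ofPattern("yyyy-MM-dd, HH:mm 'GMT'").withZone(ZoneOffset.UTC);

    // profile: a Map standing in for the user's node in the "profiles" repository (assumption).
    // authTime: the ID Token's auth_time claim, in seconds since the epoch.
    static String onAuthenticated(Map<String, Long> profile, long authTime) {
        Long last = profile.get("last_login");
        if (last == null) {
            // First recorded login: last_login starts from auth_time.
            profile.put("last_login", authTime);
        } else if (authTime > last) {
            // A new authentication: the old last_login becomes previous_login.
            profile.put("previous_login", last);
            profile.put("last_login", authTime);
        }
        // Equal auth_time: token refresh in the same session, nothing rotates.
        // Older auth_time: stale token, ignored so the record never moves backwards.
        profile.putIfAbsent("previous_login", authTime); // null or missing: use auth_time
        long shown = profile.get("previous_login");
        return "Your last recorded login: " + FMT.format(Instant.ofEpochSecond(shown));
    }

    public static void main(String[] args) {
        Map<String, Long> profile = new HashMap<>();
        // Constructed sample auth_time values: a Monday, Wednesday and Friday login.
        long mon = Instant.parse("2023-02-20T08:43:00Z").getEpochSecond();
        long wed = Instant.parse("2023-02-22T08:43:00Z").getEpochSecond();
        long fri = Instant.parse("2023-02-24T08:43:00Z").getEpochSecond();
        long[] tokens = {mon, mon, wed, wed, fri}; // repeats model refreshed ID Tokens
        for (long authTime : tokens) {
            System.out.println(onAuthenticated(profile, authTime));
        }
    }
}
```

The value shown to the user is always previous_login, never last_login, which is what keeps the label from simply echoing the login that just happened.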