EW: Direct to MAS for sign-out in OIDC-aware mode

[hughns]

In the case of OIDC-aware clients, you cannot sign out of other sessions via the device manager in EW anymore. Instead, users will need to be guided towards the MAS UI to take this actions.

MSC3824 now describes this requirement and proposes the convention of ?action=session_end&device_id=<device_id>.

ACs

• When the HS has a MAS deployment configured:
  • Clicking the sign-out button in the EW device manager for sessions other than the current redirects to MAS
  • There is an interstitial dialog that explains that the user will be redirected to perform the action on MAS
  • The redirection lands the user on a deep-link (query hash as per the MSC)
    • Making the deep link URL actually work / perform the sign-out is covered in DM: Session end deep-link matrix-org/matrix-authentication-service#1550
  • Multi-session signout is disabled
• Otherwise, things stay as they are

[kerryarchibald]

EW doesn't currently have a way to open settings/device manager using a URL. Will MAS redirect after sign out is complete?

[hughns]

EW doesn't currently have a way to open settings/device manager using a URL. Will MAS redirect after sign out is complete?

There is no redirection after the user takes an action.

For Element Web I suggest that the URL is opened in a new tab (e.g. target="_blank").

For Element Desktop where I don't believe we have an in-app browser I suggest that the URL is opened in the native browser.

[hughns]

FYI - MAS is stripping the query params when doing it's redirect from /account to /account/ which might hamper testing. But if you right click and inspect the URL that EW has created it looks good 👍