Treeherder New Login Flow

Hi,

I am writing to inform you about Treeherder’s new login flow. In the past, logging in with Treeherder meant being redirected to the login.taskcluster.net service. This had a couple of drawbacks, but one of the main annoyances was that credentials expired every 3 days. You are probably already familiar with the following error: "Your credentials are expired. They must expire every 3 days (Bug 1328434). Log out and back in again to refresh your credentials."

The new login flow now uses Auth0 instead of login.taskcluster.net for SSO. Some relevant information to note:

- When you log in for the first time, you will get a prompt asking permission for treeherder.mozilla.org to access “full-user-credentials”. It’s not something to be worried about. This is simply a request to access your taskcluster credentials. Bug 1437116 was created to change that to “taskcluster-credentials”.

- Treeherder session will stay alive as long as access to the site happens once every 24 hours. 3 days session expiry is no longer in effect.

- If an email is associated with multiple login providers, then the most secure login method should be used (LDAP > GitHub 2FA > GitHub > Google > Passwordless).

Thanks,
Hassan
0
haali
2/9/2018 5:30:23 PM
mozilla.dev.platform

On 2/9/18 9:30 AM, haali@mozilla.com wrote:
> - Treeherder session will stay alive as long as access to the site
> happens once every 24 hours. 3 days session expiry is no longer in
> effect.

This doesn't seem to be the case: I'm logged in when I go to bed, and 7
hours later when I get up I'm logged out; I'm logged in when I leave for
work, and 4.5 hours later when I get home on my lunch hour I'm logged out.
0
Phil
2/9/2018 9:28:53 PM
On 2/9/18 12:30 PM, haali@mozilla.com wrote:
> - Treeherder session will stay alive as long as access to the site happens once every 24 hours. 3 days session expiry is no longer in effect.

This seems to not be working at all.  I just carefully recorded the last 
time I logged in to treeherder: 8:39pm, on Feb 12, 2018, US/Eastern time.

It is now 9:27pm on the same day.  I just loaded treeherder.  It's 
showing me logged out.

The login didn't even last for 1 hour.

Login was done via LDAP.

-Boris
0
Boris
2/13/2018 2:28:19 AM
For both this and Phil's issue, I've filed:
https://bugzilla.mozilla.org/show_bug.cgi?id=1437824

0
emorley
2/13/2018 11:30:59 AM
The switch from `full-user-credentials` to `taskcluster-credentials` has now occurred, meaning users will see a one-off Auth0 scopes prompt for the new permissions next time they log into Treeherder.

The cause of the frequent log-outs is also believed to be fixed - please comment on bug 1437824 if experiencing otherwise. (Sessions will be maintained as long as the site has been visited once every 24 hours; bug 1439858 is filed for seeing if that can be raised to extend over weekends etc.)

Best wishes,

Ed

On Friday, 9 February 2018 17:30:26 UTC, ha...@mozilla.com wrote:
> Hi,
>
> I am writing to inform you about Treeherder’s new login flow. In the past, logging in with Treeherder meant being redirected to the login.taskcluster.net service. This had a couple of drawbacks, but one of the main annoyances was that credentials expired every 3 days. You are probably already familiar with the following error: "Your credentials are expired. They must expire every 3 days (Bug 1328434). Log out and back in again to refresh your credentials."
>
> The new login flow now uses Auth0 instead of login.taskcluster.net for SSO. Some relevant information to note:
>
> - When you log in for the first time, you will get a prompt asking permission for treeherder.mozilla.org to access “full-user-credentials”. It’s not something to be worried about. This is simply a request to access your taskcluster credentials. Bug 1437116 was created to change that to “taskcluster-credentials”.
>
> - Treeherder session will stay alive as long as access to the site happens once every 24 hours. 3 days session expiry is no longer in effect.
>
> - If an email is associated with multiple login providers, then the most secure login method should be used (LDAP > GitHub 2FA > GitHub > Google > Passwordless).
>
> Thanks,
> Hassan
0
emorley
2/21/2018 11:23:17 AM