Orchard Core intermittently displays login options when only one external provider is configured

[dturska]

Describe the bug

When using Orchard Core with a single external identity provider configured for login and the option "Use external provider for login" enabled in the admin settings, the login screen intermittently displays a choice between the external provider and the standard username/password login. It is expected that the system should automatically redirect to the external provider for authentication without showing the login screen.

Orchard Core version

2.1.2

To Reproduce

1. Go to Settings > External Login in the Orchard Core admin dashboard.
2. Enable the "Use external provider for login" checkbox.
3. Ensure only one external provider is configured (e.g., Github).
4. Access the login page repeatedly using the same URL (e.g., https://localhost:5001/admin).

Expected behavior

The login screen should consistently redirect to the external provider for authentication without presenting the choice between username/password login and the external provider.

Actual behavior

The behavior is inconsistent and alternates between the following:

• On the first page load, it redirects to the external provider as expected.
• On subsequent page loads (odd vs. even attempts), the login screen displays a choice between the external provider and the standard login.

For example:

• First load of https://localhost:5001/admin works and redirects.
• Second load shows the login screen with options.
• Subsequent attempts alternate between the two behaviors.

Logs and screenshots

Settings Configuration:

Login Screen:

Steps to Mitigate/Workaround

No workaround identified.

Suggested Fix

Update the logic in the login flow to ensure consistent behavior when the "Use external provider for login" option is enabled, particularly when only one external provider is configured. The system should always redirect to the external provider without showing the login screen.

References

N/A

[github-actions]

Thank you for submitting your first issue, awesome! 🚀 We're thrilled to receive your input. If you haven't completed the template yet, please take a moment to do so. This ensures that we fully understand your feature request or bug report. On what happens next, see the docs.

If you like Orchard Core, please star our repo and join our community channels.

[github-actions]

We triaged this issue and set the milestone according to the priority we think is appropriate (see the docs on how we triage and prioritize issues).

This indicates when the core team may start working on it. However, if you'd like to contribute, we'd warmly welcome you to do that anytime. See our guide on contributions here.

[hishamco]

It would be nice if we give the first-time authors to start 1st PR in OC

[MikeAlhayek]

It would be nice if we give the first-time authors to start 1st PR in OC

Yes that would be super awesome! But, the author should show interest into providing a fix first :)

[dturska]

I am still encountering this issue in version 2.1.3. While I noticed that the update added code to the LoggedInAsync event, I am reproducing this error without logging in.

Scenario:

1. Without logging in, if I navigate to https://localhost/admin, it initially redirects as expected to the Identity Provider.

2. However, if I then paste https://localhost/admin into the browser and press Enter (without logging in), the OrchardCore login screen appears. It shows the local login option along with the external provider button.

3. Repeating this process alternates between redirecting to the external provider and showing the OrchardCore login screen with the local and external login options.

Workaround:
Locally, I’ve implemented a workaround by overriding the ExternalLoginFormEvents and clearing the tempData with the key ExternalLoginAutoRedirectKeyName every time. This doesn't seem like the proper fix though.

[MikeAlhayek]

You don't want to remove that key every time as it could cause an infinite loop for your users.

I think we need to change how we store that key to something that will be removed on the next request.