InseeFrLab
Terms and conditions empty if cache not loaded
Hi, In order to manage the creation of account for specific users, we encountered a potential problem.
In Keycloak, when creating a user account, we ask the user to reset their password by validating their email, as well as accepting the terms and conditions.
However, when the user receives the email with the link to complete these actions and opens it in a browser that has never accessed our Datalab (and therefore has no cache related to the Datalab), they are redirected to the default Onyxia theme, and the terms and conditions fail to load properly (the page displays a request to accept the conditions, but they are "empty").
To reproduce this issue, we open the email link in a private browsing window.
We therefore suspect there is an issue with the theme loading. Even though that is an unlikely event, as it concerns the terms and conditions we need to resolve it.
Hello @Eldrile,
Thank you for pointing this out—this is indeed an issue.
The terms are provided at the Onyxia configuration level and passed via a URL parameter to the Keycloak theme. Under normal circumstances, as long as the user navigates at least once from your Onyxia instance to the login page, the terms should appear.
However, I hadn't anticipated this specific case. If the user opens their email on a phone and tries to validate it there, the terms won't be displayed.
I’ll address this and keep you updated once it's resolved. I hope it's not too urgent, as I've paused further development until I finish #827. I need to push that out as soon as possible.
Thanks for your patience.
By the way, which team are you with?
Thanks ! It's Chloé from Mercator. We have modified our process for new members until this is resolved so It will be okay.
Hey @Eldrile,
I looked into the issue, and there’s a pretty straightforward solution:
You can reorder the required actions by moving the "Accept Terms and Conditions" before the "Verify Email" action. You can easily do this by dragging the handle to adjust the order.
This way, after users fill out the form and click "Register," they will need to accept the terms first, then validate their email.
This seems like the most practical approach. Any alternative would require configuring the terms on the Keycloak side, which is arguably less convenient since we already need the link to the conditions in the Onyxia instance’s footer:
Let me know if you have any thoughts!
Hi @garronej , I thought we already tried that, but I will check it ! Thanks
Hi again, It doesn't work for us because we are creating ourselves their account. So they potentially never went to the datalab when resetting their password and in this case the terms of conditions are effectively placed before setting the password but without having ever loaded the datalab page, they appear "empty". We would need to find another way to invite them to the datalab, I will think about it.
@Eldrile,
Ah okay that makes sense.
Well the only solution then will be to make you provide the URL to the TOS in the Keycloak configuration.
Like here:
https://github.com/InseeFrLab/onyxia-ops/blob/45c12d6e7d6256b82c9e77ab27b7a8360ea584d1/apps/keycloak/values.yaml#L57-L58
It would look something like:
apps/keycloak/values.yaml
extraEnvVars:
- name: ONYXIA_RESOURCES_ALLOWED_ORIGINS
value: "https://your-datalab.fr, http://localhost, http://127.0.0.1"
- name: ONYXIA_TERMS_OF_SERVICES
value: "{ en: 'https://your-datalb.fr/custom-resources/tos_en.md', fr: 'https://your-datalb.fr/custom-resources/tos_en.md' }"
I'll let you know when it's implemented.
That would be great ! Thanks @garronej, we will do it as soon as it's available. In the meantime we are only white listing them.
It's been implemented. https://docs.onyxia.sh/admin-doc/readme/user-authentication