SSO auth cannot be used to logout of sessions

[exodrifter]

If you have only SSO authentication, you cannot logout of sessions. This is because if you try to log out of a session the user will be asked to do password authentication, but the account doesn't have a password. I believe this may happen because the only advertised authentication flows are password and jwt:

tuwunel/src/api/router/auth/uiaa.rs

Lines 19 to 22 in 6c91aa1

	let flows = [
	AuthFlow::new([AuthType::Password].into()),
	AuthFlow::new([AuthType::Jwt].into()),
	];

My expectation is that if the server uses single sign on, when you try to log out of a session (or any other action which requires re-authenticating), these actions would do SSO authentication.

Related:

• SSO user can't terminate/logout existing sessions element-hq/element-web#20733

[hatomist]

should be fixed by #313; but old registrations on SSO only might need migration, as the origin for those is already set to "password" instead of "sso"

though it is a partial fix I believe, with correct origin tuwunel would fall through "no auth required" for removing the sessions; instead of requiring an SSO login. which is potentially a security risk, but I'm not that familiar with how reference clients do that. assume it should ask for SSO login as shown on the screenshot in the related link, and server should check sso response instead of no auth

[alaviss]

For some more context, this is Tuwunel missing an implementation of MSC2454.