UX issues related to Identity #115
Description
From @SteveSandersonMS on May 9, 2016 16:32
It's debatable to what extent any of these are "bugs", since the template is just a starting point and not meant to be a finished, polished app. But many of them can be fixed easily.
-
Default "External Logins" UX is confusing
It says "External logins: 0 [Manage]". When you click 'Manage', it takes you to a blank page (there's just a heading - no content). What's an end user supposed to do with this? There should at least be some instructions here for the developer, like on other pages.
-
Default 'Manage your account' layout is bad
The text "Two-Factor Authentic..." is truncated for no good reason, and its counterpart in the next column isn't correctly vertically aligned with it.
-
Change password UI is rough
The heading "Change Password." is inconsistently capitalised (on other pages like "Log in." and "Forgot your password?" we don't capitalise the first letter of each word). The subheading, "Change Password Form", is completely pointless. Suffixing headings like "Change Password." with period characters is weird and ugly in my opinion, though that's just a matter of personal preference.
-
The account management page is hard to discover
To reach it, you have to click the part of the heading that says "Hi [username]!". There's no clear indication that this is how to manage your account.
-
When using confirmation URLs, the registration flow provides no indication of what's going on
If you set up account confirmation as per the docs, then when the user registers an account, they just get redirected back to the home page. They are not logged in, and there's no message to say their registration succeeded. It would be nice to display some sort of message like "Please check your email and click the link we sent to you.", otherwise the user may think their registration was rejected.
-
Login failed message is unhelpful
When you enter the wrong username or password, it says "Login attempt failed", without indicating whether it's a bad username or password. I know from reading the code that this is deliberate, but I don't know what sort of benefit it's supposed to provide. An attacker who wants to know whether a given username is registered can easily find out (just try to register a new account with it), so why withhold genuinely useful information from legit users?
-
Account-not-confirmed error message makes little sense
If you try to log in before confirming your account, it says "You must have a confirmed email to log in". That won't make any sense to normal users. What's a "confirmed email"? A better message would be "Please check your email and click the link we sent to you."
-
No way to resend confirmation email
If you somehow didn't receive (or accidentally deleted, etc.) your confirmation email, then your account is dead forever, because there's no way to resend it. It's worse still if v1 of your site didn't implement confirmation emails, but v2 does, because then all existing users lose their accounts.
-
Set password page when you log in with an external authentication provider
Delete this line as it looks ugly in the markup: https://github.com/aspnet/Templates/blob/dev/src/Rules/StarterWeb/IndividualAuth/Views/Manage/SetPassword.cshtml#L6
Copied from original issue: aspnet/Templates#551
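As an added example (not code from the issue or from the aspnet/Templates repository), here is one way to add the missing "resend confirmation email" action discussed above to the IndividualAuth template's AccountController. It assumes the template's `UserManager<ApplicationUser>`, `IEmailSender` and `ConfirmEmail` action; the `ResendConfirmation` action and the `ResendConfirmationSent` view are hypothetical names.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;

// Hypothetical addition to the template's AccountController; assumes the
// template's ApplicationUser model and IEmailSender service.
public partial class AccountController : Controller
{
    private readonly UserManager<ApplicationUser> _userManager;
    private readonly IEmailSender _emailSender;

    public AccountController(UserManager<ApplicationUser> userManager,
                             IEmailSender emailSender)
    {
        _userManager = userManager;
        _emailSender = emailSender;
    }

    // POST: /Account/ResendConfirmation
    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> ResendConfirmation(string email)
    {
        var user = await _userManager.FindByEmailAsync(email);

        // Only send when the account exists and is still unconfirmed; the
        // response below is identical in every case, so this endpoint does
        // not reveal which email addresses are registered.
        if (user != null && !await _userManager.IsEmailConfirmedAsync(user))
        {
            // A fresh token; the same ConfirmEmail action the registration
            // flow already uses will validate it.
            var code = await _userManager.GenerateEmailConfirmationTokenAsync(user);
            var callbackUrl = Url.Action("ConfirmEmail", "Account",
                new { userId = user.Id, code = code },
                protocol: HttpContext.Request.Scheme);

            await _emailSender.SendEmailAsync(user.Email, "Confirm your account",
                $"Please confirm your account by clicking this link: <a href='{callbackUrl}'>link</a>");
        }

        // Hypothetical view that tells the user to check their inbox and
        // click the link, regardless of whether a mail was actually sent.
        return View("ResendConfirmationSent");
    }
}
```

The same uniform response also covers the "v1 without confirmation, v2 with confirmation" case from the issue: existing unconfirmed users can request a link themselves instead of losing their accounts.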