
Rebrand user access denied page #3141

Closed
4 tasks
janagombitova opened this issue Jul 19, 2019 · 5 comments


@janagombitova
Contributor

janagombitova commented Jul 19, 2019

[Image: Screen Shot 2019-07-19 at 10 41 24]

With moving to Auth0 and creating a new login page that follows the new Akvo brand, we also need to make sure that this page follows the same style guide too.

This page shows if a user signs up to Flow but is not a user on Flow.

The user setup works like this:

  1. Organisation admin creates a new user (with a name, email, and permissions)
  2. Organisation admin informs the new user about her having access to Flow
  3. She goes to the Flow URL and clicks to log in (if using a Google account) or to sign up (if she is using a different account, to create a password)
  4. She enters Flow and sees what she has access to

To do:

@Kiarii

Kiarii commented Jul 22, 2019

@janagombitova correct me if I am wrong, where in the login workflow would the user see this page? Would it be if they attempted to reset their password and Flow would recognize that the email is not registered to some account?

@janagombitova
Contributor Author

@Kiarii I will try my best to explain below, but I think we should have a call too ;)

To be able to access Flow (or Lumen) your user (email) needs to exist in the Flow instance. So the organisational admin first needs to add your user email to Flow (in the Users tab). Only then can you log in.

You can log in in two ways:

1. Using Google.

Your organisational admin added your Google email to create your user account in the Flow instance. You come to the Flow instance URL and hit to log in with Google. In this case, if your email exists in the Flow instance, you access the survey list. If your organisational admin did not add this email to Flow, you land on the page we are talking about.

In this case, we do not know anything about your password. So if you put in a wrong password, this is handled by Google.

2. Using an account created in Auth0.

In this case, your organisational admin has created your Flow user using any non-Google email. Note: Just because your user account exists in Flow it does not exist in Auth0 yet, until you sign up.

You come to the Flow instance URL and cannot log in with your email and password, as you did not set up your password yet. So you hit the Sign-up option. Here you fill in the email (same as the one your organisation admin added to Flow) and define your password. Now your account also exists in Auth0. And you enter Flow, as your email already exists in Flow.

In this case, we will show the page this issue is about if:

  1. You try to log in with an email and password (you have already set up in Auth0 for another Flow instance) but this email does not exist in the Flow instance. So the organisational admin did not add it in yet.
  2. You sign up and create a password (so you create an account in Auth0) but the email is not added to the Flow instance you are trying to access.

I do not know how Auth0 handles cases when you try to log in with a wrong password. I still need to test that out.
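
The two-step check described in the comment above (the identity provider confirms who you are, then the Flow instance checks whether an admin added your email), as an added example that is not part of the original comment or the project's code. `FlowInstance`, `Identity`, `gate`, the verified-email requirement, the case-insensitive comparison, the denied-attempt log and all sample emails are assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class Outcome(Enum):
    SURVEY_LIST = "survey list"
    ACCESS_DENIED = "access denied page"


@dataclass(frozen=True)
class Identity:
    """Claims left after the identity provider (Google or Auth0) accepted the login."""
    email: str
    email_verified: bool  # assumption: the provider reports this
    provider: str         # "google" or "auth0"


def normalise(email: str) -> str:
    # Assumption: emails are compared case-insensitively, ignoring stray whitespace.
    return email.strip().casefold()


class FlowInstance:
    """Hypothetical model of one Flow instance and its Users tab."""

    def __init__(self, name, admin_added_emails):
        self.name = name
        self._users = {normalise(e) for e in admin_added_emails}
        self.denied_log = []  # (provider, email) pairs, for the admin to review

    def gate(self, identity: Identity) -> Outcome:
        """Decide what an already authenticated user sees on this instance."""
        email = normalise(identity.email)
        # Assumption: an unverified email is never matched against the Users tab.
        if identity.email_verified and email in self._users:
            return Outcome.SURVEY_LIST
        self.denied_log.append((identity.provider, email))
        return Outcome.ACCESS_DENIED


# Constructed sample data: two instances, each with its own user list.
INSTANCE_A = FlowInstance("instance-a", ["Maria@Example.org", "sam@gmail.com"])
INSTANCE_B = FlowInstance("instance-b", ["lee@example.org"])

MARIA = Identity("maria@example.org", True, "auth0")         # added to instance A only
STRANGER = Identity("new.person@gmail.com", True, "google")  # never added by an admin
UNVERIFIED = Identity("lee@example.org", False, "auth0")     # email not confirmed

if __name__ == "__main__":
    for inst in (INSTANCE_A, INSTANCE_B):
        for who in (MARIA, STRANGER, UNVERIFIED):
            print(inst.name, who.email, "->", inst.gate(who).value)
```

A valid Auth0 or Google login is therefore never sufficient on its own: the same identity reaches the survey list on one instance and the access denied page on another.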

@Kiarii

Kiarii commented Jul 25, 2019

UX requirements:

  • What exactly do we want to say in the "no access" screen?
  • If we include a "request permission" button or link on this screen, where does it take the user, or what does it do?
  • If by any chance the user sends a permission request, how should they be notified that their request was a) granted or b) denied?
  • And in regard to the previous point, how is the admin notified of the request, and how do they respond to it?
  • If the user by any chance (maybe this doesn't apply for now but might in the future) is logged in to multiple accounts, is he able to switch between those accounts when trying to see which has access to the desired instance?

If we go by something like this: should we consider the possibility of one user having multiple accounts, and if so, how should that be handled? Should the user have to log out to switch accounts, or can they do so without having to log out?
[image]

@Kiarii

Kiarii commented Jul 26, 2019

For the first iteration I am assuming the user will have to request permission manually, in which case the no permission screen might look as follows:
[image]

loicsans added a commit that referenced this issue Aug 15, 2019
loicsans added a commit that referenced this issue Aug 16, 2019
loicsans added a commit that referenced this issue Aug 16, 2019
@janagombitova
Contributor Author

Checked on uat2, all works well.

@janagombitova janagombitova added this to the 1.9.50 W... W... milestone Sep 10, 2019