Self-deleting an account with SSO-only login does not redirect to `logout redirect` but to the auth URL, causing a loop

CONTEXT: With local login disabled, anonymous access disabled and an OAuth2 provider added via the Basic OAuth plugin, the logout redirect URL is respected when the user clicks to log out.

BUG: When a user tries to self-delete their account, however, they are not redirected to the logout redirect URL but back to the forum base URL, which in turn redirects to the SSO auth URL without any prompt, given that anonymous viewing is disabled.
Since the user is still logged into the SSO provider, that immediately results in their account being recreated.

I think the most immediate fix would be to simply obey the logout redirect setting after account self-deletion.
A further enhancement would be to retain a list of users who self-deleted and, on subsequent account recreation with the same details, display a prompt explaining that they are attempting to recreate an account that was previously deleted, allowing them to avoid it. Even better if the admin could opt in to requiring manual activation of such recreated accounts by staff.

2 Likes
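The redirect chain described in the post above, modelled as an added example in Ruby (Discourse is a Rails app). This is not Discourse's own code: `SsoProvider`, `Forum`, the routes (`/login`, `/auth/sso`, `/auth/sso/callback`), the `delete_redirect` / `warn_recreated` options and the `alice@example.com` account are all hypothetical stand-ins constructed for the simulation. It shows the reported behaviour (redirect to the base URL re-enrols the user through SSO), the two redirect targets the post proposes, and the suggested "previously deleted" guard on recreation.

```ruby
require 'set'

# Constructed stand-in for the identity provider: its own session outlives the
# forum account, so authenticate succeeds with no user interaction.
class SsoProvider
  def initialize(email)
    @email = email
  end

  def authenticate
    { email: @email }
  end
end

# Constructed minimal model of a login-required forum that creates accounts on
# first SSO login. Class, route and setting names here are hypothetical.
class Forum
  attr_reader :users, :trace

  # delete_redirect: :base_url (the behaviour reported), :login (send the user
  # to the login page) or :logout_redirect (obey the logout redirect setting).
  def initialize(sso:, logout_redirect: nil, delete_redirect: :base_url, warn_recreated: false)
    @sso = sso
    @logout_redirect = logout_redirect
    @delete_redirect = delete_redirect
    @warn_recreated = warn_recreated
    @users = {}          # email => account record
    @deleted = Set.new   # emails of self-deleted accounts
    @trace = []          # every path the simulated browser was sent to
  end

  # Simulate the browser following redirects from `path`; the session hash is
  # mutated in place. Returns a symbol naming the page finally rendered.
  def get(path, session)
    @trace << path
    raise "redirect loop after #{@trace.size} hops" if @trace.size > 10
    case path
    when %r{\Ahttps?://}
      :left_site                          # external logout redirect target
    when '/login'
      :login_page                         # shows the SSO button, no auto-login
    when '/auth/sso'
      session[:sso_email] = @sso.authenticate[:email]   # IdP answers at once
      get('/auth/sso/callback', session)
    when '/auth/sso/callback'
      email = session[:sso_email]
      if @warn_recreated && @deleted.include?(email) && !@users.key?(email)
        return :previously_deleted_prompt # enhancement: warn before recreating
      end
      @users[email] ||= { email: email }  # create-on-first-login
      session[:email] = email
      get('/', session)
    else
      return get('/auth/sso', session) unless session[:email]  # login required
      :forum_page
    end
  end

  # Account self-deletion followed by the post-deletion redirect.
  def self_delete(session)
    email = session.delete(:email)
    @users.delete(email)
    @deleted << email
    target = case @delete_redirect
             when :login           then '/login'
             when :logout_redirect then @logout_redirect || '/login'
             else '/'
             end
    get(target, session)
  end
end

# Log in once via SSO, self-delete, and report where the user ended up, how
# many accounts exist afterwards and which paths the browser was sent through.
def simulate(delete_redirect:, logout_redirect: nil, warn_recreated: false)
  forum = Forum.new(sso: SsoProvider.new('alice@example.com'),
                    logout_redirect: logout_redirect,
                    delete_redirect: delete_redirect,
                    warn_recreated: warn_recreated)
  session = {}
  forum.get('/', session)        # first visit creates the account through SSO
  forum.trace.clear
  outcome = forum.self_delete(session)
  { outcome: outcome, users: forum.users.size, hops: forum.trace.dup }
end

if __FILE__ == $PROGRAM_NAME
  %i[base_url login logout_redirect].each do |mode|
    p(mode => simulate(delete_redirect: mode, logout_redirect: 'https://idp.example/logout'))
  end
  p(recreate_guard: simulate(delete_redirect: :base_url, warn_recreated: true))
end
```

With `:base_url` the trace is `/` then `/auth/sso` then `/auth/sso/callback` then `/` again and the account is back; with `:login` or a logout redirect the browser never reaches the SSO route and the user count stays at zero. The `warn_recreated` branch is the cheap version of the enhancement the post suggests: the deleted-email set is consulted in the SSO callback before create-on-first-login runs.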

Just to verify - this is the plugin in question here?

Also - getting my head back into OAuth - but I'm guessing I need to be setting up a local OAuth2 provider to test this? Is that right? And is there one you recommend? @nat

Yeah!

The readme on that plugin you shared here looks like a good place to start.

1 Like

Hi Chris,

Yes, in my case I was using the plugin you mentioned with Authentik as the provider specifically, and it all works as intended except for getting re-enrolled on an account delete due to the redirect loop described.

Cheers

1 Like

This is merged. redirect to /login after account delete to prevent recreation of sso account by marstall · Pull Request #22575 · discourse/discourse · GitHub

2 Likes