Unable to login from the form page (ee.*), while it works from the main KoboToolbox one (kf.*)

There is in my opinion a major UX bug when creating users.

The use case is simple: as an entity, I created a form that will be used by a select group of third-party people.
Those people (more than 200) will then use the form to enter data that are tied to them (hence I add the username in the metadata).
They won't have permission to view the submissions of others (so I had to remove the 'View submissions' permission, since there is no 'View own submissions' permission that I know of).

In order to simplify the account creation difficulties, I created a script to batch-create those third-party accounts in KoboToolbox.
I checked, and those accounts can log in to KoboToolbox; everything is working fine.
Since I do not want anonymous submissions for this form, I updated the account settings for the account that created the form to force authentication to view the forms and submit data.

Now, here is the problem I encounter: using the account that created the form, I give the "Add submissions/view submissions" permissions to 2 accounts whose usernames are user92 and user93.

To test that the permissions are OK, I followed 2 testing paths:

Path 1:

  • Use a browser with no cookies nor any storage data for the KoboToolbox domain (i.e. https://ee.mydomain.com/)
  • Go to https://kf.mydomain.com/, then log in with user92.
  • Then from there, open the form https://ee.mydomain.com/x/Foobar; everything is working as intended.

Path 2:

  • Use a browser with no cookies nor any storage data for the KoboToolbox domain (i.e. https://ee.mydomain.com/)
  • Since the third-party users are not really tech-savvy, I want to send them the direct form URL, so that they just have to log in to see the form
  • So I paste the form URL https://ee.mydomain.com/x/Foobar in the browser
  • I can see that the form is not displayed, and a login/password is asked for (great!)
  • I enter the credentials for user93, then hit Submit
  • Then, UX-wise, it fails spectacularly since the login page is just reloaded and cleared; the user is stuck in an infinite loop where logging in never gets him out of the login page! (the URL in the browser is https://ee.mydomain.com/login?return_url=https%3A%2F%2Fee.mydomain.com%2Fx%2FFoobar)
  • Trying to force the URL to https://ee.mydomain.com/x/Foobar redirects the user to the login page

The expected result is that logging in should:

  • succeed, and
  • return the user to the form, not the login page

To give more technical details, I checked the network tab when trying to log in, and I see:

  • login?return_url… POST → 302 Found
  • Foobar GET → 200 OK
  • lots of successful woff/css/svg requests
  • Foobar POST → 401 Unauthorized
  • then loop again

It seems the login via ee.mydomain does not work.
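The request sequence from the network tab can be replayed from a script rather than re-clicked in a cookie-less browser, which makes the loop reproducible and lets you confirm when it is fixed. The following is an added example, not code from the report or from KoboToolbox/Enketo: it drives the same three requests (POST /login?return_url=…, GET the form, POST the form) through one shared cookie jar with redirects left unfollowed, and classifies the result as the reporter's symptom (302 / 200 / 401) or a healthy session. The login field names `username`/`password`, the empty submission body and the `ReplayTransport` statuses are assumptions and constructed data; only the paths come from the report.

```python
# Added example (not from the report): replay the ee.* login path with one
# shared cookie jar and classify the outcome as "login-loop" or "ok".
import http.cookiejar
import urllib.error
import urllib.parse
import urllib.request

LOGIN_PATH = "/login"      # login URL from the report
FORM_PATH = "/x/Foobar"    # form URL from the report


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 302s, so every hop shows up in the trace as its own status."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


class UrllibTransport:
    """Live transport: one CookieJar for the whole flow, redirects not followed."""
    def __init__(self):
        self.opener = urllib.request.build_opener(
            urllib.request.HTTPCookieProcessor(http.cookiejar.CookieJar()), NoRedirect())

    def request(self, method, url, body=None):
        req = urllib.request.Request(url, data=body, method=method)
        try:
            with self.opener.open(req) as resp:
                return resp.status
        except urllib.error.HTTPError as err:   # 302 and 401 are raised by urllib; keep the code
            return err.code


class ReplayTransport:
    """Constructed offline stand-in that answers with fixed statuses per (method, path)."""
    def __init__(self, statuses):
        self.statuses = dict(statuses)

    def request(self, method, url, body=None):
        return self.statuses[(method, urllib.parse.urlsplit(url).path)]


def run_flow(transport, base, username, password):
    """POST /login?return_url=<form>, then GET and POST the form, all in one session."""
    form_url = base + FORM_PATH
    login_url = base + LOGIN_PATH + "?" + urllib.parse.urlencode({"return_url": form_url})
    # Field names are an assumption; check the real login form's <input name=...> values.
    creds = urllib.parse.urlencode({"username": username, "password": password}).encode()
    return [
        ("POST", LOGIN_PATH, transport.request("POST", login_url, creds)),
        ("GET", FORM_PATH, transport.request("GET", form_url)),
        # Body is a constructed placeholder: a 401 here means auth was rejected before any parsing.
        ("POST", FORM_PATH, transport.request("POST", form_url, b"")),
    ]


def diagnose(trace):
    """Map the three statuses onto the reporter's symptom or a healthy session."""
    login, get, post = (status for _, _, status in trace)
    if login == 302 and get == 200 and post == 401:
        return "login-loop"   # login accepted, form served, submission rejected: session not carried
    if login == 302 and get == 200 and post < 400:
        return "ok"
    return f"unexpected:{login}/{get}/{post}"


# Statuses as listed in the report's network tab (constructed replay of that observation).
OBSERVED = {("POST", LOGIN_PATH): 302, ("GET", FORM_PATH): 200, ("POST", FORM_PATH): 401}

if __name__ == "__main__":
    # Offline replay of the report; swap in UrllibTransport() to check a live ee.* host.
    trace = run_flow(ReplayTransport(OBSERVED), "https://ee.mydomain.com", "user93", "secret")
    print(diagnose(trace), trace)
```

Against a live server, run the same flow twice, once with `base` set to the ee.* host and once to the kf.* host, and compare the two traces: the report says only the ee.* path ends in the 401, so a fix should make both traces diagnose as "ok".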