by kayman 2131 days ago
The reason your username and password are on different pages is to handle federated identities. Take a typical saas product. Initially you build your own login username and password. As you grow your users ask to login using gmail, LinkedIn or Microsoft so they don’t have to remember multiple usernames and passwords. If you enable third party login it means you have to redirect the site to the third party login page to authenticate.

To accommodate that you design your page so the user first enters username. In your system you check based on email who the identity provider is and redirect to that login journey.

For example, if Microsoft, you redirect to the Microsoft login page to authenticate.

If successful the third party login provider will send you back to your app with a JWT. In your app you check if the JWT is valid - if so allow access.

On first entering email on login, if your login provider is your own app, you redirect to your own login password page.
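The two-step flow described above, as an added example that is not code from the post or from any of the products it mentions: an email-domain lookup picks the identity provider, and when the provider sends the user back, the token is accepted only if it is signed by, and names as issuer, the provider that was chosen for that email. The domains, issuer URLs and keys are constructed for the example, and an HS256 shared secret stands in for the provider's signing key (real providers sign with RS256 and publish their public keys), so no library beyond the standard library is needed.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed home-realm table (assumption, not from the post): email domain -> identity provider.
IDP_BY_DOMAIN = {
    "contoso.example": {
        "name": "microsoft",
        "issuer": "https://login.microsoft.example/contoso",
        "login_url": "https://login.microsoft.example/authorize",
    },
    "gmail.example": {
        "name": "google",
        "issuer": "https://accounts.google.example",
        "login_url": "https://accounts.google.example/o/oauth2/auth",
    },
}
# Domains not in the table are handled by the app's own username/password page.
LOCAL_IDP = {"name": "local", "issuer": "https://app.example", "login_url": "https://app.example/login/password"}
AUDIENCE = "https://app.example"  # the 'aud' claim a token for this app must carry


def discover_idp(email):
    """Step 1: home-realm discovery. Pick the identity provider from the email's domain."""
    if "@" not in email:
        raise ValueError("not an email address")
    domain = email.rsplit("@", 1)[1].lower()
    return IDP_BY_DOMAIN.get(domain, LOCAL_IDP)


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_jwt(claims, key):
    """Stand-in for the provider's side: build an HS256-signed JWT (header.payload.signature)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(signature)}"


def verify_jwt(token, key, expected_issuer, expected_audience, now=None):
    """Step 2: the app's check. Return the claims only if signature, alg, iss, aud and exp all pass."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Allow-list the algorithm: the token's own header must not choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != expected_issuer:
        raise ValueError("issuer mismatch")
    if claims.get("aud") != expected_audience:
        raise ValueError("audience mismatch")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims


def complete_login(email, token, keys_by_idp, now=None):
    """Tie both steps together: the token must come from the provider chosen for this email,
    and must be about this user, so a token from one provider cannot log in as another's user."""
    idp = discover_idp(email)
    claims = verify_jwt(token, keys_by_idp[idp["name"]], idp["issuer"], AUDIENCE, now)
    if claims.get("email", "").lower() != email.lower():
        raise ValueError("token is for a different user")
    return {"user": claims["email"], "idp": idp["name"]}


if __name__ == "__main__":
    keys = {"microsoft": b"ms-secret", "google": b"g-secret", "local": b"local-secret"}  # constructed
    email = "alice@contoso.example"
    idp = discover_idp(email)
    print("redirect to", idp["login_url"])
    token = mint_jwt({"iss": idp["issuer"], "aud": AUDIENCE, "exp": time.time() + 300, "email": email}, keys[idp["name"]])
    print(complete_login(email, token, keys))
```

The binding between step 1 and step 2 is the point: the app remembers which provider it sent the user to and verifies the returned token against that provider's key and issuer, not against whichever provider the token claims to be from.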

4 comments

JWT == JSON Web Token

I had to look it up.

https://en.m.wikipedia.org/wiki/JSON_Web_Token

That seems like a strange flow, it means the user first has to input his email on your app, then you redirect to Microsoft, user will have to input his Microsoft email and password, and redirect back to your app.

This means the user now has to remember which email he used on your app, which is not very different from remembering which third party provider you used before.

Maybe I'm missing something, but how would you explain why Google does this two step login process?

You often don't have to put in the email again, thanks to eg. the username hint.

And then, if you're already logged in according to the auth provider, you don't have to type your password either.

A good thing about this is that the providers can require different kinds of MFA at their discretion though.

But, what would happen to that poor app if I have a live account associated with my gmail and a google account associated with my o365 mail? ....

Come to think of it, I have an email account to which I have associated an ms live account AND an o365 corporate account, and a google account ... Very confusing ...

Typically you don't even ask a user for an e-mail for an OAuth based login. I think you're talking about OpenID Connect, where you indeed need the e-mail to know which login provider is used. I haven't seen that in the wild for a long time though, most sites that offer "Login via X" use an OAuth 2.0 based login flow, either with server-side tokens (e.g. Github) or JWT token (e.g. Google).
Nitpick, OIDC is built on OAuth

There are many websites without the option of federated identities - the 2 main supermarkets here in the UK do it for example (tesco.com, sainsburys.co.uk).

Maybe they're just joining a trend that they don't realise has benefits to others but not themselves?