Immediately logged out when using password reset form

On a site using 7.x...beta2 series:

I just went through the process with a trusted browser (logged in directly) and without a trusted browser (required input of totp code) and both flowed as expected.

My account does have tfa-totp setup but it is not required for any of my roles.

Can you provide more information about your configuration and user so it's possible to reproduce the issue?

FWIW, I see this same behaviour, but do not have OpenID enabled. This is on a vanilla D7, installed with the Standard profile and nothing special enabled except this module and tfa_basic. This *is* with a user who has not set up TFA yet. Basically, I'm trying to figure out what a sane workflow would be for creating a new user, with a role that requires TFA. I was also considering to open an issue about that, but wanted to see what happens when trying to use the reset password (or the reset link in the welcome email). I hoped the user would be forced to setup TFA, I suppose.

I think that it would be generally useful if we took this discussion on a general level that would constitute a "best practise" behaviour and guideline for other module developers that are also figuring out such workflow and cross-module compatibilities.

The following modules have similar/related considerations and "reported bugs" up for discussion and needs to play nicer together, including (perhaps especially) with this module. (I will check and post related issue links back here.)

https://www.drupal.org/project/issues/legal (compatibility/workflow challenge when incidentally required to accept new Terms-of-service version at the same time as having a login problem and using a reset link)
https://www.drupal.org/project/issues/yubikey
https://www.drupal.org/project/issues/passwordless
https://www.drupal.org/project/issues/login_destination

@eelkeblok can you please detail the steps to repeat?

• Create a new user in admin, asign them a role that requires TFA. Let the system send an email to notify the user of the new account.
• Follow the reset password link in the email
• You will be presented with the one time login form. Click the button.
• Note how you are immediately logged out again.

The same sort of thing seems to happen when you enable requiring TFA on a role that already has users, when a user with that role tries to log in (I actually locked my self out of my development system doing that for the admin role). It's basically a catch-22, where you need to be logged in in your account to be able to set up TFA, but you can not log in because TFA is required for your role and you don't have it set up.

The list turns up empty (like I said, fresh install of the "Standard" install profile, plus tfa and tfa_basic modules, and now devel to execute the code). My issue is similar in that I see the same behaviour. Root cause might well be different. I am using a role that has mandatory TFA, which causes a problem for accounts that do not have TFA set up yet.

I am facing the same issue. As Leeteq said we should took this to general level discussion. Can anybody tell me where and how can I find the solution and contribute to solution for this issue.

I traced my problem back to how tfa_basic and tfa work together to implement the tfa required functionality. I've created a new issue: #2564813: UI feedback ("Login disallowed") can disappear

IMO it's not safe to neglect all hook_user_logout() implementations.

edit: removed most of my comment after looking into OpenID's code