providers/oauth2: fix double login required when prompt=login

Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
Jens Langhammer 2021-05-19 23:34:27 +02:00
parent a74419214c
commit acf1ad91d9
4 changed files with 10 additions and 1 deletions


@ -28,6 +28,7 @@ from authentik.core.api.providers import ProviderSerializer
from authentik.core.models import Application from authentik.core.models import Application
from authentik.events.models import EventAction from authentik.events.models import EventAction
from authentik.policies.engine import PolicyEngine from authentik.policies.engine import PolicyEngine
from authentik.stages.user_login.stage import USER_LOGIN_AUTHENTICATED
LOGGER = get_logger() LOGGER = get_logger()
@ -130,6 +131,7 @@ class ApplicationViewSet(ModelViewSet):
) )
def list(self, request: Request) -> Response: def list(self, request: Request) -> Response:
"""Custom list method that checks Policy based access instead of guardian""" """Custom list method that checks Policy based access instead of guardian"""
self.request.session.pop(USER_LOGIN_AUTHENTICATED, None)
queryset = self._filter_queryset_for_list(self.get_queryset()) queryset = self._filter_queryset_for_list(self.get_queryset())
self.paginate_queryset(queryset) self.paginate_queryset(queryset)
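Review bot: The `self.request.session.pop(USER_LOGIN_AUTHENTICATED, None)` line at the top of `list` has no comment, and nothing at this site tells a reader that a read-only listing endpoint is also what re-arms the OAuth2 `prompt=login` check. I would add a comment directly above it, for example `# Clear the just-logged-in marker set by UserLoginStageView so the next prompt=login request forces re-authentication`, and mention the session side effect in the method docstring. The rest of `list` lies outside the hunk, so whether the session is touched again further down cannot be seen from here.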


@ -54,6 +54,7 @@ from authentik.stages.consent.stage import (
PLAN_CONTEXT_CONSENT_PERMISSIONS, PLAN_CONTEXT_CONSENT_PERMISSIONS,
ConsentStageView, ConsentStageView,
) )
from authentik.stages.user_login.stage import USER_LOGIN_AUTHENTICATED
LOGGER = get_logger() LOGGER = get_logger()
@ -437,6 +438,10 @@ class AuthorizationFlowInitView(PolicyAccessView):
if ( if (
PROMPT_LOGIN in self.params.prompt PROMPT_LOGIN in self.params.prompt
and SESSION_NEEDS_LOGIN not in self.request.session and SESSION_NEEDS_LOGIN not in self.request.session
# To prevent the user from having to double login when prompt is set to login
# and the user has just signed it. This session variable is set in the UserLoginStage
# and is (quite hackily) removed from the session in applications's API's List method
and USER_LOGIN_AUTHENTICATED not in self.request.session
): ):
self.request.session[SESSION_NEEDS_LOGIN] = True self.request.session[SESSION_NEEDS_LOGIN] = True
return self.handle_no_permission() return self.handle_no_permission()
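Review bot: The new `USER_LOGIN_AUTHENTICATED not in self.request.session` condition skips the forced re-authentication for as long as the flag stays in the session, and the only visible place that clears it is `ApplicationViewSet.list`. A session that never calls that endpoint after login (for example a user who is sent straight back to the relying party) would keep the flag, so later `prompt=login` requests appear to be accepted without a fresh login, which weakens the guarantee relying parties depend on for step-up checks. Consuming the marker where it is checked would bound it to one use, e.g. `and not self.request.session.pop(USER_LOGIN_AUTHENTICATED, False)` as the last condition; alternatively `UserLoginStageView` could store the login time instead of `True` and this check could accept it only within a short window. The enclosing method starts and ends outside the hunk, so any later cleanup there is not visible.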


@ -367,7 +367,7 @@ if _ERROR_REPORTING:
environment=CONFIG.y("error_reporting.environment", "customer"), environment=CONFIG.y("error_reporting.environment", "customer"),
send_default_pii=CONFIG.y_bool("error_reporting.send_pii", False), send_default_pii=CONFIG.y_bool("error_reporting.send_pii", False),
) )
set_tag("authentik:build_hash", os.environ.get(ENV_GIT_HASH_KEY, "")) set_tag("authentik:build_hash", os.environ.get(ENV_GIT_HASH_KEY, "tagged"))
set_tag( set_tag(
"authentik:env", "kubernetes" if "KUBERNETES_PORT" in os.environ else "compose" "authentik:env", "kubernetes" if "KUBERNETES_PORT" in os.environ else "compose"
) )


@ -12,6 +12,7 @@ from authentik.stages.password.stage import PLAN_CONTEXT_AUTHENTICATION_BACKEND
LOGGER = get_logger() LOGGER = get_logger()
DEFAULT_BACKEND = "django.contrib.auth.backends.ModelBackend" DEFAULT_BACKEND = "django.contrib.auth.backends.ModelBackend"
USER_LOGIN_AUTHENTICATED = "user_login_authenticated"
class UserLoginStageView(StageView): class UserLoginStageView(StageView):
@ -43,5 +44,6 @@ class UserLoginStageView(StageView):
flow_slug=self.executor.flow.slug, flow_slug=self.executor.flow.slug,
session_duration=self.executor.current_stage.session_duration, session_duration=self.executor.current_stage.session_duration,
) )
self.request.session[USER_LOGIN_AUTHENTICATED] = True
messages.success(self.request, _("Successfully logged in!")) messages.success(self.request, _("Successfully logged in!"))
return self.executor.stage_ok() return self.executor.stage_ok()