providers/oauth2: fix double login required when prompt=login
Signed-off-by: Jens Langhammer <jens.langhammer@beryju.org>
parent
dcf074650e
commit
92f2a82c03
|
@ -23,6 +23,7 @@ from authentik.core.api.providers import ProviderSerializer
|
||||||
from authentik.core.models import Application
|
from authentik.core.models import Application
|
||||||
from authentik.events.models import EventAction
|
from authentik.events.models import EventAction
|
||||||
from authentik.policies.engine import PolicyEngine
|
from authentik.policies.engine import PolicyEngine
|
||||||
|
from authentik.stages.user_login.stage import USER_LOGIN_AUTHENTICATED
|
||||||
|
|
||||||
LOGGER = get_logger()
|
LOGGER = get_logger()
|
||||||
|
|
||||||
|
@ -122,6 +123,7 @@ class ApplicationViewSet(ModelViewSet):
|
||||||
)
|
)
|
||||||
def list(self, request: Request) -> Response:
|
def list(self, request: Request) -> Response:
|
||||||
"""Custom list method that checks Policy based access instead of guardian"""
|
"""Custom list method that checks Policy based access instead of guardian"""
|
||||||
|
self.request.session.pop(USER_LOGIN_AUTHENTICATED, None)
|
||||||
queryset = self._filter_queryset_for_list(self.get_queryset())
|
queryset = self._filter_queryset_for_list(self.get_queryset())
|
||||||
self.paginate_queryset(queryset)
|
self.paginate_queryset(queryset)
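Review bot: The added `self.request.session.pop(USER_LOGIN_AUTHENTICATED, None)` at the top of `list` carries no comment, and nothing in this file explains why a read-only listing endpoint mutates the session. The only explanation is the comment in the authorize view, so a later refactor of this method could drop the line and silently change how `prompt=login` is enforced. I would add `# Clear the just-logged-in marker set by UserLoginStageView; AuthorizationFlowInitView reads it when prompt=login is requested` directly above the call. The body of `list` continues past the end of the hunk.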
|
||||||
|
|
||||||
|
|
|
@ -54,6 +54,7 @@ from authentik.stages.consent.stage import (
|
||||||
PLAN_CONTEXT_CONSENT_PERMISSIONS,
|
PLAN_CONTEXT_CONSENT_PERMISSIONS,
|
||||||
ConsentStageView,
|
ConsentStageView,
|
||||||
)
|
)
|
||||||
|
from authentik.stages.user_login.stage import USER_LOGIN_AUTHENTICATED
|
||||||
|
|
||||||
LOGGER = get_logger()
|
LOGGER = get_logger()
|
||||||
|
|
||||||
|
@ -437,6 +438,10 @@ class AuthorizationFlowInitView(PolicyAccessView):
|
||||||
if (
|
if (
|
||||||
PROMPT_LOGIN in self.params.prompt
|
PROMPT_LOGIN in self.params.prompt
|
||||||
and SESSION_NEEDS_LOGIN not in self.request.session
|
and SESSION_NEEDS_LOGIN not in self.request.session
|
||||||
|
# To prevent the user from having to double login when prompt is set to login
|
||||||
|
# and the user has just signed it. This session variable is set in the UserLoginStage
|
||||||
|
# and is (quite hackily) removed from the session in applications's API's List method
|
||||||
|
and USER_LOGIN_AUTHENTICATED not in self.request.session
|
||||||
):
|
):
|
||||||
self.request.session[SESSION_NEEDS_LOGIN] = True
|
self.request.session[SESSION_NEEDS_LOGIN] = True
|
||||||
return self.handle_no_permission()
|
return self.handle_no_permission()
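Review bot: The new `and USER_LOGIN_AUTHENTICATED not in self.request.session` clause skips the forced re-authentication for as long as that key stays in the session, and nothing in this view removes it. The only removal visible in this commit is the `pop` in the applications list API, so a session that never calls that endpoint would presumably keep satisfying `prompt=login` without a fresh login, which is the guarantee relying parties ask for with that parameter. Consuming the marker where it is checked would make it one-shot: `just_logged_in = self.request.session.pop(USER_LOGIN_AUTHENTICATED, False)` before the `if`, then `and not just_logged_in` in place of the new clause. Before doing that, confirm the view is not entered twice within a single login round trip. The enclosing method starts and ends outside the hunk.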
|
||||||
|
|
|
@ -353,7 +353,7 @@ if _ERROR_REPORTING:
|
||||||
environment=CONFIG.y("error_reporting.environment", "customer"),
|
environment=CONFIG.y("error_reporting.environment", "customer"),
|
||||||
send_default_pii=CONFIG.y_bool("error_reporting.send_pii", False),
|
send_default_pii=CONFIG.y_bool("error_reporting.send_pii", False),
|
||||||
)
|
)
|
||||||
set_tag("authentik:build_hash", os.environ.get(ENV_GIT_HASH_KEY, ""))
|
set_tag("authentik:build_hash", os.environ.get(ENV_GIT_HASH_KEY, "tagged"))
|
||||||
set_tag(
|
set_tag(
|
||||||
"authentik:env", "kubernetes" if "KUBERNETES_PORT" in os.environ else "compose"
|
"authentik:env", "kubernetes" if "KUBERNETES_PORT" in os.environ else "compose"
|
||||||
)
|
)
|
||||||
|
|
|
@ -12,6 +12,7 @@ from authentik.stages.password.stage import PLAN_CONTEXT_AUTHENTICATION_BACKEND
|
||||||
|
|
||||||
LOGGER = get_logger()
|
LOGGER = get_logger()
|
||||||
DEFAULT_BACKEND = "django.contrib.auth.backends.ModelBackend"
|
DEFAULT_BACKEND = "django.contrib.auth.backends.ModelBackend"
|
||||||
|
USER_LOGIN_AUTHENTICATED = "user_login_authenticated"
|
||||||
|
|
||||||
|
|
||||||
class UserLoginStageView(StageView):
|
class UserLoginStageView(StageView):
|
||||||
|
@ -43,5 +44,6 @@ class UserLoginStageView(StageView):
|
||||||
flow_slug=self.executor.flow.slug,
|
flow_slug=self.executor.flow.slug,
|
||||||
session_duration=self.executor.current_stage.session_duration,
|
session_duration=self.executor.current_stage.session_duration,
|
||||||
)
|
)
|
||||||
|
self.request.session[USER_LOGIN_AUTHENTICATED] = True
|
||||||
messages.success(self.request, _("Successfully logged in!"))
|
messages.success(self.request, _("Successfully logged in!"))
|
||||||
return self.executor.stage_ok()
|
return self.executor.stage_ok()
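Review bot: The new module constant `USER_LOGIN_AUTHENTICATED` is a session key that this commit reads and clears in two other modules, but its definition has no comment saying so. Someone renaming or removing it here has no hint that the OAuth2 `prompt=login` check depends on it. I would add `# Session key set after a successful login; read by the OAuth2 authorize view's prompt=login check and cleared by the applications list API` above the constant. The method that sets the key starts outside the second hunk.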
|
||||||
|
|