From 92f2a82c0377dddd810b6b26964fecbf0f04a92e Mon Sep 17 00:00:00 2001
From: Jens Langhammer
Date: Wed, 19 May 2021 23:34:27 +0200
Subject: [PATCH] providers/oauth2: fix double login required when prompt=login

Signed-off-by: Jens Langhammer
---
 authentik/core/api/applications.py | 2 ++
 authentik/providers/oauth2/views/authorize.py | 5 +++++
 authentik/root/settings.py | 2 +-
 authentik/stages/user_login/stage.py | 2 ++
 4 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/authentik/core/api/applications.py b/authentik/core/api/applications.py
index bcbb29b8c..9172ae3b1 100644
--- a/authentik/core/api/applications.py
+++ b/authentik/core/api/applications.py
@@ -23,6 +23,7 @@ from authentik.core.api.providers import ProviderSerializer
 from authentik.core.models import Application
 from authentik.events.models import EventAction
 from authentik.policies.engine import PolicyEngine
+from authentik.stages.user_login.stage import USER_LOGIN_AUTHENTICATED
 LOGGER = get_logger()
@@ -122,6 +123,7 @@ class ApplicationViewSet(ModelViewSet):
 )
 def list(self, request: Request) -> Response:
 """Custom list method that checks Policy based access instead of guardian"""
+ self.request.session.pop(USER_LOGIN_AUTHENTICATED, None)
 queryset = self._filter_queryset_for_list(self.get_queryset())
 self.paginate_queryset(queryset)
diff --git a/authentik/providers/oauth2/views/authorize.py b/authentik/providers/oauth2/views/authorize.py
index 5823631a6..5319ce40d 100644
--- a/authentik/providers/oauth2/views/authorize.py
+++ b/authentik/providers/oauth2/views/authorize.py
@@ -54,6 +54,7 @@ from authentik.stages.consent.stage import (
 PLAN_CONTEXT_CONSENT_PERMISSIONS,
 ConsentStageView,
 )
+from authentik.stages.user_login.stage import USER_LOGIN_AUTHENTICATED
 LOGGER = get_logger()
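Review bot: The added `self.request.session.pop(USER_LOGIN_AUTHENTICATED, None)` makes a read-only list endpoint mutate session state, and ties the lifetime of a flag that relaxes OAuth2 `prompt=login` handling to whether the browser happens to call this API. A client that reaches the authorize endpoint without loading the application list (a relying party that immediately re-requests authorization, for instance) never clears it, while any API consumer that lists applications clears it for the whole browser session. The marker should be consumed where it is checked rather than here; at minimum the line deserves a comment such as `# Clear the post-login marker set by UserLoginStage (checked by the OAuth2 authorize view)`. The method also reads `self.request` although it receives `request` as a parameter; they should refer to the same DRF request, but using the parameter is the conventional form. `list` continues past the end of the hunk.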
@@ -437,6 +438,10 @@ class AuthorizationFlowInitView(PolicyAccessView):
 if (
 PROMPT_LOGIN in self.params.prompt
 and SESSION_NEEDS_LOGIN not in self.request.session
+ # To prevent the user from having to double login when prompt is set to login
+ # and the user has just signed it. This session variable is set in the UserLoginStage
+ # and is (quite hackily) removed from the session in applications's API's List method
+ and USER_LOGIN_AUTHENTICATED not in self.request.session
 ):
 self.request.session[SESSION_NEEDS_LOGIN] = True
 return self.handle_no_permission()
diff --git a/authentik/root/settings.py b/authentik/root/settings.py
index a10276c06..cbca48760 100644
--- a/authentik/root/settings.py
+++ b/authentik/root/settings.py
@@ -353,7 +353,7 @@ if _ERROR_REPORTING:
 environment=CONFIG.y("error_reporting.environment", "customer"),
 send_default_pii=CONFIG.y_bool("error_reporting.send_pii", False),
 )
- set_tag("authentik:build_hash", os.environ.get(ENV_GIT_HASH_KEY, ""))
+ set_tag("authentik:build_hash", os.environ.get(ENV_GIT_HASH_KEY, "tagged"))
 set_tag(
 "authentik:env", "kubernetes" if "KUBERNETES_PORT" in os.environ else "compose"
 )
diff --git a/authentik/stages/user_login/stage.py b/authentik/stages/user_login/stage.py
index 5f82e7ac1..e6e521e11 100644
--- a/authentik/stages/user_login/stage.py
+++ b/authentik/stages/user_login/stage.py
@@ -12,6 +12,7 @@ from authentik.stages.password.stage import PLAN_CONTEXT_AUTHENTICATION_BACKEND
 LOGGER = get_logger()
 DEFAULT_BACKEND = "django.contrib.auth.backends.ModelBackend"
+USER_LOGIN_AUTHENTICATED = "user_login_authenticated"
 class UserLoginStageView(StageView):
@@ -43,5 +44,6 @@ class UserLoginStageView(StageView):
 flow_slug=self.executor.flow.slug,
 session_duration=self.executor.current_stage.session_duration,
 )
+ self.request.session[USER_LOGIN_AUTHENTICATED] = True
 messages.success(self.request, _("Successfully logged in!"))
 return self.executor.stage_ok()
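Review bot: `USER_LOGIN_AUTHENTICATED` is only tested on the new condition line, never consumed, so once UserLoginStage sets it every later authorization request in the same session that carries `prompt=login` skips re-authentication until something else removes the key; `prompt=login` is the relying party's explicit request for fresh authentication, so a stale marker defeats that control. Consuming it in this condition, `and not self.request.session.pop(USER_LOGIN_AUTHENTICATED, False)`, limits the bypass to the one authorization that directly follows the login, assuming this check runs once per authorization request (the surrounding view logic is outside the hunk). In the added comment, `signed it` should read `signed in`, and `applications's API's List method` would be clearer as `ApplicationViewSet.list`. The enclosing method starts before and continues after the hunk.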
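Review bot: The value written on the new line of the second stage.py hunk is a bare `True`, which carries no notion of when the login happened, so a consumer cannot tell a login from seconds ago from one made hours earlier in the same session. Storing the login time instead, e.g. `self.request.session[USER_LOGIN_AUTHENTICATED] = time()` (stdlib `time`; the file's imports are outside the hunk), lets the OAuth2 authorize view bound how recent the login must be before it honours the marker, in the spirit of the OIDC `max_age` parameter. Django's `login()` can flush the session when the authenticated user changes, so this write must stay after that call; it appears to, given the preceding log call, but the call itself is outside the hunk.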