providers/oauth2: fix infinite loops when prompt=login

2020-12-27 15:23:26 +01:00 · 2020-12-27 15:23:26 +01:00 · e8debce9c8
parent bcd0686a33
commit e8debce9c8
1 changed files with 6 additions and 1 deletions
--- a/authentik/providers/oauth2/views/authorize.py
+++ b/authentik/providers/oauth2/views/authorize.py
@ -56,6 +56,7 @@ LOGGER = get_logger()

 PLAN_CONTEXT_PARAMS = "params"
 PLAN_CONTEXT_SCOPE_DESCRIPTIONS = "scope_descriptions"
+SESSION_NEEDS_LOGIN = "authentik_oauth2_needs_login"

 ALLOWED_PROMPT_PARAMS = {PROMPT_NONE, PROMPT_CONSNET, PROMPT_LOGIN}

@ -398,7 +399,11 @@ class AuthorizationFlowInitView(PolicyAccessView):
            if current_age.total_seconds() > self.params.max_age:
                return self.handle_no_permission()
        # If prompt=login, we need to re-authenticate the user regardless
-        if PROMPT_LOGIN in self.params.prompt:
+        if (
+            PROMPT_LOGIN in self.params.prompt
+            and SESSION_NEEDS_LOGIN not in self.request.session
+        ):
+            self.request.session[SESSION_NEEDS_LOGIN] = True
            return self.handle_no_permission()
        # Regardless, we start the planner and return to it
        planner = FlowPlanner(self.provider.authorization_flow)