BB2-4961: Switch Account Link#1649
Open
JamesDemeryNava wants to merge 14 commits into
Open
Conversation
… missing code_verifier
…ith switch account
bwang-icf
reviewed
Jul 10, 2026
| 'state': self.request.GET.get('state'), | ||
| 'code_challenge': self.request.GET.get('code_challenge'), | ||
| 'code_challenge_method': self.request.GET.get('code_challenge_method'), | ||
| } |
Contributor
There was a problem hiding this comment.
We could consider using a list here to cut down on the repeated request.get calls here. Maybe something like
params = ['client_id', 'redirect_uri', 'response_type', 'scope', 'state', 'code_challenge', 'code_challenge_method']
oauth_params = {}
for param in params:
oauth_params[param] = self.request.GET.get(param)
self.request.session['oauth_params'] = oauth_params
bwang-icf
reviewed
Jul 10, 2026
| def _get_oauth2_session_with_redirect(request: HttpRequest) -> OAuth2Session: | ||
| client_id = request.session['client_id'] | ||
| redirect_uri = request.session['redirect_uri'] | ||
| if request.session.get('client_id'): |
Contributor
There was a problem hiding this comment.
Looks like a similar retrieval pattern as from dot_ext/authorization with trying to grab a key/parameter from the session and then possibly falling back to a different key. I think a helper in utils.py that can be generalized for both spots could be helpful.
Contributor
|
This can be followed up on in a future ticket, but I believe it would make sense to add this workflow to selenium tests. |
Contributor
Author
Definitely, I will write up a ticket for that |
Contributor
|
Validation:
|
Contributor
|
Did you hear back from @sb-benohe on the security question? |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
JIRA Ticket:
BB2-4961
What Does This PR Do?
Ensures that a beneficiary on the v3 permissions screen can click the Switch account link, and be redirected back to the CSPs landing page, where they can then re-authorize and get an access token. This works via Postman and the testclient, though some extra code was needed for it to work for the testclient.
Some minor styling changes to the v3 permissions screen as well.
What Should Reviewers Watch For?
If you're reviewing this PR, please check for these things in particular:
Validation
Styling changes:
Switch account changes:
In Postman, go through a v3 auth flow. Log in as a user (BBUser00100), then click the switch account link at the top of the page
You will be redirected to the CSPs landing page, click Medicare.gov, and enter the credentials for BBUser00575
Click Share on the v3 permissions screen.
Run a v3 patient search call for your newly created token. If you used BBUser00575, the fhir_id_v3 should be a specific value that I can share with you (don't want to include in a PR)
In the testclient, go through a v3 auth flow. Log in as a user (BBUser00100), then click the switch account link at the top of the page
You will be redirected to the CSPs landing page, click Medicare.gov, and enter the credentials for BBUser00575
Click Share on the v3 permissions screen.
Click through every link on the testclient landing page to ensure they all work
Also go through testclient flows for v2/v3 without clicking switch account to ensure they still work. Do the same for Postman.
What Security Implications Does This PR Have?
Please indicate if this PR does any of the following:
None of the above apply necesarily, but @sb-benohe, curious if you have any concerns about logging a user out and then maintaining the oauth_params so another user can login.
security engineer's approval.
Any Migrations?
etc)