fix: prevent silent errors during SSO (account settings)#38673
Conversation
openedx-webhooks
added
the
open-source-contribution
|
Thanks for the pull request, @Gi-ron! This repository is currently maintained by Once you've gone through the following steps feel free to tag them in a comment and let them know that your changes are ready for engineering review. 🔘 Get product approvalIf you haven't already, check this list to see if your contribution needs to go through the product review process.
🔘 Provide contextTo help your reviewers and other members of the community understand the purpose and larger context of your changes, feel free to add as much of the following information to the PR description as you can:
🔘 Get a green buildIf one or more checks are failing, continue working on your changes until this is no longer the case and your build turns green. 🔘 Update the status of your PRYour PR is currently marked as a draft. After completing the steps above, update its status by clicking "Ready for Review", or removing "WIP" from the title, as appropriate. Where can I find more information?If you'd like to get more details on all aspects of the review process for open source pull requests (OSPRs), check out the following resources: When can I expect my changes to be merged?Our goal is to get community contributions seen and reviewed as efficiently as possible. However, the amount of time that it takes to review and merge a PR can vary significantly based on factors such as:
💡 As a result it may take up to several weeks or months to complete a review and merge your PR. |
mphilbrick211
added
the
needs test run
mphilbrick211
moved this from Waiting on Author
to Needs Tests Run or CLA Signed
in Contributions
|
Hi @Gi-ron! It looks like you're contributing on behalf of eduNEXT. In order to have your CLA check turn green, please have your manager reach out to oscm@axim.org to have you added to our existing entity agreement. |
Thank you! I appreciate it. I've already been enrolled in the CLA, so I'll keep an eye on the PR and wait for the status to update. Thanks again for your comments! |
mphilbrick211
removed
the
needs test run
jignaciopm
left a comment
jignaciopm
left a comment
There was a problem hiding this comment.
Could you check why there're some issues with CI/CD?
Gi-ron
changed the title
Gi-ron
changed the title
felipemontoya
left a comment
felipemontoya
left a comment
There was a problem hiding this comment.
I think the underlying error is clear and needs to be fixed, but the current approach requires some refactor.
|
@Gi-ron also, this PR needs at least one test |
mphilbrick211
added
needs test run
mphilbrick211
moved this from Needs Tests Run or CLA Signed
to In Eng Review
in Contributions
Gi-ron
force-pushed
the
sgb/render-tpa-account-mfe-error
branch
3 times, most recently
from
8e90bec to
8ec0a58
Compare
Gi-ron
force-pushed
the
sgb/render-tpa-account-mfe-error
branch
from
20c06b5 to
a1a4b00
Compare
I added two tests: one for the cases where exceptions are processed in the middleware, and another for the cases where legacy_urls constructs the redirect URL. |
|
Hi @igobranco, @felipemontoya @bra-i-am, @jignaciopm I’ve added some changes to enable rendering error messages in the Account MFE, along with additional tests. The main idea is to capture as many python-social-auth exceptions as possible. Unfortunately, at the moment the Account MFE only renders a user-facing message for duplicate_provider. Could you please take a look at the changes and give me your feedback? It would be really helpful. Thanks in advance! |
Gi-ron
changed the title
|
|
||
| params = {'tpa_error_code': error_code} | ||
|
|
||
| if error_code == 'duplicate_provider' and backend_name: |
There was a problem hiding this comment.
Why do we send the params only on this error occurrence? Could we just send the params for any error type? The error should land in the list defined by TPA_ERROR_CODES
6 participants
Description
When a user tries to link a third-party identity (SAML, OAuth2, LTI) that is already linked to a different Open edX account, the backend raises
AuthAlreadyAssociated.SocialAuthExceptionMiddlewarerecords this as a Django message and redirects to/account/settings.That URL was a plain
RedirectViewthat forwards straight toACCOUNT_MICROFRONTEND_URL— it doesn't carry over Django messages or query params. The error is lost, and the user lands on the Account MFE with no explanation.Fix
Replace the
RedirectViewat/account/settingswith a small view,account_settings_redirect_view, that:pipeline.get_duplicate_provider).?duplicate_provider=<provider name>, which the MFE already knows how to render as an alert.Works for any backend (SAML, OAuth2, LTI), since it only depends on the existing message left by python-social-auth's middleware.
Files changed
common/djangoapps/third_party_auth/views.py: addedaccount_settings_redirect_view.openedx/core/djangoapps/user_api/legacy_urls.py: swapped theRedirectViewfor the new view.Screenshots
Testing
Setup
user_a@example.comanduser_b@example.com.user_aand complete the SAML login flow to link the IdP identity touser_a.Reproduce the error
user_b.