Redirect loop while using OAuth strategy (with temp_oauth_email) and 2FA Required
Summary
When an OAuth strategy that does not store users' email addresses (e.g. UltraAuth) is enabled together with "Require all users to set up Two-factor authentication", signing in ends in a "Too many redirects" error.
This is quite similar to https://gitlab.com/gitlab-org/gitlab-ce/issues/28141
Steps to reproduce
- Enable the UltraAuth strategy with the allow_single_sign_on option.
- Enable the "Require all users to set up Two-factor authentication" option under Settings > General > Sign-up restrictions.
- Try to log in using the UltraAuth strategy.
What is the current bug behavior?
If the OAuth identity provider does not return an email address and allow_single_sign_on is enabled, GitLab assigns a temporary email address to the newly created user. When this user signs in, GitLab does not allow access to any part of the application until an email address has been provided, so the user is redirected to the /profile page whenever they try to visit any other page.
Ref: https://gitlab.com/gitlab-org/gitlab-ce/blob/master/app/controllers/application_controller.rb#L25
Now, if the "Require all users to set up Two-factor authentication" option is enabled, GitLab also tries to redirect the user to the /profile/two_factor_auth page to set up 2FA.
The two checks chase each other: /profile/two_factor_auth is not /profile, so the email check sends the user back to /profile, where the 2FA check sends them to /profile/two_factor_auth again. This creates the redirect loop, and the "Too many redirects" error is the result.
Possible fixes
The following condition restricts the user to the 2FA page.
We can add !current_user.temp_oauth_email? to that condition so that users with a temporary email are allowed to set their email first; the 2FA requirement then applies on their next request, once the email check no longer redirects them.
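The following is an added example, not GitLab's own code: a minimal model of the two before-action style checks described above (the temporary-email check and the 2FA requirement), with a dispatcher that follows redirects and reports a loop when a path is visited twice. The class and method names (Dispatcher, require_email, check_2fa_requirement), the check order and the `fixed:` switch that adds the proposed temp_oauth_email? guard are assumptions made for the illustration; only the two paths and the behaviour come from the report.

```ruby
# Added example (not GitLab's code): models the two redirect checks that
# together produce the loop, and the proposed guard that breaks it.
require 'set'

# Minimal stand-in for the parts of the user model the checks look at.
User = Struct.new(:temp_oauth_email, :two_factor_enabled, keyword_init: true) do
  def temp_oauth_email?
    temp_oauth_email
  end

  def two_factor_enabled?
    two_factor_enabled
  end
end

class Dispatcher
  PROFILE_PATH = '/profile'.freeze
  TWO_FACTOR_PATH = '/profile/two_factor_auth'.freeze

  # fixed: true adds the !temp_oauth_email? guard to the 2FA condition (assumed
  # shape of the proposed fix); fixed: false reproduces the reported behaviour.
  def initialize(user, two_factor_required:, fixed:)
    @user = user
    @two_factor_required = two_factor_required
    @fixed = fixed
  end

  # Follows redirects for a request to +path+ and returns the path the user
  # finally lands on, or :loop when a path is reached a second time (the
  # condition a browser reports as "Too many redirects").
  def dispatch(path)
    visited = Set.new
    loop do
      return :loop unless visited.add?(path)
      # The first check that wants to redirect wins, as with before_action.
      target = require_email(path) || check_2fa_requirement(path)
      return path if target.nil?
      path = target
    end
  end

  private

  # Users carrying a temporary OAuth email may only visit /profile until they
  # set a real address.
  def require_email(path)
    return nil unless @user.temp_oauth_email? && path != PROFILE_PATH
    PROFILE_PATH
  end

  # When the admin requires 2FA, users without it are sent to the setup page.
  # The guard on the last line is the proposed fix: let users with a temporary
  # email complete their profile first.
  def check_2fa_requirement(path)
    return nil unless @two_factor_required && !@user.two_factor_enabled?
    return nil if path == TWO_FACTOR_PATH
    return nil if @fixed && @user.temp_oauth_email?
    TWO_FACTOR_PATH
  end
end

# Convenience wrapper: where does a sign-in request to +path+ end up?
def simulate(temp_email:, two_factor_required:, fixed:, path: '/dashboard')
  user = User.new(temp_oauth_email: temp_email, two_factor_enabled: false)
  Dispatcher.new(user, two_factor_required: two_factor_required, fixed: fixed).dispatch(path)
end

if __FILE__ == $PROGRAM_NAME
  puts "reported setup:   #{simulate(temp_email: true, two_factor_required: true, fixed: false)}"
  puts "with fix:         #{simulate(temp_email: true, two_factor_required: true, fixed: true)}"
  puts "real email, 2FA:  #{simulate(temp_email: false, two_factor_required: true, fixed: true)}"
end
```

With the reported configuration the dispatcher returns :loop after /dashboard, /profile and /profile/two_factor_auth, matching the chain in the bug description; with the guard, the same user settles on /profile, and a user who already has a real email is still sent to /profile/two_factor_auth, so the 2FA requirement is not weakened for them.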