Redirect loop while using OAuth strategy (with temp_oauth_email) and 2FA Required

Summary

When an OAuth strategy that does not store users' email addresses (e.g. UltraAuth) is enabled together with the "2FA required for all users" setting, we get a "Too many redirects" error.

This is quite similar to https://gitlab.com/gitlab-org/gitlab-ce/issues/28141

Steps to reproduce

  1. Enable the UltraAuth strategy with the allow_single_sign_on option.
  2. Enable the "Require all users to set up Two-factor authentication" option under Settings > General > Sign-up restrictions.
  3. Try to log in using the UltraAuth strategy.

What is the current bug behavior?

If the OAuth identity provider does not return an email address and allow_single_sign_on is enabled, GitLab assigns a temporary email address to the newly created user. When this user signs in, GitLab does not let them access any part of the application until they provide a real email address, so any page they try to visit redirects them to the /profile page.

Ref: https://gitlab.com/gitlab-org/gitlab-ce/blob/master/app/controllers/application_controller.rb#L25

Now, if the "Require all users to set up Two-factor authentication" option is enabled, GitLab will also try to redirect the user to the /profile/two_factor_auth page to enable 2FA.

Ref: https://gitlab.com/gitlab-org/gitlab-ce/blob/master/app/controllers/concerns/enforces_two_factor_authentication.rb#L14

The email check sends the user from /profile/two_factor_auth back to /profile, and the 2FA check sends them from /profile to /profile/two_factor_auth again, so the two redirects chase each other and the browser reports the "Too many redirects" error.

Possible fixes

The following condition redirects the user to the 2FA page:

https://gitlab.com/gitlab-org/gitlab-ce/blob/master/app/controllers/concerns/enforces_two_factor_authentication.rb#L14

We can add !current_user.temp_oauth_email? to that condition so that users with a temporary OAuth email are allowed to set their email address first; once a real address is saved, the 2FA enforcement applies as before.
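To make the loop and the proposed fix concrete, here is an added Ruby model of the two before_action filters that collide in this report. It is not GitLab's code: the filter order, the path strings, and the rule that each filter is skipped on its own target page (as the report's description implies) are assumptions made to reproduce the behaviour. The model follows the redirects the way a browser would and reports a loop once a path repeats.

```ruby
# Added example (not GitLab's code): a minimal model of the email-requirement
# filter and the 2FA-enforcement filter, and of how a browser follows them.

# Constructed stand-in for the User model; only the two predicates matter here.
Account = Struct.new(:temp_oauth_email, :two_factor_enabled, keyword_init: true) do
  def temp_oauth_email?
    temp_oauth_email
  end

  def two_factor_enabled?
    two_factor_enabled
  end
end

PROFILE_PATH = "/profile"
TWO_FACTOR_PATH = "/profile/two_factor_auth"

# Models ApplicationController's email requirement (assumed behaviour): a user
# still carrying the temporary OAuth address is sent to /profile from every
# other page, and the check is skipped on /profile itself.
def require_email(user, path)
  return nil if path == PROFILE_PATH

  PROFILE_PATH if user.temp_oauth_email?
end

# Models the EnforcesTwoFactorAuthentication concern (assumed behaviour).
# With fix: true the extra !temp_oauth_email? condition proposed above is applied.
def check_two_factor_requirement(user, path, two_factor_required:, fix:)
  return nil if path == TWO_FACTOR_PATH
  return nil unless two_factor_required && !user.two_factor_enabled?
  return nil if fix && user.temp_oauth_email?

  TWO_FACTOR_PATH
end

# Runs both filters for one request, in the assumed order (email check first).
# Returns the redirect target, or nil when the page is allowed to render.
def dispatch(user, path, two_factor_required:, fix:)
  require_email(user, path) ||
    check_two_factor_requirement(user, path, two_factor_required: two_factor_required, fix: fix)
end

# Follows redirects like a browser: stops when a page renders (:ok), when a
# path repeats (:loop, the "Too many redirects" case), or after max_hops.
def follow(user, start, two_factor_required: true, fix: false, max_hops: 10)
  trail = [start]
  path = start
  max_hops.times do
    target = dispatch(user, path, two_factor_required: two_factor_required, fix: fix)
    return { outcome: :ok, path: path, trail: trail } if target.nil?
    return { outcome: :loop, path: target, trail: trail + [target] } if trail.include?(target)

    trail << target
    path = target
  end
  { outcome: :too_many_redirects, path: path, trail: trail }
end

if __FILE__ == $PROGRAM_NAME
  user = Account.new(temp_oauth_email: true, two_factor_enabled: false)
  p follow(user, "/dashboard/projects")            # loops: /profile <-> /profile/two_factor_auth
  p follow(user, "/dashboard/projects", fix: true) # stops at /profile so the email can be set
end
```

Running the script shows the unfixed trail /dashboard/projects, /profile, /profile/two_factor_auth, /profile and a loop verdict; with fix: true the same user stops at /profile, while a user who already has a real email is still sent to /profile/two_factor_auth as before.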

Edited by Kartikey Tanna