Endless automatic omniauth redirect loop if user doesn't exist
When a user is automatically signed in with their SAML account and the OmniAuth controller finds no matching GitLab account, the request goes through OmniauthCallbacksController#handle_signup_error:
```ruby
def handle_signup_error
  label = Gitlab::Auth::OAuth::Provider.label_for(oauth['provider'])
  message = [_("Signing in using your %{label} account without a pre-existing GitLab account is not allowed.") % { label: label }]

  if Gitlab::CurrentSettings.allow_signup?
    message << _("Create a GitLab account first, and then connect it to your %{label} account.") % { label: label }
  end

  # The error is stored as a notice, not an alert, before redirecting to the sign-in page.
  flash[:notice] = message.join(' ')
  redirect_to new_user_session_path
end
```
That method redirects the user to new_user_session_path, where auto_sign_in_with_provider kicks in again:
```ruby
def auto_sign_in_with_provider
  return unless Gitlab::Auth.omniauth_enabled?

  provider = Gitlab.config.omniauth.auto_sign_in_with_provider
  return unless provider.present?

  # If a "auto_sign_in" query parameter is set to a falsy value, don't auto sign-in.
  # Otherwise, the default is to auto sign-in.
  return if Gitlab::Utils.to_boolean(params[:auto_sign_in]) == false

  # Auto sign in with an Omniauth provider only if the standard "you need to sign-in" alert is
  # registered or no alert at all. In case of another alert (such as a blocked user), it is safer
  # to do nothing to prevent redirection loops with certain Omniauth providers.
  return unless flash[:alert].blank? || flash[:alert] == I18n.t('devise.failure.unauthenticated')

  # Prevent alert from popping up on the first page shown after authentication.
  flash[:alert] = nil

  redirect_to omniauth_authorize_path(:user, provider)
end
```
This goes through the OmniAuth authorization flow again, because the login error is stored in flash[:notice] instead of flash[:alert], so the flash[:alert] guard above never sees it and the two redirects chase each other indefinitely.
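The loop described above, as an added example that is not GitLab's own code: a plain-Ruby simulation of the two actions that follows the redirects and shows that storing the signup error under flash[:alert] (or passing auto_sign_in=false) is enough to break the cycle. The constants, the `flash_key` parameter and the path symbols are assumptions made for this illustration only.

```ruby
# Constructed stand-ins for I18n.t('devise.failure.unauthenticated') and a hop budget.
UNAUTHENTICATED = 'You need to sign in or sign up before continuing.'
MAX_HOPS = 10

# Simulates OmniauthCallbacksController#handle_signup_error for a provider login
# with no matching GitLab account. `flash_key` (hypothetical) selects where the
# error is stored: :notice reproduces the current behaviour, :alert a possible fix.
def handle_signup_error(flash, flash_key)
  flash[flash_key] = 'Signing in using your SAML account without a pre-existing GitLab account is not allowed.'
  :new_user_session
end

# Simulates SessionsController#auto_sign_in_with_provider's guard: it only stands
# down when flash[:alert] holds something other than the standard sign-in message.
def auto_sign_in_with_provider(flash, auto_sign_in_param: nil)
  return :render_login if auto_sign_in_param == false
  return :render_login unless flash[:alert].to_s.empty? || flash[:alert] == UNAUTHENTICATED

  flash[:alert] = nil
  :omniauth_authorize
end

# Follows the redirects until the login page is actually rendered or the hop budget
# runs out. A single flash hash is kept because each hop overwrites the key it uses.
def follow_redirects(flash_key, auto_sign_in_param: nil)
  flash = {}
  path = [:omniauth_authorize]
  MAX_HOPS.times do
    case path.last
    when :omniauth_authorize
      # Provider callback: the IdP knows the user, GitLab does not.
      path << handle_signup_error(flash, flash_key)
    when :new_user_session
      path << auto_sign_in_with_provider(flash, auto_sign_in_param: auto_sign_in_param)
    when :render_login
      return path
    end
  end
  path
end

# True when the hop budget is exhausted without ever rendering the login page.
def loops?(flash_key, auto_sign_in_param: nil)
  follow_redirects(flash_key, auto_sign_in_param: auto_sign_in_param).last != :render_login
end
```

Running `loops?(:notice)` reproduces the endless redirect, while `loops?(:alert)` and `loops?(:notice, auto_sign_in_param: false)` both stop at the login page.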
- Original fix: !3223 (merged)
- Regression appeared: !7445 (merged)