Redirect loop while using OAuth strategy (with temp_oauth_email) and 2FA Required
When an OAuth strategy that does not store the email IDs of its users (e.g. UltraAuth) is enabled with 2FA required for all users, we get a "Too many redirects" error.
This is quite similar to https://gitlab.com/gitlab-org/gitlab-ce/issues/28141
Steps to reproduce
- Enable UltraAuth strategy with
- Enable "Require all users to set up Two-factor authentication" option from Settings > General > Sign-up restrictions
- Try to log in using UltraAuth strategy
What is the current bug behavior?
If the OAuth identity provider does not return the email address, and allow_single_sign_on is enabled, then GitLab provides a temporary email address to the newly created user. When this new user signs in, GitLab does not allow the user to access any part of the application until the user provides an email ID. So, the user will be redirected to the /profile page when he/she tries to visit any page.
Now, if the "Require all users to set up Two-factor authentication" option is enabled, then GitLab will try to redirect the user to the /profile/two_factor_auth page to enable 2FA.
Because of this, a redirect loop is created and the application throws the error.
The following condition restricts the user to the 2FA page.
We can include !current_user.temp_oauth_email? in the condition to allow users to set their emails first.
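The loop and the proposed condition can be reproduced with a small model of the two redirect checks. This is an added example, not GitLab's code: the method names, the email_first flag, and the assumption that each check exempts its own destination page are hypothetical; only temp_oauth_email and the two paths come from the report.

```ruby
# Simplified model of the two redirect checks described above (not GitLab source).
User = Struct.new(:temp_oauth_email, :two_factor_enabled, keyword_init: true)

PROFILE_PATH    = "/profile"
TWO_FACTOR_PATH = "/profile/two_factor_auth"
MAX_REDIRECTS   = 20 # assumed cap, similar to what browsers tolerate

# Email check: a user holding a temporary OAuth email may only see /profile.
def email_redirect(user, path)
  PROFILE_PATH if user.temp_oauth_email && path != PROFILE_PATH
end

# 2FA check: with the instance-wide requirement on, a user without 2FA may only
# see the 2FA setup page. email_first models the proposed extra condition.
def two_factor_redirect(user, path, email_first:)
  return nil if user.two_factor_enabled || path == TWO_FACTOR_PATH
  return nil if email_first && user.temp_oauth_email
  TWO_FACTOR_PATH
end

# Follow redirects from start; returns [final_path or :loop, visited paths].
def follow(user, start, email_first:)
  path = start
  hops = [start]
  MAX_REDIRECTS.times do
    target = email_redirect(user, path) ||
             two_factor_redirect(user, path, email_first: email_first)
    return [path, hops] if target.nil?
    path = target
    hops << path
  end
  [:loop, hops]
end

# Constructed users: fresh OAuth sign-up, then the same user after setting an email.
new_user   = User.new(temp_oauth_email: true,  two_factor_enabled: false)
with_email = User.new(temp_oauth_email: false, two_factor_enabled: false)

p follow(new_user, "/", email_first: false).first   # current behaviour
p follow(new_user, "/", email_first: true)          # with the extra condition
p follow(with_email, "/", email_first: true)        # 2FA is still enforced
```

The third call shows that the extra condition only defers the 2FA requirement: once the temporary email is replaced, the user is still confined to the 2FA setup page.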