ENT-4383 fix the hinted login page experience when enterprise login enables hinted login (#27431)

* fix: 🐛 Correctly check that saml provider is available using tpa_hint in next param

This fixes a 404 that occurs when an enterprise customer sends a tpa_hint inside the next parameter: that param was not correctly checked when deciding whether to disable the auth MFE. The hinted login page now works with this change.

ENT-4383

* feat: comment update

comment update

ENT-4383
Binod Pant
2021-04-27 11:33:00 -04:00
committed by GitHub
parent 39ffd01c12
commit 735d01283e


@@ -164,6 +164,7 @@ def login_and_registration_form(request, initial_mode="login"):
# Our ?next= URL may itself contain a parameter 'tpa_hint=x' that we need to check.
# If present, we display a login page focused on third-party auth with that provider.
third_party_auth_hint = None
tpa_hint_provider = None
if '?' in redirect_to: # lint-amnesty, pylint: disable=too-many-nested-blocks
try:
next_args = urllib.parse.parse_qs(urllib.parse.urlparse(redirect_to).query)
@@ -186,16 +187,26 @@ def login_and_registration_form(request, initial_mode="login"):
except (KeyError, ValueError, IndexError) as ex:
log.exception("Unknown tpa_hint provider: %s", ex)
# Redirect to authn MFE if it is enabled or user is not an enterprise user or not coming from a SAML IDP.
# Redirect to authn MFE if it is enabled
# AND
# user is not an enterprise user
# AND
# tpa_hint_provider is not available
# AND
# user is not coming from a SAML IDP.
saml_provider = False
running_pipeline = pipeline.get(request)
enterprise_customer = enterprise_customer_for_request(request)
if running_pipeline:
saml_provider, __ = third_party_auth.utils.is_saml_provider(
running_pipeline.get('backend'), running_pipeline.get('kwargs')
)
if should_redirect_to_authn_microfrontend() and not enterprise_customer and not saml_provider:
enterprise_customer = enterprise_customer_for_request(request)
if should_redirect_to_authn_microfrontend() and \
not enterprise_customer and \
not tpa_hint_provider and \
not saml_provider:
# This is to handle a case where a logged-in cookie is not present but the user is authenticated.
# Note: If we don't handle this learner is redirected to authn MFE and then back to dashboard
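Review bot: The new `not tpa_hint_provider` term in the redirect condition makes the choice between the legacy login page and the authn MFE depend on a value read from the caller-supplied `next` URL, and the line that assigns `tpa_hint_provider` sits between the two hunks, outside what is shown. It is worth confirming that the name is bound only after the provider lookup succeeds, so that a hint which ends in the `except (KeyError, ValueError, IndexError)` branch leaves it `None` and cannot suppress the redirect on its own. A short comment at the condition would record that, e.g. `# tpa_hint is read from the user-supplied ?next=; only a hint that resolved to a configured provider keeps the legacy hinted-login page`. As a style point, the backslash continuations would read better as a single parenthesised condition, `if (should_redirect_to_authn_microfrontend() and not enterprise_customer and not tpa_hint_provider and not saml_provider):`, wrapped inside the parentheses. The body of login_and_registration_form continues outside the hunk.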