From ab9fedf8743b50a18143dc87cce01985e222661b Mon Sep 17 00:00:00 2001
From: Robert Raposa
Date: Mon, 18 Oct 2021 12:17:20 -0400
Subject: [PATCH] fix: mark access token login user change

Since we may get a user change during access token login, we mark it as expected so our Safe Session protection won't be triggered.
---
 openedx/core/djangoapps/auth_exchange/views.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/openedx/core/djangoapps/auth_exchange/views.py b/openedx/core/djangoapps/auth_exchange/views.py
index 8c9d6c810f..adba25b72c 100644
--- a/openedx/core/djangoapps/auth_exchange/views.py
+++ b/openedx/core/djangoapps/auth_exchange/views.py
@@ -23,6 +23,7 @@ from rest_framework.views import APIView
 from openedx.core.djangoapps.auth_exchange.forms import AccessTokenExchangeForm
 from openedx.core.djangoapps.oauth_dispatch import adapters
 from openedx.core.djangoapps.oauth_dispatch.api import create_dot_access_token
+from openedx.core.djangoapps.safe_sessions.middleware import mark_user_change_as_expected
 from openedx.core.lib.api.authentication import BearerAuthenticationAllowInactiveUser
@@ -151,4 +152,6 @@ class LoginWithAccessTokenView(APIView):
 })
 login(request, request.user) # login generates and stores the user's cookies in the session
- return HttpResponse(status=204) # cookies stored in the session are returned with the response
+ response = HttpResponse(status=204) # cookies stored in the session are returned with the response
+ mark_user_change_as_expected(response, request.user.id)
+ return response
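Review bot: The new `mark_user_change_as_expected(response, request.user.id)` call in the second hunk carries no comment, so a reader of the view sees a Safe Sessions check being relaxed on an authentication endpoint with the rationale living only in the commit message. I would add a line above it such as `# The token's user may differ from the user in the incoming session cookie; tell Safe Sessions this switch is expected.` The call sits after `login()` on the success path only, which looks right, but nothing visible in this patch pins that behaviour; a test that logs in with a token while a different user's session cookie is present, and asserts that no user-mismatch is reported, would keep it from regressing. The enclosing view method starts above the hunk, so the token checks that precede `login()` cannot be assessed from here.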