FEATURE: Add a site setting to control automatic auth redirect (#10732)

This allows administrators to stop the automatic redirect to an external authenticator. It only takes effect when there is a single authentication method and the site is login_required
David Taylor 2020-09-24 17:06:07 +01:00 committed by GitHub
parent 6a5aeceee8
commit f1d64bbbe5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 23 additions and 2 deletions


@ -707,11 +707,11 @@ class ApplicationController < ActionController::Base
def redirect_to_login def redirect_to_login
dont_cache_page dont_cache_page
if SiteSetting.enable_sso? if SiteSetting.external_auth_immediately && SiteSetting.enable_sso?
# save original URL in a session so we can redirect after login # save original URL in a session so we can redirect after login
session[:destination_url] = destination_url session[:destination_url] = destination_url
redirect_to path('/session/sso') redirect_to path('/session/sso')
elsif !SiteSetting.enable_local_logins && Discourse.enabled_authenticators.length == 1 && !cookies[:authentication_data] elsif SiteSetting.external_auth_immediately && !SiteSetting.enable_local_logins && Discourse.enabled_authenticators.length == 1 && !cookies[:authentication_data]
# Only one authentication provider, direct straight to it. # Only one authentication provider, direct straight to it.
# If authentication_data is present, then we are halfway though registration. Don't redirect offsite # If authentication_data is present, then we are halfway though registration. Don't redirect offsite
cookies[:destination_url] = destination_url cookies[:destination_url] = destination_url
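Review bot: When `external_auth_immediately` is false, the new guards skip not only the redirect but also the `session[:destination_url] = destination_url` and `cookies[:destination_url] = destination_url` assignments that live inside the gated branches, so unless the fallback branch below (outside this hunk) stores the destination as well, the post-login return URL is lost on the manual-login path the setting now enables. Hoisting a single `destination_url` store above the `if`, or a comment stating that the `/login` page restores it, would settle that. Separately, the setting's description says it only takes effect when `login_required` is true, yet nothing in the hunk checks `SiteSetting.login_required`; if that is guaranteed by how `redirect_to_login` is reached, say so with `# external_auth_immediately is only consulted here; callers reach this method only when login is required`. Repeating `SiteSetting.external_auth_immediately &&` in both branch conditions also makes the `elsif` a five-term one-liner; an outer `if SiteSetting.external_auth_immediately` or a small predicate such as `single_external_authenticator?` would read better. The body of `redirect_to_login` continues outside the hunk.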


@ -1622,6 +1622,7 @@ en:
block_common_passwords: "Don't allow passwords that are in the 10,000 most common passwords." block_common_passwords: "Don't allow passwords that are in the 10,000 most common passwords."
external_auth_skip_create_confirm: When signing up via external auth, skip the create account popup. Best used alongside sso_overrides_email, sso_overrides_username and sso_overrides_name. external_auth_skip_create_confirm: When signing up via external auth, skip the create account popup. Best used alongside sso_overrides_email, sso_overrides_username and sso_overrides_name.
external_auth_immediately: "Automatically redirect to the external login system without user interaction. This only takes effect when login_required is true, and there is only one external authentication method"
enable_sso: "Enable single sign on via an external site (WARNING: USERS' EMAIL ADDRESSES *MUST* BE VALIDATED BY THE EXTERNAL SITE!)" enable_sso: "Enable single sign on via an external site (WARNING: USERS' EMAIL ADDRESSES *MUST* BE VALIDATED BY THE EXTERNAL SITE!)"
verbose_sso_logging: "Log verbose SSO related diagnostics to <a href='%{base_path}/logs' target='_blank'>/logs</a>" verbose_sso_logging: "Log verbose SSO related diagnostics to <a href='%{base_path}/logs' target='_blank'>/logs</a>"


@ -424,6 +424,8 @@ login:
external_auth_skip_create_confirm: external_auth_skip_create_confirm:
default: false default: false
client: true client: true
external_auth_immediately:
default: true
enable_sso: enable_sso:
client: true client: true
default: false default: false


@ -45,6 +45,24 @@ RSpec.describe ApplicationController do
expect(response).to redirect_to("/login") expect(response).to redirect_to("/login")
end end
it "should not redirect to SSO when external_auth_immediately is disabled" do
SiteSetting.external_auth_immediately = false
SiteSetting.sso_url = 'http://someurl.com'
SiteSetting.enable_sso = true
get "/"
expect(response).to redirect_to("/login")
end
it "should not redirect to authenticator when external_auth_immediately is disabled" do
SiteSetting.external_auth_immediately = false
SiteSetting.enable_google_oauth2_logins = true
SiteSetting.enable_local_logins = false
get "/"
expect(response).to redirect_to("/login")
end
context "with omniauth in test mode" do context "with omniauth in test mode" do
before do before do
OmniAuth.config.test_mode = true OmniAuth.config.test_mode = true