Skip to content

feat: redirect to custom URL when third-party auth account is unlinked #1078

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 1 commit into from
Closed

feat: redirect to custom URL when third-party auth account is unlinked #1078

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions .env
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,7 @@ ORDER_HISTORY_URL=null
REFRESH_ACCESS_TOKEN_ENDPOINT=null
SEGMENT_KEY=''
SITE_NAME=null
TPA_UNLINKED_ACCOUNT_PROVISION_URL=''
INFO_EMAIL=''
# ***** Cookies *****
USER_RETENTION_COOKIE_NAME=null
Expand Down
6 changes: 5 additions & 1 deletion README.rst
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -119,6 +119,10 @@ The authentication micro-frontend also requires the following additional variabl
- Enables the image layout feature within the authn. When set to True, this feature allows the inclusion of images in the base container layout. For more details on configuring this feature, please refer to the `Modifying base container <docs/how_tos/modifying_base_container.rst>`_.
- ``true`` | ``''`` (empty strings are falsy)

* - ``TPA_UNLINKED_ACCOUNT_PROVISION_URL``
- URL to redirect to when the identity provided by third-party authentication is not yet linked to a platform account. This allows for redirecting to a custom sign-up flow handled by an external service to create the linked account. An empty string (the default) disables this feature.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Apologies for holding this up, but it's still not clear to me how an account can get in this situation. It would be a big help if you could describe the logistration flow that benefits from this (maybe with a diagram?), and why one of the existing flows is not sufficient.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

On a more general note, shouldn't this be a per-provider thing, as opposed to a single URL for everything?

Copy link
Author

@ArturGaspar ArturGaspar Jun 10, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@arbrandes In this particular use case, we don't want registration to be handled by Open edX from third-party auth (it will be handled by an external service distinct from the third-party auth provider which then creates the appropriate user account in the Open edX platform via API calls), so if the user tries to log in via the third-party auth we end up in the situation where Open edX has third-party auth but doesn't know which user account it should link to (because the account for this user was not created yet, and we don't want Open edX to create one automatically). Instead of the default behaviour of prompting the user to manually link an existing account, this would then redirect to the aforementioned external service.

While the concrete use case only has one provider, I think it still makes sense to have a single URL if there were more.

If this explanation is sensible enough, I can update the readme.

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @arbrandes. Would you know when you might be able to look into my explanation?

- ``http://example.com/signup`` | ``''``


edX-specific Environment Variables
==================================
Expand Down Expand Up @@ -219,4 +223,4 @@ Please see `LICENSE <https://github.com/openedx/frontend-app-authn/blob/master/L
:target: https://github.com/openedx/edx-developer-docs/actions/workflows/ci.yml
:alt: Continuous Integration
.. |semantic-release| image:: https://img.shields.io/badge/%20%20%F0%9F%93%A6%F0%9F%9A%80-semantic--release-e10079.svg
:target: https://github.com/semantic-release/semantic-release
:target: https://github.com/semantic-release/semantic-release
1 change: 1 addition & 0 deletions src/config/index.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,7 @@
SEARCH_CATALOG_URL: process.env.SEARCH_CATALOG_URL || null,
TOS_AND_HONOR_CODE: process.env.TOS_AND_HONOR_CODE || null,
TOS_LINK: process.env.TOS_LINK || null,
TPA_UNLINKED_ACCOUNT_PROVISION_URL: process.env.TPA_UNLINKED_ACCOUNT_PROVISION_URL || null,

Check warning on line 25 in src/config/index.js

View check run for this annotation

Codecov / codecov/patch

src/config/index.js#L25 

Added line #L25 was not covered by tests
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@ArturGaspar Is the TPA_UNLINKED_ACCOUNT_PROVISION_URL required here and in the .env? I tested without setting the value in the .env and the change works fine as long as the MFE_CONFIG has this information.

I guess it doesn't hurt to have a default value here, maybe we could document this better somewhere?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@tecoholic, here it is necessary because someone might want to enable this feature without the MFE_CONFIG API. In .env it is not necessary (as this file defaults it to null) but it seemed appropriate to have it there for reference.

// Base container images
BANNER_IMAGE_LARGE: process.env.BANNER_IMAGE_LARGE || '',
BANNER_IMAGE_MEDIUM: process.env.BANNER_IMAGE_MEDIUM || '',
Expand Down
12 changes: 12 additions & 0 deletions src/login/LoginPage.jsx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -176,6 +176,18 @@ const LoginPage = (props) => {

const { provider, skipHintedLogin } = getTpaProvider(tpaHint, providers, secondaryProviders);

const unlinkedProvisionUrl = getConfig().TPA_UNLINKED_ACCOUNT_PROVISION_URL;

/**
* When currentProvider exists and we are in a login page, it is
* because the third-party authenticated account is not linked.
* See also ThirdPartyAuthAlert.jsx.
*/
if (currentProvider && unlinkedProvisionUrl) {
window.location.href = unlinkedProvisionUrl;
return null;
}

if (tpaHint) {
if (thirdPartyAuthApiStatus === PENDING_STATE) {
return <Skeleton height={36} />;
Expand Down
46 changes: 46 additions & 0 deletions src/login/tests/LoginPage.test.jsx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -830,4 +830,50 @@ describe('LoginPage', () => {
expect(container.querySelector('input#emailOrUsername').value).toEqual('john_doe');
expect(container.querySelector('input#password').value).toEqual('test-password');
});

it('should not redirect to provisioning URL when not configured', () => {
mergeConfig({
TPA_UNLINKED_ACCOUNT_PROVISION_URL: '',
});

store = mockStore({
...initialState,
commonComponents: {
...initialState.commonComponents,
thirdPartyAuthContext: {
...initialState.commonComponents.thirdPartyAuthContext,
currentProvider: ssoProvider.name,
},
},
});

delete window.location;
window.location = { href: getConfig().BASE_URL.concat(LOGIN_PAGE) };

render(reduxWrapper(<IntlLoginPage {...props} />));
expect(window.location.href).toEqual(getConfig().BASE_URL.concat(LOGIN_PAGE));
});

it('should redirect to provisioning URL on unlinked third-party auth account', () => {
mergeConfig({
TPA_UNLINKED_ACCOUNT_PROVISION_URL: 'http://example.com/signup',
});

store = mockStore({
...initialState,
commonComponents: {
...initialState.commonComponents,
thirdPartyAuthContext: {
...initialState.commonComponents.thirdPartyAuthContext,
currentProvider: ssoProvider.name,
},
},
});

delete window.location;
window.location = { href: getConfig().BASE_URL.concat(LOGIN_PAGE) };

render(reduxWrapper(<IntlLoginPage {...props} />));
expect(window.location.href).toEqual('http://example.com/signup');
});
});
Loading