OAuth for Auth0 that auto links existing users

I am trying to set up Auth0 and OAuth and I have succeeded in doing so.

But the problem arises for auto link.

In the LMS application, the configuration ENABLE_REQUIRE_THIRD_PARTY_AUTH=TRUE is used. While doing so, I am not able to use the API to create new users.

So instead of that, I tried using ENABLE_THIRD_PARTY_AUTH=TRUE.
This helps in creating users through the API, but it doesn’t link existing users to their Openedx account while using OAuth login.

Here in the edx-platform/common/djangoapps/third_party_auth/pipeline.py, I see that the association with email is enabled only if the ENABLE_REQUIRE_THIRD_PARTY_AUTH is enabled.

Is there any way I could like make this work when ENABLE_THIRD_PARTY_AUTH is set to true instead?

Third party authentication is required to register. Username and password were received instead.

This is the 403 response received while trying to create a user using the API after ENABLE_REQUIRE_THIRD_PARTY_AUTH is enabled.

Even if you were able to create a user via API, this user would not be able to log in without having a third party auth account attached. What is your use-case, is it pre-seeding users?

We’re using the following config (it's a tutor config plugin straight from our internal docs, but you can of course extract the required config) with SAML; users are then created automatically when they log in the first time:

from tutor import hooks
  
hooks.Filters.ENV_PATCHES.add_item(
    (
        "common-env-features",
        "ALLOW_PUBLIC_ACCOUNT_CREATION: true"
    )
)
  
hooks.Filters.ENV_PATCHES.add_item(
    (
        "common-env-features",
        "ENABLE_COMBINED_LOGIN_REGISTRATION: true"
    )
)
  
hooks.Filters.ENV_PATCHES.add_item(
    (
        "common-env-features",
        "ENABLE_THIRD_PARTY_AUTH: true"
    )
)

hooks.Filters.ENV_PATCHES.add_item(
    (
        "openedx-lms-common-settings",
        'AUTHENTICATION_BACKENDS += ["common.djangoapps.third_party_auth.saml.SAMLAuthBackend", "django.contrib.auth.backends.ModelBackend"]'
    )
)
  
hooks.Filters.ENV_PATCHES.add_item(
    (
        "common-env-features",
        "ENABLE_BULK_ENROLLMENT_VIEW: true"
    )
)
  
# Private and public key for SAML
# Note that the lines must not be indented, otherwise they will also be in the YAML file
hooks.Filters.ENV_PATCHES.add_item(
    (
        "openedx-auth",
        """
SOCIAL_AUTH_SAML_SP_PRIVATE_KEY: "privkey"
SOCIAL_AUTH_SAML_SP_PUBLIC_CERT: "cert"
        """
    ),
)

Note that ALLOW_PUBLIC_ACCOUNT_CREATION must be enabled, otherwise the automatic creation of new users won’t work. We’ve created a custom MFE to hide the option to register your own account instead. That’s not an ideal solution, but works for us until the other issue is resolved.

@Wasabi, we do have a separate dashboard where we use APIs from Openedx. There, in the dashboard, while logging in, if the user doesn’t already have an account in Openedx, we make an account for the user from our backend.
Since we enable ENABLE_REQUIRE_THIRD_PARTY_AUTH, we are able to let users log in to their existing account while redirecting from our dashboard to Openedx.

The screenshot I had pasted in the question, which shows the associate_by_email_if_oauth function, that was before the last commit. It has been changed in Olive as you can see in here => edx-platform/pipeline.py at 3bacb42d2962977227915a3bdf0a06ada3502383 · openedx/edx-platform · GitHub

The function is not checking whether ENABLE_REQUIRE_THIRD_PARTY_AUTH is enabled now.

Upgrading our openedx instance to Olive solved my issue!

Thanks to whoever tried to help me in this!
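
The gating discussed in this thread, as an added example (not edx-platform's code and not from any poster): a python-social-auth style pipeline step that links an OAuth login to an existing account by email only when a flag is on, the provider marks the email as verified, and exactly one active account matches. The flag name, the `User` class, the sample accounts and the `email_verified` claim are assumptions made for illustration.

```python
from dataclasses import dataclass

# Hypothetical flag for this sketch; not an Open edX setting name.
LINK_EXISTING_USERS_BY_EMAIL = True


@dataclass
class User:
    username: str
    email: str
    is_active: bool = True


# Constructed sample accounts standing in for the LMS user table.
USERS = [
    User("alice", "alice@example.com"),
    User("bob", "bob@example.com", is_active=False),
    User("carol", "carol@example.com"),
    User("carol2", "Carol@example.com"),
]


def associate_by_email(details, user=None, enabled=None):
    """Pipeline-style step: return {"user": ...} to link, or None to continue.

    `details` models the claims mapped from the OAuth provider; the
    `email_verified` key is an assumption about what the provider sends.
    """
    if enabled is None:
        enabled = LINK_EXISTING_USERS_BY_EMAIL
    if user is not None or not enabled:
        return None  # already linked, or linking switched off
    email = (details.get("email") or "").strip().lower()
    if not email or details.get("email_verified") is not True:
        return None  # never link on an address the provider has not verified
    matches = [u for u in USERS if u.email.lower() == email]
    if len(matches) != 1 or not matches[0].is_active:
        return None  # ambiguous or disabled account: do not guess
    return {"user": matches[0]}
```

Returning `None` lets the rest of the pipeline decide what happens next, for example creating a new account or rejecting the login.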
