Problem registering a new user from the CMS

This is a continuation of the discussion started on the edX Slack. I’ll mention all the valuable data from that discussion here.

Preconditions:

  • Studio is configured to use LMS SSO as described in the studio oauth guide.
  • Studio has a separate SESSION_COOKIE_NAME different from the LMS one.

The problem:

Registration started from the Studio leads to errors. The user isn’t logged in after the registration. The problem reproduces until the user logged into LMS as inactive (which is done automatically after registration).


Error logs:

Traceback (most recent call last):
  File "/edx/app/edxapp/venvs/edxapp/lib/python3.8/site-packages/django/core/handlers/exception.py", line 47, in inner
    response = get_response(request)
  File "/edx/app/edxapp/venvs/edxapp/lib/python3.8/site-packages/django/core/handlers/base.py", line 181, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/usr/lib/python3.8/contextlib.py", line 75, in inner
    return func(*args, **kwds)
  File "/edx/app/edxapp/venvs/edxapp/lib/python3.8/site-packages/django/views/decorators/cache.py", line 44, in _wrapped_view_func
    response = view_func(request, *args, **kwargs)
  File "/edx/app/edxapp/venvs/edxapp/lib/python3.8/site-packages/django/views/decorators/csrf.py", line 54, in wrapped_view
    return view_func(*args, **kwargs)
  File "/edx/app/edxapp/venvs/edxapp/lib/python3.8/site-packages/social_django/utils.py", line 46, in wrapper
    return func(request, backend, *args, **kwargs)
  File "/edx/app/edxapp/venvs/edxapp/lib/python3.8/site-packages/social_django/views.py", line 31, in complete
    return do_complete(request.backend, _do_login, user=request.user,
  File "/edx/app/edxapp/venvs/edxapp/lib/python3.8/site-packages/social_core/actions.py", line 45, in do_complete
    user = backend.complete(user=user, *args, **kwargs)
  File "/edx/app/edxapp/venvs/edxapp/lib/python3.8/site-packages/social_core/backends/base.py", line 40, in complete
    return self.auth_complete(*args, **kwargs)
  File "/edx/app/edxapp/venvs/edxapp/lib/python3.8/site-packages/auth_backends/backends.py", line 98, in auth_complete
    user = super().auth_complete(*args, **kwargs)
  File "/edx/app/edxapp/venvs/edxapp/lib/python3.8/site-packages/social_core/utils.py", line 251, in wrapper
    raise AuthCanceled(args[0], response=err.response)
social_core.exceptions.AuthCanceled: Authentication process canceled
2022-06-30 08:57:15,435 ERROR 4089285 [django.request] [user None] [ip 10.0.255.252] log.py:224 - Internal Server Error: /complete/edx-oauth2/
Traceback (most recent call last):
  File "/edx/app/edxapp/venvs/edxapp/lib/python3.8/site-packages/social_core/utils.py", line 248, in wrapper
    return func(*args, **kwargs)
  File "/edx/app/edxapp/venvs/edxapp/lib/python3.8/site-packages/social_core/backends/oauth.py", line 382, in auth_complete
    response = self.request_access_token(
  File "/edx/app/edxapp/venvs/edxapp/lib/python3.8/site-packages/social_core/backends/oauth.py", line 360, in request_access_token
    return self.get_json(*args, **kwargs)
  File "/edx/app/edxapp/venvs/edxapp/lib/python3.8/site-packages/social_core/backends/base.py", line 242, in get_json
    return self.request(url, *args, **kwargs).json()
  File "/edx/app/edxapp/venvs/edxapp/lib/python3.8/site-packages/social_core/backends/base.py", line 238, in request
    response.raise_for_status()
  File "/edx/app/edxapp/venvs/edxapp/lib/python3.8/site-packages/requests/models.py", line 960, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 400 Client Error: Bad Request for url: https://lms-maple-dev.raccoongang.com/oauth2/access_token

Additional Info:

  • the problem reproduces on edx.org (proved by @Tim_McCormack);
  • the problem disappears if the user account is activated;
  • the errors I’ve attached above are caused by recursion. There is a loop: LMS authorises user => getting the access_token => redirecting to CMS/complete/edx-oauth2 => CMS calls LMS/authorize endpoint again => …loop repeats… => LMS/oauth/access_token breaks the loop with 400 error (I suspect reaching the rate limit). Here is where the loop is caused: social-core/actions.py at master · python-social-auth/social-core · GitHub
  • tried to reproduce the issue for other IDAs (e-commerce, credentials, discovery). Registered a new account in the LMS, got the logged-in session for the inactive user, and clicked the log-in button on the mentioned services => all works fine. The reason is that the user in those services is created as active regardless of active status in the LMS.

Proposal:

INACTIVE_USER_LOGIN = True  # Allow inactive users to be logged in
INACTIVE_USER_URL = 'http://localhost:18010'  # If not set user will be redirected to /login after the login itself (loop)
  • Tested mentioned settings on the stage env - the errors are eliminated, but after the registration user is not logged in to the Studio and has to click the “Sign In” button. This is because registration doesn’t start the SSO flow.
    This could be fixed by modifying the “next=” parameter for the registration link (source) to trigger the SSO login (TBD):

?next=${current_url} ==>
?next=${request.build_absolute_uri(settings.LOGIN_URL)}

Results:

  • With settings only:
    studio_registration
  • Settings + change the “next=” parameter:
    demo_studio_registration

Be welcome to help me find the best solution here! :slightly_smiling_face:

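The redirect loop described in the post, and the effect of the two proposed settings, as an added example that is not part of the original post and is not social-core's code. It is a simplified model: the `.example` hosts, the `LOGIN_ERROR_URL` fallback, and the hop limit standing in for the 400 from the access-token endpoint are assumptions.

```python
# Placeholder URLs (constructed for this example).
LMS_AUTHORIZE = "https://lms.example/oauth2/authorize"
STUDIO_LOGIN = "https://studio.example/login/"            # Studio LOGIN_URL, starts SSO
STUDIO_COMPLETE = "https://studio.example/complete/edx-oauth2/"
STUDIO_HOME = "https://studio.example/home/"


def pick_inactive_redirect(settings):
    """Return the first configured URL an inactive user is sent to."""
    for name in ("INACTIVE_USER_URL", "LOGIN_ERROR_URL", "LOGIN_URL"):
        if settings.get(name):
            return settings[name]
    raise ValueError("no redirect target configured")


def studio_complete(settings, user_active, session):
    """Model of the Studio OAuth callback's active/inactive branch."""
    if user_active:
        session["logged_in"] = True
        return STUDIO_HOME
    if settings.get("INACTIVE_USER_LOGIN", False):
        session["logged_in"] = True       # inactive user is still given a session
    return pick_inactive_redirect(settings)


def follow(settings, user_active, max_hops=10):
    """Follow redirects starting at Studio's login URL.

    max_hops is an assumption that stands in for whatever finally
    breaks the real loop (the post reports a 400 from the LMS).
    """
    session = {"logged_in": False}
    url = STUDIO_LOGIN
    for _ in range(max_hops):
        if url == STUDIO_LOGIN:
            url = LMS_AUTHORIZE           # Studio hands off to the LMS
        elif url == LMS_AUTHORIZE:
            url = STUDIO_COMPLETE         # LMS session exists, so it authorizes at once
        elif url == STUDIO_COMPLETE:
            url = studio_complete(settings, user_active, session)
        else:
            return {"outcome": "landed", "url": url, "logged_in": session["logged_in"]}
    return {"outcome": "loop", "url": url, "logged_in": session["logged_in"]}


DEFAULT = {"LOGIN_URL": STUDIO_LOGIN}
PROPOSED = dict(DEFAULT, INACTIVE_USER_LOGIN=True, INACTIVE_USER_URL=STUDIO_HOME)
```

Calling `follow(DEFAULT, user_active=False)` reports a loop, while `follow(PROPOSED, user_active=False)` lands on the Studio home page with a session.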