This is a continuation of the discussion started in the edX Slack. I’ll mention all the valuable data from that discussion here.
- Studio is configured to use LMS SSO as described in the studio oauth guide.
- Studio has a separate SESSION_COOKIE_NAME, different from the LMS one.
Registration started from Studio leads to errors. The user isn’t logged in after the registration. The problem reproduces until the user is logged into the LMS as inactive (which is done automatically after registration).
```
Traceback (most recent call last):
  File "/edx/app/edxapp/venvs/edxapp/lib/python3.8/site-packages/django/core/handlers/exception.py", line 47, in inner
    response = get_response(request)
  File "/edx/app/edxapp/venvs/edxapp/lib/python3.8/site-packages/django/core/handlers/base.py", line 181, in _get_response
    response = wrapped_callback(request, *callback_args, **callback_kwargs)
  File "/usr/lib/python3.8/contextlib.py", line 75, in inner
    return func(*args, **kwds)
  File "/edx/app/edxapp/venvs/edxapp/lib/python3.8/site-packages/django/views/decorators/cache.py", line 44, in _wrapped_view_func
    response = view_func(request, *args, **kwargs)
  File "/edx/app/edxapp/venvs/edxapp/lib/python3.8/site-packages/django/views/decorators/csrf.py", line 54, in wrapped_view
    return view_func(*args, **kwargs)
  File "/edx/app/edxapp/venvs/edxapp/lib/python3.8/site-packages/social_django/utils.py", line 46, in wrapper
    return func(request, backend, *args, **kwargs)
  File "/edx/app/edxapp/venvs/edxapp/lib/python3.8/site-packages/social_django/views.py", line 31, in complete
    return do_complete(request.backend, _do_login, user=request.user,
  File "/edx/app/edxapp/venvs/edxapp/lib/python3.8/site-packages/social_core/actions.py", line 45, in do_complete
    user = backend.complete(user=user, *args, **kwargs)
  File "/edx/app/edxapp/venvs/edxapp/lib/python3.8/site-packages/social_core/backends/base.py", line 40, in complete
    return self.auth_complete(*args, **kwargs)
  File "/edx/app/edxapp/venvs/edxapp/lib/python3.8/site-packages/auth_backends/backends.py", line 98, in auth_complete
    user = super().auth_complete(*args, **kwargs)
  File "/edx/app/edxapp/venvs/edxapp/lib/python3.8/site-packages/social_core/utils.py", line 251, in wrapper
    raise AuthCanceled(args, response=err.response)
social_core.exceptions.AuthCanceled: Authentication process canceled

2022-06-30 08:57:15,435 ERROR 4089285 [django.request] [user None] [ip 10.0.255.252] log.py:224 - Internal Server Error: /complete/edx-oauth2/
Traceback (most recent call last):
  File "/edx/app/edxapp/venvs/edxapp/lib/python3.8/site-packages/social_core/utils.py", line 248, in wrapper
    return func(*args, **kwargs)
  File "/edx/app/edxapp/venvs/edxapp/lib/python3.8/site-packages/social_core/backends/oauth.py", line 382, in auth_complete
    response = self.request_access_token(
  File "/edx/app/edxapp/venvs/edxapp/lib/python3.8/site-packages/social_core/backends/oauth.py", line 360, in request_access_token
    return self.get_json(*args, **kwargs)
  File "/edx/app/edxapp/venvs/edxapp/lib/python3.8/site-packages/social_core/backends/base.py", line 242, in get_json
    return self.request(url, *args, **kwargs).json()
  File "/edx/app/edxapp/venvs/edxapp/lib/python3.8/site-packages/social_core/backends/base.py", line 238, in request
    response.raise_for_status()
  File "/edx/app/edxapp/venvs/edxapp/lib/python3.8/site-packages/requests/models.py", line 960, in raise_for_status
    raise HTTPError(http_error_msg, response=self)
requests.exceptions.HTTPError: 400 Client Error: Bad Request for url: https://lms-maple-dev.raccoongang.com/oauth2/access_token
```
- the problem reproduces on edx.org (proved by @Tim_McCormack);
- the problem disappears if the user account is activated;
- the errors I’ve attached above are caused by recursion. There is a loop: the LMS authorises the user => the access_token is obtained => redirect to CMS/complete/edx-oauth2 => the CMS calls the LMS/authorize endpoint again => …the loop repeats… => LMS/oauth/access_token breaks the loop with a 400 error (I suspect the rate limit is reached). Here is where the loop is caused: social-core/actions.py at master · python-social-auth/social-core · GitHub
- I tried to reproduce the issue for other IDAs (e-commerce, credentials, discovery): registered a new account in the LMS, got a logged-in session for the inactive user, and clicked the log-in button on the mentioned services => all works fine. The reason is that the user in those services is created as active regardless of the active status in the LMS.
- PR to add the social-core settings to allow an inactive user to be logged in
- The PR adds the following settings:
```
INACTIVE_USER_LOGIN = True  # Allow inactive users to be logged in
INACTIVE_USER_URL = 'http://localhost:18010'  # If not set, the user will be redirected to /login after the login itself (loop)
```
- I tested the mentioned settings on the stage env: the errors are eliminated, but after the registration the user is not logged in to Studio and has to click the “Sign In” button. This is because registration doesn’t start the SSO flow.
This could be fixed by modifying the “next=” parameter for the registration link (source) to trigger the SSO login (TBD):
- With settings only:
- Settings + change the “next=” parameter:
You are welcome to help me find the best solution here!
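Added example, not part of the original post and not social-core's own code: a small model of the redirect decision that social-core's do_complete() makes after the OAuth2 callback, as I read it (active user: log in and go to LOGIN_REDIRECT_URL; inactive user: log in only if INACTIVE_USER_LOGIN is set, then redirect to INACTIVE_USER_URL if set, else to LOGIN_URL). When Studio's LOGIN_URL is the SSO entry point, that last fallback is exactly the loop described above. The hostnames, paths and the simulated browser session are assumptions made for the simulation.

```python
"""Simulate the Studio SSO completion loop for an inactive user and show how
INACTIVE_USER_LOGIN / INACTIVE_USER_URL change the outcome.

Added example; the endpoints below are constructed placeholders and the
complete() function is a model of one branch of social-core's do_complete(),
not the library itself.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed endpoints (assumed; real deployments differ).
LMS = "https://lms.example"
CMS = "https://studio.example"
AUTHORIZE = f"{LMS}/oauth2/authorize"
COMPLETE = f"{CMS}/complete/edx-oauth2/"
SSO_LOGIN = f"{CMS}/login/edx-oauth2/"   # Studio's LOGIN_URL once SSO is on
HOME = f"{CMS}/home/"


@dataclass
class User:
    username: str
    is_active: bool


@dataclass
class StudioSettings:
    LOGIN_URL: str = SSO_LOGIN
    LOGIN_REDIRECT_URL: str = HOME
    INACTIVE_USER_LOGIN: bool = False
    INACTIVE_USER_URL: Optional[str] = None


@dataclass
class Session:
    logged_in_user: Optional[str] = None
    redirects: List[str] = field(default_factory=list)


def complete(user: User, settings: StudioSettings, session: Session) -> str:
    """Model of the user-handling branch of do_complete(): returns the URL the
    browser is redirected to after the OAuth2 callback has been processed."""
    if user.is_active:
        session.logged_in_user = user.username
        return settings.LOGIN_REDIRECT_URL
    # Inactive user: optionally establish the session, then pick the target.
    if settings.INACTIVE_USER_LOGIN:
        session.logged_in_user = user.username
    # Fallback chain: INACTIVE_USER_URL, else LOGIN_URL (LOGIN_ERROR_URL omitted
    # from the model). With SSO, LOGIN_URL restarts the very same flow.
    return settings.INACTIVE_USER_URL or settings.LOGIN_URL


def run_sso(user: User, settings: StudioSettings, max_hops: int = 10) -> Tuple[str, int, bool, bool]:
    """Follow the browser from Studio's SSO entry point until it lands on a
    URL that is not the entry point, or until max_hops is reached.

    Returns (final_url, hops, logged_in, looped). In the real deployment the
    loop is not capped by a counter but ends with the 400 from
    /oauth2/access_token seen in the tracebacks above.
    """
    session = Session()
    url = settings.LOGIN_URL
    hops = 0
    while url == settings.LOGIN_URL and hops < max_hops:
        # LOGIN_URL -> LMS authorize (the user already has an LMS session, so
        # the LMS answers immediately) -> Studio callback -> complete()
        session.redirects += [AUTHORIZE, COMPLETE]
        url = complete(user, settings, session)
        hops += 1
    looped = url == settings.LOGIN_URL
    return url, hops, session.logged_in_user is not None, looped


if __name__ == "__main__":
    inactive = User("newuser", is_active=False)
    print("defaults:        ", run_sso(inactive, StudioSettings()))
    print("login flag only: ", run_sso(inactive, StudioSettings(INACTIVE_USER_LOGIN=True)))
    print("flag + url:      ", run_sso(inactive, StudioSettings(INACTIVE_USER_LOGIN=True, INACTIVE_USER_URL=HOME)))
    print("active user:     ", run_sso(User("olduser", is_active=True), StudioSettings()))
```

The four runs reproduce the observations in the post: with default settings the inactive user is never logged in and the flow keeps returning to the SSO entry point; with only INACTIVE_USER_LOGIN the session is created but the redirect still targets LOGIN_URL, so the loop continues; only INACTIVE_USER_URL pointing somewhere other than LOGIN_URL terminates the flow with the user logged in. A cheap check in a real deployment is the same one the loop counter makes here: if the URL that do_complete() falls back to for inactive users is the URL that starts SSO, the configuration loops.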