Social account not auto link

Duc_Trung_Mai · January 15, 2023, 5:05am

hi all,

I’m integrating Keycloak with Openedx,

After successfully login from Keycloak, when it redirects to openedx, it’s saying:

You have successfully signed into Keycloak, but your Keycloak account does not have a linked Openedx account. To link your accounts, sign in now using your Openedx password

I checked, and it’s because I manually click Unlink Keyloak account from my Openedx > Account

But then, when I test with fresh new deployment of Lilac (with Tutor), the linking is auto, even if after manually Unlink account

Felipe · January 16, 2023, 7:46pm

Hello,

The pipeline of steps that runs the whole third party authentication system is very flexible and there are many ways of configuring it.
If you have not changed the default settings, then the TPA pipeline should be governed by:

github.com

openedx/edx-platform/blob/master/common/djangoapps/third_party_auth/settings.py#L50


      
          django_settings.SOCIAL_AUTH_SANITIZE_REDIRECTS = False
          
          
# Adding extra key value pair in the url query string for microsoft as per request
          django_settings.SOCIAL_AUTH_AZUREAD_OAUTH2_AUTH_EXTRA_ARGUMENTS = {'msafed': 0}
          
          
# Avoid default username check to allow non-ascii characters
          django_settings.SOCIAL_AUTH_CLEAN_USERNAMES = not settings.FEATURES.get("ENABLE_UNICODE_USERNAME")
          
          
# Inject our customized auth pipeline. All auth backends must work with
          # this pipeline.
          django_settings.SOCIAL_AUTH_PIPELINE = [
              'common.djangoapps.third_party_auth.pipeline.parse_query_params',
              'social_core.pipeline.social_auth.social_details',
              'social_core.pipeline.social_auth.social_uid',
              'social_core.pipeline.social_auth.auth_allowed',
              'social_core.pipeline.social_auth.social_user',
              'common.djangoapps.third_party_auth.pipeline.associate_by_email_if_login_api',
              'common.djangoapps.third_party_auth.pipeline.associate_by_email_if_saml',
              'common.djangoapps.third_party_auth.pipeline.associate_by_email_if_oauth',
              'common.djangoapps.third_party_auth.pipeline.get_username',
              'common.djangoapps.third_party_auth.pipeline.set_pipeline_timeout',

You could look into the following steps to see if your user does not meet the requirements for any of them.

'common.djangoapps.third_party_auth.pipeline.associate_by_email_if_login_api',
'common.djangoapps.third_party_auth.pipeline.associate_by_email_if_saml',
'common.djangoapps.third_party_auth.pipeline.associate_by_email_if_oauth',
'social_core.pipeline.social_auth.associate_user',

The last one you can find it in: social-core/social_auth.py at master · python-social-auth/social-core · GitHub

zameel7 · March 22, 2023, 4:18am

@Felipe , How would I create a plugin to change the pipeline?
I wanted to make some edits in 'common.djangoapps.third_party_auth.pipeline.associate_by_email_if_oauth'.

Duc_Trung_Mai · March 22, 2023, 10:29am

I realized that it’s because of I keep both normal login and oauth login.

After setting ENABLE_REQUIRE_THIRD_PARTY_AUTH=true it works fine

Felipe · March 23, 2023, 5:10pm

You can see an example here:

github.com

eduNEXT/eox-tenant/blob/master/eox_tenant/pipeline.py#L15


      
          
          class EoxTenantAuthException(ValueError):
              """Auth process exception."""
          
              def __init__(self, backend, *args, **kwargs):
                  self.backend = backend
                  super().__init__(*args, **kwargs)
          
          
          # pylint: disable=unused-argument,keyword-arg-before-vararg
          def safer_associate_by_email(backend, details, user=None, *args, **kwargs):
              """
              Associate current auth with a user with the same email address in the DB.
              This pipeline entry is not 100% secure. It is better suited however for the
              multi-tenant case so we allow it for certain tenants.
          
              It replaces:
              https://github.com/python-social-auth/social-core/blob/master/social_core/pipeline/social_auth.py
              """
              if user:
                  return None

You would create a new step in your plugin and then alter the settings so that you replace the step 'common.djangoapps.third_party_auth.pipeline.associate_by_email_if_oauth' with your own.

Topic		Replies	Views
API to link Open edX account with the account on third party authentication providers Site Operators	5	2230	July 13, 2021
OAuth for Auth0 that auto links existing users Site Operations Help how-to , tutor	5	677	June 28, 2023
Linkedin oauth2 Architecture how-to	1	515	August 13, 2021
Error at login with Keycloak third-party authentication Site Operations Help	2	910	September 15, 2021
SAML openedx and Simplesamlphp SAML idp connection Development	2	187	November 8, 2023

Social account not auto link

Related topics