goauthentik / authentik

The authentication glue you need.
https://goauthentik.io

User gets 405 Method not allowed, when logging in using Okta SAML, while having an active session #12087

Open adeptula7b opened 2 days ago

adeptula7b commented 2 days ago

Describe the bug
Referring to yesterday's discussion with Jens. We have a problem with the Okta SAML connection. When a user is already logged in to our application and tries to log in through Okta, he gets 405 Method Not Allowed from source/saml/.../acs and gets stuck on an empty page. If the user is not logged in, it's fine. We also see in the logs:

IntegrityError('duplicate key value violates unique constraint \"authentik_core_usersourc_user_id_source_id_ad1f5aa7_uniq\"\\nDETAIL:  Key (user_id, source_id)=(1006, 52889114-3e77-49c7-9737-c3c3a39ff0c1) already exists.').

This started to occur after the update from 2024.4 to 2024.8, and is still relevant in 2024.10.1.

To Reproduce
Steps to reproduce the behavior:

  1. Create Okta connection
  2. Try to log in through Okta
  3. User gets logged in correctly
  4. Without logging out, go again to Okta, try to log in again
  5. We get 405 error from source/saml/.../acs

Seems like the cause is in authentik.core.sources.flow_manager. In 2024.4 it used to have new_connection.save():

    def get_action(self, **kwargs) -> tuple[Action, UserSourceConnection | None]:  # noqa: PLR0911
        """decide which action should be taken"""
        new_connection = self.connection_type(source=self.source, identifier=self.identifier)
        # When request is authenticated, always link
        if self.request.user.is_authenticated:
            new_connection.user = self.request.user
            new_connection = self.update_connection(new_connection, **kwargs)

            # 2024.4: the row is inserted here, inside get_action; a second login by an
            # already-linked user violates the unique (user_id, source_id) constraint
            new_connection.save()

which throws an error on insert that was caught by:

    def get_flow(self, **kwargs) -> HttpResponse:
        """Get the flow response based on user_matching_mode"""
        try:
            action, connection = self.get_action(**kwargs)
        except IntegrityError as exc:
            # only an IntegrityError raised inside get_action is turned into a redirect
            self._logger.warning("failed to get action", exc=exc)
            return redirect(reverse("authentik_core:root-redirect"))

Now the insert has been moved further along, hence there is no redirection.

Expected behavior
Instead of an empty page we get redirected.

Screenshots
(image attached in the original issue, not included here)

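A small Python model of the control flow the report describes, added here as an illustration and not authentik's code: an in-memory stand-in for the unique (user_id, source_id) constraint, the insert placed either inside or after the try block that catches IntegrityError, and a check-before-insert branch. The ids come from the logged error; the store, the `get_flow`/`second_login` functions and the `check_first` branch are assumptions for this example and do not represent the fix in #12080, whose contents this page does not show.

```python
from dataclasses import dataclass, field

# Ids taken from the IntegrityError in the report; the store and flow below are a constructed model.
USER_ID = 1006
SOURCE_ID = "52889114-3e77-49c7-9737-c3c3a39ff0c1"

class IntegrityError(Exception):
    """Stand-in for django.db.IntegrityError."""

@dataclass
class ConnectionStore:
    """In-memory table enforcing the unique constraint on (user_id, source_id)."""

    rows: set = field(default_factory=set)

    def exists(self, user_id: int, source_id: str) -> bool:
        return (user_id, source_id) in self.rows

    def insert(self, user_id: int, source_id: str) -> None:
        key = (user_id, source_id)
        if key in self.rows:
            raise IntegrityError(f"Key (user_id, source_id)={key} already exists.")
        self.rows.add(key)

def get_flow(store: ConnectionStore, user_id: int, source_id: str,
             insert_inside_try: bool, check_first: bool = False) -> str:
    """Model of get_flow: only an IntegrityError raised inside the try becomes a redirect."""
    try:
        if check_first and store.exists(user_id, source_id):
            return "already-linked"  # hypothetical defensive variant: never hits the constraint
        if insert_inside_try:
            store.insert(user_id, source_id)  # 2024.4 placement, as the report describes it
    except IntegrityError:
        return "redirect:root-redirect"  # the redirect the reporter expects
    if not insert_inside_try:
        store.insert(user_id, source_id)  # later placement: a duplicate is no longer caught here
    return "linked"

def second_login(insert_inside_try: bool, check_first: bool = False) -> str:
    """Simulate an already-linked user logging in through the same source again."""
    store = ConnectionStore()
    store.insert(USER_ID, SOURCE_ID)  # the first login created the link
    try:
        return get_flow(store, USER_ID, SOURCE_ID, insert_inside_try, check_first)
    except IntegrityError:
        return "unhandled"  # escapes the flow handler; the user sees an error instead of a redirect

if __name__ == "__main__":
    print({a: second_login(*a) for a in ((True,), (False,), (False, True))})
```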

BeryJu commented 2 days ago

fixed by #12080, will be included in 2024.10.3