User gets 405 Method not allowed, when logging in using Okta SAML, while having an active session #12087

Open
adeptula7b opened this issue Nov 20, 2024 · 1 comment
Labels
bug Something isn't working

Comments

adeptula7b commented Nov 20, 2024

Describe the bug
Referring to yesterday's discussion with Jens. We have a problem with the Okta SAML connection. When a user is already logged in to our application and tries to log in through Okta, he gets 405 Method Not Allowed from source/saml/.../acs and gets stuck on an empty page. If the user is not logged in, it's fine. We also see in the logs:

IntegrityError('duplicate key value violates unique constraint \"authentik_core_usersourc_user_id_source_id_ad1f5aa7_uniq\"\\nDETAIL:  Key (user_id, source_id)=(1006, 52889114-3e77-49c7-9737-c3c3a39ff0c1) already exists.').

This started to occur after the update from 2024.4 to 2024.8, and is still relevant in 2024.10.1.

To Reproduce
Steps to reproduce the behavior:

  1. Create an Okta connection
  2. Try to log in through Okta
  3. User gets logged in correctly
  4. Without logging out, go to Okta again and try to log in again
  5. We get a 405 error from source/saml/.../acs

Seems like the cause is in authentik.core.sources.flow_manager. In 2024.4 it used to have new_connection.save():

    def get_action(self, **kwargs) -> tuple[Action, UserSourceConnection | None]:  # noqa: PLR0911
        """decide which action should be taken"""
        new_connection = self.connection_type(source=self.source, identifier=self.identifier)
        # When request is authenticated, always link
        if self.request.user.is_authenticated:
            new_connection.user = self.request.user
            new_connection = self.update_connection(new_connection, **kwargs)

            new_connection.save()

which threw an error on insert that was caught by:

    def get_flow(self, **kwargs) -> HttpResponse:
        """Get the flow response based on user_matching_mode"""
        try:
            action, connection = self.get_action(**kwargs)
        except IntegrityError as exc:
            self._logger.warning("failed to get action", exc=exc)
            return redirect(reverse("authentik_core:root-redirect"))

Now the insert was moved further, hence there is no redirection.

Expected behavior
Instead of an empty page, we get redirected.

Screenshots
image

Version and Deployment (please complete the following information):

  • authentik version: 2024.10.1
  • Deployment: docker-compose, helm

Additional context
Add any other context about the problem here.

@adeptula7b adeptula7b added the bug Something isn't working label Nov 20, 2024
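
The failure mode described in the issue above, reduced to a runnable sketch that is an added example and not authentik code: a unique constraint on (user_id, source_id), an insert that sits inside the `try` versus one that runs after it, and a hypothetical idempotent variant (not the change made in #12080). The table, function names and sample values are assumptions, SQLite stands in for the real database, and how the web framework renders the escaped exception is not modelled.

```python
import sqlite3

REDIRECT = "redirect:root"  # stand-in for redirect(reverse("authentik_core:root-redirect"))
LINKED = "linked"

def make_db():
    """In-memory table with a (user_id, source_id) unique constraint (assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE conn (user_id INTEGER, source_id TEXT, identifier TEXT,"
               " UNIQUE (user_id, source_id))")
    return db

def save(db, user_id, source_id, identifier):
    db.execute("INSERT INTO conn VALUES (?, ?, ?)", (user_id, source_id, identifier))

def flow_insert_guarded(db, user_id, source_id, identifier):
    """Shape described for 2024.4: the insert runs inside the try block."""
    try:
        save(db, user_id, source_id, identifier)
    except sqlite3.IntegrityError:
        return REDIRECT  # duplicate link: the user is sent to the root redirect
    return LINKED

def flow_insert_deferred(db, user_id, source_id, identifier):
    """Shape described for 2024.8+: the guarded step no longer writes."""
    try:
        pending = (user_id, source_id, identifier)  # builds the object only
    except sqlite3.IntegrityError:
        return REDIRECT  # unreachable: nothing above touches the database
    save(db, *pending)  # a duplicate raises here, outside the handler
    return LINKED

def flow_idempotent(db, user_id, source_id, identifier):
    """Hypothetical alternative: a repeat login reuses the existing row."""
    db.execute("INSERT OR IGNORE INTO conn VALUES (?, ?, ?)",
               (user_id, source_id, identifier))
    return LINKED

def link_count(db):
    return db.execute("SELECT COUNT(*) FROM conn").fetchone()[0]

def second_login_escapes(flow):
    """True if a repeat login lets IntegrityError escape the flow function."""
    db = make_db()
    flow(db, 1, "okta-saml", "alice")  # constructed sample values
    try:
        flow(db, 1, "okta-saml", "alice")
    except sqlite3.IntegrityError:
        return True
    return False
```
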
Member

BeryJu commented Nov 20, 2024

fixed by #12080, will be included in 2024.10.3
