I have a django application that uses django-social-auth and allows for three types of SSO authentication, Google, Office 365, and SAML2.0. In the case of SAML2.0, the application allows the end user to specify their own IdP, and to enable that, we have a custom Database SAML Auth class, that allows us to store the users IdP information in the database, and log the user in. This works as expected, and users can sign in with SAML, Google, or Office 365, no problem.
The challenge is when I need to be redirected to a specific URL once the login has completed. This is working as expected for Google and Office 365, but not for SAML login.
As an example, I have a mobile application that authenticates via OAUTH to the django web application. When that mobile application starts its oauth flow, it goes to the authorization URL, and the gets forwarded to login. The path looks something like this:
- https://myapp.com/oauth/authorize/?client_id=something
- https://myapp.com/login/?next=/oauth/authorize/?client_id=something
- (after selecting sign in with SAML login method) https://myapp.com/login/subdomain/?next=/oauth/authorize/?client_id=something
- Redirect to IdP
- Redirect back to assertion consumer url https://myapp.com/login/sso/saml/complete/
- Redirect to account page https://myapp.com/manage/ (not https://myapp.com/oauth/authorize/?client_id=something as expected)
The frustration of course is that this breaks the oauth flow of my mobile application, as the user is logged into the web application, but never authorizes the mobile application.
According to python social auth documentation the value of ?next= should be used if present to redirect the user after a successful authentication.
I have done a lot of debugging, and I can see in the social-core do_auth
method that the next parameter is indeed added to the session as expected.
But, when I debug and look at the session returned in the social-core do_complete
method after the IdP posts the user back to my application, the session is empty and doesn't contain any data, including not having my next parameter.
At one point, all of this worked as expected. However, it has stopped working and I can not find any code change that seems to point to why this is the case. My question to the greater community is, have I missed something that might resolve my issue and set me back on the path where SAML login redirects as expected.
Some further details that may be helpful:
- Django version 2.2.24
- Python 3.6
- social-auth-app-django versions 3.0.0 and 5.0.0 tested
- social-auth-core versions 3.3.3 and 4.1.0 tested
My middlewares (note many of these are custom middlewares as part of our application):
MIDDLEWARE = [
'instana.instrumentation.django.middleware.InstanaMiddleware',
'eb.middleware.HealthCheckMiddleware',
'eb.middleware.OriginalXForwardedProtoMiddleware',
'eb.middleware.DebugMiddleware',
'eb.middleware.ContentSecurityPolicy',
'django_cookies_samesite.middleware.CookiesSameSite',
'common.middleware.RequestIDMiddleware',
'common.middleware.APIErrorHandler',
'corsheaders.middleware.CorsMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
'django.middleware.locale.LocaleMiddleware',
'django.middleware.common.CommonMiddleware',
'django.middleware.csrf.CsrfViewMiddleware',
'django.middleware.clickjacking.XFrameOptionsMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'accounts.middleware.TwoFactorMiddleware',
'accounts.middleware.PasswordChangeMiddleware',
'accounts.middleware.VerifyActiveMiddleware',
'django.contrib.messages.middleware.MessageMiddleware',
'django.middleware.gzip.GZipMiddleware',
'billing.middleware.CartMiddleware',
'accounts.middleware.SentryContextMiddleware',
'accounts.middleware.SocialAuthExceptionMiddleware',
'accounts.middleware.RealIPMethodMiddleware',
'common.sqla.middleware.SQLAlchemyMiddleware',
'django.middleware.security.SecurityMiddleware',
]
Already attempted troubleshooting steps:
- Remove / rearrange middlewares
- Change settings in the django application both for session cookies and SOCIAL_AUTH security settings
- Run several PDB sessions to see the session setting and getting noted above
Thank you for any help in advance.