Feature: redirect after login/register with OAuth #910
Conversation
There was a problem hiding this comment.
This LGTM though I'm not an expert on auth/oauth/jwt, @dpgaspar should have the final word
| @@ -5,8 +5,9 @@ | |||
|
|
|||
| <script type="text/javascript"> | |||
|
|
|||
| var baseLoginUrl = {{url_for('AuthOAuthView.login')}}; | |||
| var baseRegisterUrl = {{url_for('AuthOAuthView.login')}}; | |||
| var baseLoginUrl = "{{url_for('AuthOAuthView.login')}}"; | |||
There was a problem hiding this comment.
This was interesting... we're missing the quotes, so this actually gets translated to:
var baseLoginUrl = /login/;Which works because it defines a regular expression that later gets cast to a string when it's concatenated to currentSelection!
There was a problem hiding this comment.
It's ok, I blame Javascript. :)
There was a problem hiding this comment.
Hello @dpgaspar @betodealmeida ,
I have following test case scenario , is it taken care in testing or not?
If some one logged in to FlaskAppBuilder using twitter account and in between someone delete/disable his twitter account then is user still able to use FlaskAppBuilder app (if he did not logout manually) or get Access Denied Error and How we are validating user authenticity in running application.
|
Looks good, I'll test it with some other providers. |
|
Hi, Testing with google oauth provider, using a simple login I get redirected to http://localhost:8080/None Can you help? |
|
Yeah, let me take a look. |
|
thks! |
|
@dpgaspar I fixed the |
|
Ping @dpgaspar |
|
It fails on twitter: As you can see auth works ok, and self registers the user, but there is no state on the request.args |
|
Looks like |
|
@dpgaspar I fixed the Twitter redirect. It doesn't accept the state payload, but unlike Google/Facebook it allows it in the URL, so all I had to do was change the call to I also fixed the Twitter registration: the returned user info has only the username. |
| @@ -27,7 +27,7 @@ def wraps(self, *args, **kwargs): | |||
| else: | |||
| log.warning(LOGMSG_ERR_SEC_ACCESS_DENIED.format(permission_str, self.__class__.__name__)) | |||
| flash(as_unicode(FLAMSG_ERR_SEC_ACCESS_DENIED), "danger") | |||
| return redirect(url_for(self.appbuilder.sm.auth_view.__class__.__name__ + ".login")) | |||
| return redirect(url_for(self.appbuilder.sm.auth_view.__class__.__name__ + ".login", next=request.url)) | |||
There was a problem hiding this comment.
I see this fix for only AuthOAuthView, but how do ensure this next=request.url variable will be utilized in AuthDBView, AuthLDAPView,
AuthRemoteUserView and they are sent to the index page, instead of the page they tried to visit initially.
There was a problem hiding this comment.
True @ankursinghal2005, One would have to replicate the same logic to all child classes.
Hey @betodealmeida are willing to do it?
There was a problem hiding this comment.
I'm not the right person to do it, since I don't have access to an LDAP auth server. Maybe @ankursinghal2005 can do it for the auth system they're using?
There was a problem hiding this comment.
@betodealmeida
I have tested below LDAP test server. It is working fine. You can see it for your reference. I can further work on remaining child classes after this PR gets merged into master.
Online LDAP Test Server Link
https://www.forumsys.com/tutorials/integration-how-to/ldap/online-ldap-test-server/
When using LDAP Auth, setup the ldap server
AUTH_TYPE = AUTH_LDAP
AUTH_LDAP_SERVER = "ldap://ldap.forumsys.com:389"
AUTH_LDAP_SEARCH = "dc=example,dc=com"
AUTH_LDAP_BIND_USER = "uid=riemann,dc=example,dc=com"
AUTH_LDAP_BIND_PASSWORD = "password"
|
Looks good, nice work! |
|
Just released 1.12.4 with this |
Currently, after a user goes through the authentication flow they are sent to the index page, instead of the page they tried to visit initially.
I improved the flow by storing the initial URL in a
stateparameter, that is signed and sent to the OAuth provider [see docs]. One the user has been authenticated, thestateparameter received back from the provider is used to redirect them to the initial URL.Note that the
stateis signed, to avoid a malicious provider of redirecting the user to a URL they control.I tested the workflow with Superset, and it works as expected. I only tested with Google OAuth.