Confirming password impossible with custom authentication backend #10380
Comments
This issue has gone three weeks without activity. In another week, I will close it. But! If you comment or otherwise update it, I will reset the clock, and if you label it "A weed is but an unloved flower." ― Ella Wheeler Wilcox 🥀
The current behavior won't change, except that it will be possible to confirm your password in admin panel if custom authentication backend doesn't store password in DB. Fixes GH-10380
Is this still a valid issue, @realkosty?
Hey @chadwhitacre. We had a SaaS customer using SSO report being unable to delete a project because they are prompted for a password which they don't have. @leedongwei said the existing issue covers that.
Routing to @getsentry/product-owners-sign-in for triage ⏲️
Important Details
How are you running Sentry?
Description
I have a custom authentication backend which uses my corporate authentication provider. The backend will create a new user on first login. The company policy doesn't allow storing user passwords in application databases, so the password will be empty in the Sentry DB. In future, if the user would like to log in, the password will be validated with corporate authentication again. This functionality works fine by registering the custom authentication backend in Django via the sentry.conf.py file.
The problem is when the user wants to perform an admin action. Sentry wants the user to confirm their password. To do that, it uses the `check_password()` method from the `User` model. The problem is that `check_password()` tests the password against the one stored in the database. If the user has logged in via a custom backend which doesn't store the password, it is impossible to confirm the password.
Steps to Reproduce
What you expected to happen
Sentry should use the custom backend to validate the user password.
Possible Solution
This can be fixed by overriding or monkey-patching the `check_password()` method in the User model, but it doesn't seem to be a clean solution, especially when you're using multiple custom backends (we do that in our company). I think the `check_password()` usage should be replaced with the `authenticate()` function which is defined by the backend. This would be the easiest and cleanest solution.
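The mismatch the issue describes, as an added example that is not code from the issue, from Sentry or from Django: Django's `AUTHENTICATION_BACKENDS` setting lists backends whose `authenticate()` is tried in order, while `User.check_password()` only compares against the hash stored in the database. The classes below are constructed stand-ins for that contract (no Django import, so it runs offline); the corporate directory, the user names and the PBKDF2 layout are all constructed sample data, and `confirm_via_backends()` is the hypothetical replacement the issue proposes.

```python
# Added example, not code from the Sentry issue, Sentry or Django. It models the
# contract the issue relies on: Django's settings.AUTHENTICATION_BACKENDS lists
# backends whose authenticate() is tried in order, while User.check_password()
# only compares against the hash stored in the DB. Everything here is a
# constructed stand-in (no Django import) so it runs offline.
import hashlib
import hmac
import secrets

ITERATIONS = 100_000


def make_password(raw):
    """Constructed PBKDF2 hash in a Django-like "algo$salt$digest" layout."""
    salt = secrets.token_hex(8)
    digest = hashlib.pbkdf2_hmac("sha256", raw.encode(), salt.encode(), ITERATIONS).hex()
    return f"pbkdf2_sha256${salt}${digest}"


class User:
    """Minimal stand-in for the auth User model."""

    def __init__(self, username, password=""):
        self.username = username
        # "" models the empty password an SSO-created user has in the DB.
        self.password = password

    def check_password(self, raw):
        # This is what the confirm-password step does today: DB hash only.
        if not self.password:
            return False
        _algo, salt, digest = self.password.split("$")
        calc = hashlib.pbkdf2_hmac("sha256", raw.encode(), salt.encode(), ITERATIONS).hex()
        return hmac.compare_digest(calc, digest)


class ModelBackend:
    """Stand-in for django.contrib.auth.backends.ModelBackend."""

    def __init__(self, users):
        self.users = users

    def authenticate(self, username, password):
        user = self.users.get(username)
        return user if user is not None and user.check_password(password) else None


class CorporateBackend:
    """Stand-in for the issue's custom backend: validates against a corporate
    directory (a constructed dict here) and creates the local user on first
    login without ever storing the password."""

    def __init__(self, directory, users):
        self.directory = directory
        self.users = users

    def authenticate(self, username, password):
        expected = self.directory.get(username)
        if expected is None or not hmac.compare_digest(expected, password):
            return None
        return self.users.setdefault(username, User(username, password=""))


def confirm_via_backends(backends, user, raw):
    """Hypothetical fix the issue proposes: re-authenticate through the
    configured backends instead of trusting the stored hash. A backend that
    returns None or a different account does not confirm this user."""
    for backend in backends:
        result = backend.authenticate(user.username, raw)
        if result is not None and result.username == user.username:
            return True
    return False


def build_fixture():
    """Constructed data: one local user with a stored hash, one SSO user
    created by the corporate backend on first login."""
    users = {"bob": User("bob", make_password("bob-local-pw"))}
    directory = {"alice": "alice-corp-pw"}
    backends = [ModelBackend(users), CorporateBackend(directory, users)]
    backends[1].authenticate("alice", "alice-corp-pw")  # first login creates alice
    return backends, users


if __name__ == "__main__":
    backends, users = build_fixture()
    alice = users["alice"]
    print("check_password for SSO user:", alice.check_password("alice-corp-pw"))
    print("authenticate() chain for SSO user:", confirm_via_backends(backends, alice, "alice-corp-pw"))
```

Running the block shows the two outcomes side by side: `check_password()` returns False for the SSO-created user even with the correct corporate password, because there is nothing in the DB to compare against, while the backend chain confirms it. The identity check on the returned account matters: a backend that happens to accept the credentials for some other user must not count as confirming the current one.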