fix multiple redirects, add e2e test

Signed-off-by: Jens Langhammer <[email protected]>

Author: BeryJu

authentik/policies/templates/policies/buffer.html

@@ -6,7 +6,9 @@
 {% block head %}
 {{ block.super }}
 <script>
+  let redirecting = false;
   const checkAuth = async () => {
+    if (redirecting) return true;
     const url = "{{ check_auth_url }}";
     console.debug("authentik/policies/buffer: Checking authentication...");
     try {
@@ -17,6 +19,7 @@
         return false
       }
       console.debug("authentik/policies/buffer: Continuing");
+      redirecting = true;
       if ("{{ auth_req_method }}" === "post") {
         document.querySelector("form").submit();
       } else {

authentik/policies/views.py

@@ -173,13 +173,17 @@ class BufferedPolicyAccessView(PolicyAccessView):
     def handle_no_permission(self):
         plan: FlowPlan | None = self.request.session.get(SESSION_KEY_PLAN)
         if not plan:
+            LOGGER.debug("Not buffering request, no flow plan active")
             return super().handle_no_permission()
         flow = Flow.objects.filter(pk=plan.flow_pk).first()
         if not flow or flow.designation != FlowDesignation.AUTHENTICATION:
+            LOGGER.debug("Not buffering request, no flow or flow not for authentication")
             return super().handle_no_permission()
         if self.request.GET.get(QS_SKIP_BUFFER):
+            LOGGER.debug("Not buffering request, explicit skip")
             return super().handle_no_permission()
         buffer_id = str(uuid4())
+        LOGGER.debug("Buffering access request", bf_id=buffer_id)
         self.request.session[SESSION_KEY_BUFFER % buffer_id] = {
             "body": self.request.POST,
             "url": self.request.build_absolute_uri(self.request.get_full_path()),
@@ -192,5 +196,5 @@ def handle_no_permission(self):
     def dispatch(self, request, *args, **kwargs):
         response = super().dispatch(request, *args, **kwargs)
         if QS_BUFFER_ID in self.request.GET:
-            self.request.session.pop(SESSION_KEY_BUFFER % self.request.GET[QS_BUFFER_ID])
+            self.request.session.pop(SESSION_KEY_BUFFER % self.request.GET[QS_BUFFER_ID], None)
         return response

tests/e2e/test_provider_oauth2_grafana.py

@@ -410,3 +410,77 @@ def test_authorization_denied(self):
             self.driver.find_element(By.CSS_SELECTOR, "header > h1").text,
             "Permission denied",
         )
+
+    @retry()
+    @apply_blueprint(
+        "default/flow-default-authentication-flow.yaml",
+        "default/flow-default-invalidation-flow.yaml",
+    )
+    @apply_blueprint("default/flow-default-provider-authorization-implicit-consent.yaml")
+    @apply_blueprint("system/providers-oauth2.yaml")
+    @reconcile_app("authentik_crypto")
+    def test_authorization_consent_implied_parallel(self):
+        """test OpenID Provider flow (default authorization flow with implied consent)"""
+        # Bootstrap all needed objects
+        authorization_flow = Flow.objects.get(
+            slug="default-provider-authorization-implicit-consent"
+        )
+        provider = OAuth2Provider.objects.create(
+            name=generate_id(),
+            client_type=ClientTypes.CONFIDENTIAL,
+            client_id=self.client_id,
+            client_secret=self.client_secret,
+            signing_key=create_test_cert(),
+            redirect_uris=[
+                RedirectURI(
+                    RedirectURIMatchingMode.STRICT, "http://localhost:3000/login/generic_oauth"
+                )
+            ],
+            authorization_flow=authorization_flow,
+        )
+        provider.property_mappings.set(
+            ScopeMapping.objects.filter(
+                scope_name__in=[
+                    SCOPE_OPENID,
+                    SCOPE_OPENID_EMAIL,
+                    SCOPE_OPENID_PROFILE,
+                    SCOPE_OFFLINE_ACCESS,
+                ]
+            )
+        )
+        Application.objects.create(
+            name=generate_id(),
+            slug=self.app_slug,
+            provider=provider,
+        )
+
+        self.driver.get(self.live_server_url)
+        login_window = self.driver.current_window_handle
+
+        self.driver.switch_to.new_window("tab")
+        grafana_window = self.driver.current_window_handle
+        self.driver.get("http://localhost:3000")
+        self.driver.find_element(By.CLASS_NAME, "btn-service--oauth").click()
+
+        self.driver.switch_to.window(login_window)
+        self.login()
+
+        self.driver.switch_to.window(grafana_window)
+        self.wait_for_url("http://localhost:3000/?orgId=1")
+        self.driver.get("http://localhost:3000/profile")
+        self.assertEqual(
+            self.driver.find_element(By.CLASS_NAME, "page-header__title").text,
+            self.user.name,
+        )
+        self.assertEqual(
+            self.driver.find_element(By.CSS_SELECTOR, "input[name=name]").get_attribute("value"),
+            self.user.name,
+        )
+        self.assertEqual(
+            self.driver.find_element(By.CSS_SELECTOR, "input[name=email]").get_attribute("value"),
+            self.user.email,
+        )
+        self.assertEqual(
+            self.driver.find_element(By.CSS_SELECTOR, "input[name=login]").get_attribute("value"),
+            self.user.email,
+        )