fix: prevent silent errors during SSO (account settings)

[Gi-ron]

Description

When a user tries to link a third-party identity (SAML, OAuth2, LTI) that is already linked to a different Open edX account, the backend raises AuthAlreadyAssociated. SocialAuthExceptionMiddleware records this as a Django message and redirects to /account/settings.

That URL was a plain RedirectView that forwards straight to ACCOUNT_MICROFRONTEND_URL — it doesn't carry over Django messages or query params. The error is lost, and the user lands on the Account MFE with no explanation.

Fix

Replace the RedirectView at /account/settings with a small view, account_settings_redirect_view, that:

1. Checks for a duplicate-provider Django message (via the existing pipeline.get_duplicate_provider).
2. If found, redirects to the Account MFE with ?duplicate_provider=<provider name>, which the MFE already knows how to render as an alert.
3. If not found, redirects normally — same behavior as before.

Works for any backend (SAML, OAuth2, LTI), since it only depends on the existing message left by python-social-auth's middleware.

Files changed

• common/djangoapps/third_party_auth/views.py: added account_settings_redirect_view.
• openedx/core/djangoapps/user_api/legacy_urls.py: swapped the RedirectView for the new view.

Screenshots

The user sees a clear error message in the Linked Accounts section.

Testing

Setup

1. Configure a SAML IdP (e.g. SimpleSAMLphp) as a Third Party Auth provider in Django Admin.
2. Create two platform accounts: user_a@example.com and user_b@example.com.
3. Log in as user_a and complete the SAML login flow to link the IdP identity to user_a.
4. Log out.

Reproduce the error

5. Log in as user_b.
6. Navigate to Account MFE → Linked Accounts.
7. Click Sign in with [provider name] for the same SAML IdP.
8. Complete authentication on the IdP side using the same identity used in step 3.

[openedx-webhooks]

Thanks for the pull request, @Gi-ron!

This repository is currently maintained by @openedx/wg-maintenance-openedx-platform.

Once you've gone through the following steps feel free to tag them in a comment and let them know that your changes are ready for engineering review.

🔘 Get product approval

If you haven't already, check this list to see if your contribution needs to go through the product review process.

• If it does, you'll need to submit a product proposal for your contribution, and have it reviewed by the Product Working Group.
  • This process (including the steps you'll need to take) is documented here.
• If it doesn't, simply proceed with the next step.

🔘 Provide context

To help your reviewers and other members of the community understand the purpose and larger context of your changes, feel free to add as much of the following information to the PR description as you can:

• Dependencies

  This PR must be merged before / after / at the same time as ...

• Blockers

  This PR is waiting for OEP-1234 to be accepted.

• Timeline information

  This PR must be merged by XX date because ...

• Partner information

  This is for a course on edx.org.

• Supporting documentation
• Relevant Open edX discussion forum threads

🔘 Get a green build

If one or more checks are failing, continue working on your changes until this is no longer the case and your build turns green.

🔘 Update the status of your PR

Your PR is currently marked as a draft. After completing the steps above, update its status by clicking "Ready for Review", or removing "WIP" from the title, as appropriate.

---

Where can I find more information?

If you'd like to get more details on all aspects of the review process for open source pull requests (OSPRs), check out the following resources:

• Overview of Review Process for Community Contributions
• Pull Request Status Guide
• Making changes to your pull request

When can I expect my changes to be merged?

Our goal is to get community contributions seen and reviewed as efficiently as possible.

However, the amount of time that it takes to review and merge a PR can vary significantly based on factors such as:

• The size and impact of the changes that it introduces
• The need for product review
• Maintenance status of the parent repository

💡 As a result it may take up to several weeks or months to complete a review and merge your PR.

[mphilbrick211]

Hi @Gi-ron! It looks like you're contributing on behalf of eduNEXT. In order to have your CLA check turn green, please have your manager reach out to oscm@axim.org to have you added to our existing entity agreement.

[Gi-ron]

Hi @Gi-ron! It looks like you're contributing on behalf of eduNEXT. In order to have your CLA check turn green, please have your manager reach out to oscm@axim.org to have you added to our existing entity agreement.

Thank you! I appreciate it.

I've already been enrolled in the CLA, so I'll keep an eye on the PR and wait for the status to update. Thanks again for your comments!

[jignaciopm]

Could you check why there're some issues with CI/CD?

[felipemontoya]

I think the underlying error is clear and needs to be fixed, but the current approach requires some refactor.

[felipemontoya]

@Gi-ron also, this PR needs at least one test

[Gi-ron]

@Gi-ron also, this PR needs at least one test

I added two tests: one for the cases where exceptions are processed in the middleware, and another for the cases where legacy_urls constructs the redirect URL.

[Gi-ron]

Hi @igobranco, @felipemontoya @bra-i-am, @jignaciopm

I’ve added some changes to enable rendering error messages in the Account MFE, along with additional tests.

The main idea is to capture as many python-social-auth exceptions as possible. Unfortunately, at the moment the Account MFE only renders a user-facing message for duplicate_provider.

Could you please take a look at the changes and give me your feedback? It would be really helpful. Thanks in advance!

[jfavellar90]

Why do we send the params only on this error occurrence? Could we just send the params for any error type? The error should land in the list defined by TPA_ERROR_CODES