properly detect settings.AUTHENTICATION_BACKEND changes for SSO logins

see: https://github.com/ansible/tower/issues/1979
2026-03-10 22:19:28 -02:30 · 2018-06-12 14:28:04 -04:00
parent 1733a20094
commit c3bda8e259
2 changed files with 21 additions and 0 deletions
--- a/awx/sso/middleware.py
+++ b/awx/sso/middleware.py
@@ -8,12 +8,14 @@ import urllib
 import six

 # Django
+from django.conf import settings
 from django.utils.functional import LazyObject
 from django.shortcuts import redirect

 # Python Social Auth
 from social_core.exceptions import SocialAuthBaseException
 from social_core.utils import social_logger
+from social_django import utils
 from social_django.middleware import SocialAuthExceptionMiddleware


@@ -24,6 +26,19 @@ class SocialAuthMiddleware(SocialAuthExceptionMiddleware):
            request.session['social_auth_last_backend'] = callback_kwargs['backend']

    def process_request(self, request):
+        if request.path.startswith('/sso'):
+            # django-social keeps a list of backends in memory that it gathers
+            # based on the value of settings.AUTHENTICATION_BACKENDS *at import
+            # time*:
+            # https://github.com/python-social-auth/social-app-django/blob/c1e2795b00b753d58a81fa6a0261d8dae1d9c73d/social_django/utils.py#L13
+            #
+            # our settings.AUTHENTICATION_BACKENDS can *change*
+            # dynamically as Tower settings are changed (i.e., if somebody
+            # configures Github OAuth2 integration), so we need to
+            # _overwrite_ this in-memory value at the top of every request so
+            # that we have the latest version
+            # see: https://github.com/ansible/tower/issues/1979
+            utils.BACKENDS = settings.AUTHENTICATION_BACKENDS
        token_key = request.COOKIES.get('token', '')
        token_key = urllib.quote(urllib.unquote(token_key).strip('"'))