Bug: Infinite Redirect with IExternalAuthenticationPlugin.CreateUserUrl

We have been using a custom external auth plugin implementing IExternalAuthenticationPlugin for a long time now.  In the upgrade from 10.2 to 10.3, the user registration functionality was broken.  It appears that the platform now automatically redirects from /user/createuser to whatever is defined in the IExternalAuthenticationPlugin.CreateUserUrl property.  However, if the CreateUserUrl property is /user/createuser, it produces an infinite redirect.

Here is a simple plugin that will cause the redirect issue:

using System.Web;
using Telligent.Evolution.Extensibility.Security.Version2;
using Telligent.Evolution.Extensibility.Urls.Version1;

namespace Test.OAuth
{
    public class TestAuthPlugin: IExternalAuthenticationPlugin
    {       
        public string Name => "TEST-Authentication";
        public string Description => "TEST";

        public void Initialize()
        {
        }

        // Same path as the platform's built-in join page; this is what triggers the redirect loop.
        public string CreateUserUrl => "/user/createuser";
        public string ChangePasswordUrl => "fake";
        public string ForgottenPasswordUrl => "fake";
        public string LoginUrl => "fake";
        public string LogoutUrl => "fake";
        public string ReturnUrlParameter => "returnUrl";

        public int? GetAuthenticatedUserId(AuthenticationOptions options)
        {            
            return null;
        }
    }
}

  • Hi . Thanks for the report! I can confirm that using /user/createuser as the CreateUserUrl of an IExternalAuthenticationPlugin will cause an infinite redirect, and I've logged this as TE-14491.

    TE-14491

    This is actually a side effect of a bug fix included with version 10.2.4 last November.

    TE-10449

    TE-10449 intended to restrict access to create, login, and other related pages when an IExternalAuthenticationPlugin SSO plugin is enabled. While it should take better care to avoid an infinite redirect in the case that CreateUserUrl matches the platform's own join page, this was likely an unforeseen scenario. Can you share a little context on how you're using IExternalAuthenticationPlugin plugins while also still using /user/createuser?

  • We are using the built-in page at /user/createuser with some custom widgets to handle user registration. The widget contacts the IdP to create the account and also creates the community account.  This could be done on a separate custom page, but instead of creating additional custom objects, we opted to use the existing page.

  • I understand. For now, a custom page would be a good workaround. Alternatively, if you want to keep it fully encapsulated in your plugin, you could implement INavigable on your plugin to define the page -- which happens to also be how /user/createuser is defined internally.

  • Telligent Community, 1 month ago
    TE-14491: Infinite redirect when IExternalAuthenticationPlugin.CreateUserUrl matches /user/createuser has been declined as "Won't Do"
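
A sketch of the kind of guard discussed in the thread, as an added example that is not part of the original posts and is not Telligent's code: before a request for the join page is redirected to CreateUserUrl, the two are compared and the redirect is skipped when they resolve to the same page. The RedirectLoopGuard class, its method names and the example.test hosts are assumptions made for illustration.

```csharp
using System;

namespace Example.RedirectGuard
{
    // Hypothetical helper; nothing here is a Telligent API.
    public static class RedirectLoopGuard
    {
        // True when sending the current request to targetUrl would land on the
        // same page again (same scheme, host, port and normalized path).
        public static bool TargetsSamePage(Uri requestUrl, string targetUrl)
        {
            if (requestUrl == null) throw new ArgumentNullException(nameof(requestUrl));
            if (string.IsNullOrWhiteSpace(targetUrl)) return false;

            // Relative targets such as "/user/createuser" resolve against the
            // request; absolute targets (an external IdP) are taken as given.
            if (!Uri.TryCreate(requestUrl, targetUrl.Trim(), out Uri target)) return false;

            bool sameOrigin =
                string.Equals(requestUrl.Scheme, target.Scheme, StringComparison.OrdinalIgnoreCase) &&
                string.Equals(requestUrl.Host, target.Host, StringComparison.OrdinalIgnoreCase) &&
                requestUrl.Port == target.Port;

            // The query string is ignored on purpose: a different returnUrl
            // value does not make it a different page.
            return sameOrigin && string.Equals(
                Normalize(requestUrl.AbsolutePath), Normalize(target.AbsolutePath),
                StringComparison.OrdinalIgnoreCase);
        }

        // Decode percent-escapes and drop trailing slashes before comparing.
        private static string Normalize(string path)
        {
            string trimmed = Uri.UnescapeDataString(path).TrimEnd('/');
            return trimmed.Length == 0 ? "/" : trimmed;
        }
    }

    public static class Program
    {
        public static void Main()
        {
            // Constructed sample request and candidate CreateUserUrl values.
            var request = new Uri("https://community.example.test/user/createuser?returnUrl=%2F");
            string[] targets = { "/user/createuser", "/User/CreateUser/",
                "https://idp.example.test/register", "/custom/join" };
            foreach (string t in targets)
                Console.WriteLine(t + " -> " + (RedirectLoopGuard.TargetsSamePage(request, t)
                    ? "serve the page (redirect would loop)" : "redirect"));
        }
    }
}
```

The same comparison can be run by a plugin author against their own CreateUserUrl value before deploying, to catch a configuration that points the platform back at its own join page.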