Bug: Infinite Redirect with IExternalAuthenticationPlugin.CreateUserUrl

We have been using a custom external auth plugin implementing IExternalAuthenticationPlugin for a long time now.  In the upgrade from 10.2 to 10.3, the user registration functionality was broken.  It appears that the platform now automatically redirects from /user/createuser to whatever is defined in the IExternalAuthenticationPlugin.CreateUserUrl property.  However, if the CreateUserUrl property is /user/createuser, it produces an infinite redirect.

Here is a simple plugin that will cause the redirect issue:

using System.Web;
using Telligent.Evolution.Extensibility.Security.Version2;
using Telligent.Evolution.Extensibility.Urls.Version1;

namespace Test.OAuth
{
    public class TestAuthPlugin: IExternalAuthenticationPlugin
    {       
        public string Name => "TEST-Authentication";
        public string Description => "TEST";

        public void Initialize()
        {
        }

        public string CreateUserUrl => "/user/createuser";
        public string ChangePasswordUrl => "fake";
        public string ForgottenPasswordUrl => "fake";
        public string LoginUrl => "fake";
        public string LogoutUrl => "fake";
        public string ReturnUrlParameter => "returnUrl";

        public int? GetAuthenticatedUserId(AuthenticationOptions options)
        {            
            return null;
        }
    }
}

  • Hi . Thanks for the report! I can confirm that using /user/createuser as the CreateUserUrl of an IExternalAuthenticationPlugin will cause an infinite redirect, and I've logged this as TE-14491.

    TE-14491

    This is actually a side effect of a bug fix included with version 10.2.4 last November.

    TE-10449

    TE-10449 intended to restrict access to create, login, and other related pages when an IExternalAuthenticationPlugin SSO plugin is enabled. While it should take better care to avoid an infinite redirect in the case that CreateUserUrl matches the platform's own join page, this was likely an unforeseen scenario. Can you share a little context on how you're using IExternalAuthenticationPlugin plugins while also still using /user/createuser?
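
The check the reply describes (do not redirect when the configured URL is the page already being requested), as an added example that is not part of the thread and not Telligent's code. `RedirectLoopGuard`, its methods and the `community.example` host are hypothetical names, and the case-insensitive path comparison is an assumption about how the site routes URLs.

```csharp
using System;

// Hypothetical helper, not a Telligent API: decides whether redirecting the
// current request to a plugin-supplied URL would land on the same page again.
public static class RedirectLoopGuard
{
    public static bool PointsAtSamePage(Uri currentRequest, string configuredUrl)
    {
        if (string.IsNullOrWhiteSpace(configuredUrl)) return false;

        // Resolve relative values such as "/user/createuser" against the request.
        if (!Uri.TryCreate(currentRequest, configuredUrl, out Uri target)) return false;

        bool sameOrigin = Uri.Compare(currentRequest, target,
            UriComponents.SchemeAndServer, UriFormat.Unescaped,
            StringComparison.OrdinalIgnoreCase) == 0;

        // The query string is ignored: a returnUrl parameter appended by the
        // redirect itself must not make the two URLs look different.
        return sameOrigin && NormalizePath(currentRequest) == NormalizePath(target);
    }

    private static string NormalizePath(Uri uri)
    {
        // Assumption: routes are case-insensitive and ignore a trailing slash.
        string path = Uri.UnescapeDataString(uri.AbsolutePath).TrimEnd('/');
        return path.Length == 0 ? "/" : path.ToLowerInvariant();
    }

    public static string Decide(Uri currentRequest, string configuredUrl) =>
        PointsAtSamePage(currentRequest, configuredUrl)
            ? "serve page (redirect would loop)"
            : "redirect to " + configuredUrl;
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample request and CreateUserUrl values.
        var request = new Uri("https://community.example/user/createuser?returnUrl=%2F");
        string[] createUserUrls =
        {
            "/user/createuser", "/User/CreateUser/", "https://idp.example/register", "fake"
        };
        foreach (string url in createUserUrls)
            Console.WriteLine($"{url,-30} -> {RedirectLoopGuard.Decide(request, url)}");
    }
}
```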
