[IMP] auth_saml: add option to display a specific error page when login fails

Author: vincent-hatakeyama

auth_saml/__manifest__.py

@@ -1,5 +1,5 @@
 # Copyright (C) 2020 GlodoUK <https://www.glodo.uk/>
-# Copyright (C) 2010-2016, 2022 XCG Consulting <http://odoo.consulting>
+# Copyright (C) 2010-2016, 2022, 2026 XCG Consulting <https://orbeet.io/>
 # License AGPL-3.0 or later (http://www.gnu.org/licenses/agpl).
 
 {
@@ -21,6 +21,7 @@
     "data": [
         "data/ir_config_parameter.xml",
         "security/ir.model.access.csv",
+        "templates/webclient.xml",
         "views/auth_saml.xml",
         "views/res_config_settings.xml",
         "views/res_users.xml",

auth_saml/controllers/main.py

@@ -7,6 +7,7 @@
 import logging
 
 import werkzeug.utils
+from saml2.validate import ResponseLifetimeExceed
 from werkzeug.exceptions import BadRequest
 from werkzeug.urls import url_quote_plus
 
@@ -54,6 +55,18 @@ def wrapper(self, **kw):
     return wrapper
 
 
+def _error_message(error: str) -> str | None:
+    if error == "no-signup":
+        return _("Sign up is not allowed on this database.")
+    if error == "access-denied":
+        return _("Access Denied")
+    if error == "response-lifetime-exceed":
+        return _("Response Lifetime Exceeded")
+    if error == "expired":
+        return _("You do not have access to this database. Please contact support.")
+    return None
+
+
 # ----------------------------------------------------------
 # Controller
 # ----------------------------------------------------------
@@ -131,19 +144,7 @@ def web_login(self, *args, **kw):
 
         response = super().web_login(*args, **kw)
         if response.is_qweb:
-            error = request.params.get("saml_error")
-            if error == "no-signup":
-                error = _("Sign up is not allowed on this database.")
-            elif error == "access-denied":
-                error = _("Access Denied")
-            elif error == "expired":
-                error = _(
-                    "You do not have access to this database. Please contact"
-                    " support."
-                )
-            else:
-                error = None
-
+            error = _error_message(request.params.get("saml_error"))
             response.qcontext["saml_providers"] = providers
 
             if error:
@@ -173,6 +174,17 @@ def _get_saml_extra_relaystate(self):
         }
         return state
 
+    def _get_saml_error_url(self, saml_error: str) -> str:
+        """Return the URL of the SAML error page.
+        This module provides a configuration option to use another page.
+        """
+        base = (
+            request.env["ir.config_parameter"]
+            .sudo()
+            .get_param("auth_saml.saml_error_page", "/web/login")
+        )
+        return f"{base}?saml_error={saml_error}"
+
     @http.route("/auth_saml/get_auth_request", type="http", auth="none")
     def get_auth_request(self, pid):
         provider_id = int(pid)
@@ -251,15 +263,17 @@ def signin(self, **kw):
             # user could be on a temporary session
             _logger.info("SAML2: access denied")
 
-            url = "/web/login?saml_error=expired"
-            redirect = werkzeug.utils.redirect(url, 303)
+            redirect = werkzeug.utils.redirect(self._get_saml_error_url("expired"), 303)
             redirect.autocorrect_location_header = False
             return redirect
+        except ResponseLifetimeExceed as e:
+            _logger.debug("Response Lifetime Exceed - %s", str(e))
+            url = self._get_saml_error_url("response-lifetime-exceed")
 
         except Exception as e:
             # signup error
             _logger.exception("SAML2: failure - %s", str(e))
-            url = "/web/login?saml_error=access-denied"
+            url = self._get_saml_error_url("access-denied")
 
         redirect = request.redirect(url, 303)
         redirect.autocorrect_location_header = False
@@ -291,3 +305,15 @@ def saml_metadata(self, **kw):
                 ),
                 [("Content-Type", "text/xml")],
             )
+
+    @http.route("/web/login/saml_error", type="http", auth="none", csrf=False)
+    def saml_error(self, redirect=None, **kw):
+        saml_error = request.params.get("saml_error")
+        error = _error_message(saml_error)
+        if not error:
+            return request.redirect(redirect or "/")
+        response = request.render("auth_saml.login_error", {"error": error})
+        response.headers["Cache-Control"] = "no-cache"
+        response.headers["X-Frame-Options"] = "SAMEORIGIN"
+        response.headers["Content-Security-Policy"] = "frame-ancestors 'self'"
+        return response

auth_saml/data/ir_config_parameter.xml

@@ -4,4 +4,8 @@
         <field name="key">auth_saml.allow_saml_uid_and_internal_password</field>
         <field name="value">True</field>
     </record>
+    <record id="saml_error_page_config_parameter" model="ir.config_parameter">
+        <field name="key">auth_saml.saml_error_page</field>
+        <field name="value">/web/login</field>
+    </record>
 </odoo>

auth_saml/models/res_config_settings.py

@@ -9,7 +9,14 @@
 class ResConfigSettings(models.TransientModel):
     _inherit = "res.config.settings"
 
+    module_auth_saml = fields.Boolean("SAML Authentication")
     allow_saml_uid_and_internal_password = fields.Boolean(
         "Allow SAML users to possess an Odoo password (warning: decreases security)",
         config_parameter=ALLOW_SAML_UID_AND_PASSWORD,
     )
+    saml_error_page = fields.Selection(
+        [("/web/login", "Login Page"), ("/web/login/saml_error", "Error Page")],
+        "SAML Error Page",
+        config_parameter="auth_saml.saml_error_page",
+        required=True,
+    )

auth_saml/readme/CONFIGURE.md

@@ -15,6 +15,11 @@ automatic redirection in the provider settings. The autoredirection will
 only be done on the active provider with the highest priority. It is
 still possible to access the login without redirection by using the
 query parameter `disable_autoredirect`, as in
-`https://example.com/web/login?disable_autoredirect=` The login is also
+`https://example.com/web/login?disable_autoredirect=`.
+
+The login is also
 displayed if there is an error with SAML login, in order to display any
 error message.
+There is an option to use a page that only displays the error message
+in a separate page instead of the login form.
+This is useful when displaying the login form is not desired.

auth_saml/readme/newsfragments/+optional-split-error-page.feature

@@ -0,0 +1 @@
+Add an option to use another page for displaying SAML error.

auth_saml/templates/webclient.xml

@@ -0,0 +1,43 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<odoo>
+    <template id="auth_saml.login_error" name="SAML Login Error">
+        <t t-call="web.layout">
+            <t t-set="head">
+                <t t-call-assets="web.assets_frontend" t-js="false" />
+            </t>
+            <t t-set="body_classname" t-value="'bg-100'" />
+
+            <div class="container py-5">
+                <div
+                    t-attf-class="card border-0 mx-auto bg-100 {{login_card_classes}} o_database_list"
+                    style="max-width: 300px;"
+                >
+                    <div class="card-body">
+                        <div
+                            t-attf-class="text-center pb-3 border-bottom {{'mb-3' if form_small else 'mb-4'}}"
+                        >
+                            <img
+                                t-attf-src="/web/binary/company_logo{{ '?dbname='+db if db else '' }}"
+                                alt="Logo"
+                                style="max-height:120px; max-width: 100%; width:auto"
+                            />
+                        </div>
+                        <div class="oe_login_form">
+                            <p class="alert alert-danger" role="alert">
+                                <t t-out="error" />
+                            </p>
+                            <div
+                                t-attf-class="clearfix oe_login_buttons text-center mb-1 {{'pt-2' if form_small else 'pt-3'}}"
+                            >
+                                <a
+                                    class="btn btn-primary btn-block"
+                                    href="/web/login"
+                                >Log in</a>
+                            </div>
+                        </div>
+                    </div>
+                    </div>
+                </div>
+        </t>
+    </template>
+</odoo>

auth_saml/views/res_config_settings.xml

@@ -7,12 +7,35 @@
         <field name="inherit_id" ref="base.res_config_settings_view_form" />
         <field name="arch" type="xml">
             <xpath expr="//block[@name='integration']" position="inside">
-                <setting
-                    string="SAML"
-                    help="Allow SAML users to possess an Odoo password (warning: decreases security)"
-                    id="module_auth_saml"
-                >
-                    <field name="allow_saml_uid_and_internal_password" />
+                <setting string="SAML Authentication" id="module_auth_saml">
+                    <field name="module_auth_saml" />
+                    <div class="content-group" invisible="not module_auth_saml">
+                        <div class="content-group mt16">
+                            <div
+                                class="alert-danger"
+                                invisible="not allow_saml_uid_and_internal_password"
+                            >Allowing users with SAML to have a password decreases security!</div>
+                            <field name="allow_saml_uid_and_internal_password" />
+                            <label
+                                for="allow_saml_uid_and_internal_password"
+                                class="o_light_label mr8"
+                                string="Allow SAML users to possess an Odoo password"
+                            />
+                        </div>
+                        <div class="content-group mt16">
+                            <label for="saml_error_page" class="o_light_label mr8" />
+                            <field name="saml_error_page" />
+                        </div>
+                        <div class="content-group mt16">
+                            <button
+                                type="action"
+                                name="%(auth_saml.action_saml_provider)d"
+                                string="SAML Providers"
+                                icon="oi-arrow-right"
+                                class="btn-link"
+                            />
+                        </div>
+                    </div>
                 </setting>
             </xpath>
         </field>