🐛(oidc) fix session persistence with Redis backend for OIDC flows

gigi206 · gigi206 · commit f8092b5d1404 · 2025-10-09T11:56:30.000+02:00
diff --git a/src/lasuite/oidc_login/views.py b/src/lasuite/oidc_login/views.py
@@ -47,6 +47,9 @@ def persist_state(request, state):
             request.session["oidc_states"] = {}
 
         request.session["oidc_states"][state] = {}
+
+        # Force immediate session save for cache-based backends
+        request.session.modified = True
         request.session.save()
 
     def construct_oidc_logout_url(self, request):
@@ -102,6 +105,12 @@ def post(self, request):
         # If the user is not redirected to the OIDC provider, ensure logout
         if logout_url == self.redirect_url:
             auth.logout(request)
+        else:
+            # Force final session save before redirect to SSO
+            # This ensures the logout state generated in construct_oidc_logout_url()
+            # is persisted in Redis before the browser redirects
+            request.session.modified = True
+            request.session.save()
 
         return HttpResponseRedirect(logout_url)
 
@@ -131,52 +140,123 @@ def get(self, request):
 
         state = request.GET.get("state")
 
+        # Handle requests without state parameter
+        # Some SSO providers send a preflight request without state before the actual callback
+        # We should not raise an error in this case, just redirect gracefully
+        if not state:
+            return HttpResponseRedirect(self.redirect_url)
+
         if state not in request.session.get("oidc_states", {}):
             msg = "OIDC callback state not found in session `oidc_states`!"
             raise SuspiciousOperation(msg)
 
+        # Clean up the state from session
         del request.session["oidc_states"][state]
         request.session.save()
 
+        # Perform Django logout
         auth.logout(request)
 
         return HttpResponseRedirect(self.redirect_url)
 
 
 class OIDCAuthenticationCallbackView(MozillaOIDCAuthenticationCallbackView):
-    """Custom callback view for handling the silent login flow."""
+    """
+    Custom callback view for handling the silent login flow.
+
+    This view extends mozilla-django-oidc to properly handle silent login failures
+    without deleting OIDC states that might be needed by concurrent requests.
+    """
+
+    def get(self, request):
+        """
+        Override callback to handle silent login failures gracefully.
+
+        When silent login fails (error=login_required), we don't delete the
+        OIDC state because the user might immediately try a normal login.
+        This prevents race conditions between silent and normal login flows.
+        """
+        error = request.GET.get("error")
+        state = request.GET.get("state")
+
+        # Handle silent login failure specifically
+        if error == "login_required" and request.session.get("silent"):
+            # Silent login failed (user not logged in to SSO)
+            # Clean up the 'silent' flag but KEEP the OIDC state
+            # This allows a subsequent normal login to succeed
+            del request.session["silent"]
+            request.session.save()
+            return HttpResponseRedirect(self.success_url)
+
+        # For all other cases (normal login callback, other errors, etc.)
+        # let parent handle it (which will properly validate and clean up state)
+        return super().get(request)
 
     @property
     def failure_url(self):
         """
         Override the failure URL property to handle silent login flow.
 
-        A silent login failure (e.g., no active user session) should not be
-        considered as an authentication failure.
+        A silent login failure (e.g., no active user session) should redirect
+        to success_url (homepage) instead of failure_url, because it's not
+        really a failure - it just means the user needs to log in manually.
         """
         if self.request.session.get("silent", None):
+            # Clean up silent flag
             del self.request.session["silent"]
             self.request.session.save()
+            # Redirect to success URL (homepage) instead of failure page
             return self.success_url
         return super().failure_url
 
 
 class OIDCAuthenticationRequestView(MozillaOIDCAuthenticationRequestView):
-    """Custom authentication view for handling the silent login flow."""
+    """
+    Custom authentication view for handling the silent login flow.
+
+    This view extends mozilla-django-oidc to:
+    1. Support silent login with prompt=none parameter
+    2. Force session save before redirect (critical for Redis backend)
+    """
+
+    def get(self, request):
+        """
+        Override GET to force session save after OIDC state initialization.
+        """
+        # Create session if it doesn't exist (new visitor)
+        if not request.session.session_key:
+            request.session.create()
+
+        # Call parent method which generates OIDC state and stores it in session
+        response = super().get(request)
+
+        # Force immediate session save to Redis before returning redirect response
+        # This ensures the OIDC state is persisted before the browser redirects to SSO
+        if hasattr(request, "session"):
+            request.session.modified = True
+            request.session.save()
+
+        return response
 
     def get_extra_params(self, request):
         """
         Handle 'prompt' extra parameter for the silent login flow.
 
-        This extra parameter is necessary to distinguish between a standard
-        authentication flow and the silent login flow.
+        Silent login allows checking if user has an active SSO session
+        without displaying any UI. This is triggered by ?silent=true in URL.
+
+        If silent=true:
+        - Adds prompt=none to OIDC request (tells SSO to not show login page)
+        - Marks session with 'silent' flag for callback handling
         """
         extra_params = self.get_settings("OIDC_AUTH_REQUEST_EXTRA_PARAMS", None)
         if extra_params is None:
             extra_params = {}
+
+        # Check if this is a silent login attempt
         if request.GET.get("silent", "").lower() == "true":
             extra_params = copy.deepcopy(extra_params)
             extra_params.update({"prompt": "none"})
             request.session["silent"] = True
-            request.session.save()
+
         return extra_params
