
Redirect loop instead of error message when using external identity provider

Open mvarblow opened this issue 1 month ago • 4 comments

Describe the bug

If you enable an external identity provider such as Microsoft Entra ID and then configure the user settings to disable local sign-in and user registration, then users who have not been provisioned will not receive the "Site does not allow user registration" error as expected. Instead, they end up in an infinite redirect loop.

To Reproduce

Steps to reproduce the behavior:

  1. Start an Orchard Core site and enable the Microsoft Entra ID Authentication feature - see https://docs.orchardcore.net/en/latest/guides/microsoft-entra-id-integration/.
  2. Click on Security > Settings > User Login
  3. Check "Use external provider for login". Click Save.
  4. Click on Security > Settings > User Registration and ensure that "Configure users registration" is set to NoRegistration. Click Save.
  5. In a new incognito window, open the site and attempt to access the admin page. You'll be redirected to Microsoft Entra ID to sign in and then sent back to the Orchard Core site. The Orchard Core site will redirect you back to Entra ID. This time you won't be prompted to sign in since you're already signed in; you'll just be redirected back to the Orchard Core site. Orchard Core will redirect you to Entra ID...

Expected behavior

If you look in the Orchard Core log file you'll see a warning: "Site does not allow user registration." This warning will be repeated many times, depending on how long the user allowed the redirect loop to continue as they waited for the page to appear. I would expect that the user should receive an error message similar to what was logged instead of being continuously redirected. If I locate the code in AccountController which is responsible for generating that log entry, it appears that this is what the author of the code also intended, though I think they didn't consider this scenario where the "use external provider for login" option was enabled.


If "use external provider for login" were disabled, then the redirect wouldn't happen. Instead, the user would see the sign-in page with the error message. To fix this, it seems that the AccountController needs to account for this possibility and replace the RedirectToLogin response with a view which can display the error message.

mvarblow avatar May 28 '24 15:05 mvarblow
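To make the two branches of the fix described in the report concrete, the following is an added sketch of an external-login callback in a generic ASP.NET Core Identity application. It is not Orchard Core's AccountController and not code from the issue author. The `LoginSettings` class and its property names, the `IdentityUser` user type, the "OpenIdConnect" scheme name, the action names and the `ExternalLoginFailure` view name are all assumptions made for the example; only the logged warning text comes from the report.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Logging;

// Hypothetical settings object. A real application would load the
// "Use external provider for login" and "Configure users registration"
// values from its own configuration store.
public class LoginSettings
{
    public bool UseExternalProviderForLogin { get; set; }
    public bool RegistrationDisabled { get; set; }
}

public class AccountController : Controller
{
    private readonly SignInManager<IdentityUser> _signInManager;
    private readonly UserManager<IdentityUser> _userManager;
    private readonly LoginSettings _settings;
    private readonly ILogger<AccountController> _logger;

    public AccountController(SignInManager<IdentityUser> signInManager,
                             UserManager<IdentityUser> userManager,
                             LoginSettings settings,
                             ILogger<AccountController> logger)
    {
        _signInManager = signInManager;
        _userManager = userManager;
        _settings = settings;
        _logger = logger;
    }

    [HttpGet]
    [AllowAnonymous]
    public IActionResult Login(string returnUrl = null)
    {
        // Source of the loop: when every login is delegated to the external
        // provider, the local login page never renders a form; it immediately
        // challenges the provider, which sends the browser straight back.
        if (_settings.UseExternalProviderForLogin)
        {
            var redirectUrl = Url.Action(nameof(ExternalLoginCallback), new { returnUrl });
            var properties = _signInManager.ConfigureExternalAuthenticationProperties("OpenIdConnect", redirectUrl);
            return Challenge(properties, "OpenIdConnect");
        }

        return View();
    }

    [HttpGet]
    [AllowAnonymous]
    public async Task<IActionResult> ExternalLoginCallback(string returnUrl = null)
    {
        var info = await _signInManager.GetExternalLoginInfoAsync();
        if (info == null)
        {
            // No external ticket at all: letting the user retry is harmless here.
            return RedirectToAction(nameof(Login));
        }

        var user = await _userManager.FindByLoginAsync(info.LoginProvider, info.ProviderKey);
        if (user != null)
        {
            await _signInManager.SignInAsync(user, isPersistent: false);
            return LocalRedirect(returnUrl ?? "/");
        }

        if (_settings.RegistrationDisabled)
        {
            _logger.LogWarning("Site does not allow user registration.");
            ModelState.AddModelError(string.Empty, "Site does not allow user registration.");

            // Redirecting to Login at this point would re-challenge the provider,
            // which already holds a session for this user, and loop forever.
            // Rendering a view terminates the chain and shows the message.
            return View("ExternalLoginFailure");
        }

        // Registration is allowed: hand off to the provisioning flow (not shown).
        return RedirectToAction("Register");
    }
}
```

The important distinction is between the `info == null` case, where a redirect to `Login` is a genuine retry, and the unprovisioned-user case with registration disabled, where any redirect to `Login` under "use external provider for login" is guaranteed to bounce back through the provider. Only the second case needs to end in a rendered view; it is also the branch whose repeated warning in the log is the symptom the report describes.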