feat: users can use helsinki_tunnus heltunnistussuomifi simultaneously
It was not possible for a linked keycloak account (i.e. an account
which can use weak or strong authentication) to log into Helsinki
profile.

Refs: HP-2219
charn committed Feb 23, 2024
1 parent 404d2bc commit c855c87
Showing 1 changed file with 16 additions and 8 deletions.
24 changes: 16 additions & 8 deletions users/pipeline.py
Expand Up @@ -192,14 +192,22 @@ def check_existing_social_associations(backend, strategy, user=None, social=None

logger.debug(f"social does not exist; providers: {providers}")

# This is an exception to the only-one-social-auth -rule because we want to
# allow the user to use both on-prem AD and Azure AD simultaneously.
if (
(backend.name == 'helsinkiazuread' and 'helsinki_adfs' in providers) or
(backend.name == 'helsinki_adfs' and 'helsinkiazuread' in providers)
):
logger.debug('User is an AD user. Ok to have both on-prem AD and Azure AD in social auth.')
return
# These are an exception to the only-one-social-auth -rule because we want to
# allow the user to use these provider pairs simultaneously.
allowed_exceptions = (
("helsinkiazuread", "helsinki_adfs"),
("helsinki_tunnus", "heltunnistussuomifi"),
)
for pair in allowed_exceptions:
if (
(backend.name == pair[0] and pair[1] in providers) or
(backend.name == pair[1] and pair[0] in providers)
):
logger.debug(
f"User is a {pair[0]} user. Ok to have {pair[0]} "
f"and {pair[1]} as providers in social auth."
)
return

if backend.name not in providers:
# Disallow attaching a different social auth backend to an existing user and
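Review bot: the early `return` inside the new `for pair in allowed_exceptions:` loop bypasses the "Disallow attaching a different social auth backend to an existing user" check that follows, so the comment above `allowed_exceptions` should say why each pair is safe to treat as one identity. The removed comment did this for on-prem AD and Azure AD; the new one only says "these provider pairs", and the reason for `helsinki_tunnus` / `heltunnistussuomifi` (a linked Keycloak account using weak or strong authentication) is only in the commit message. Please carry that into the code comment, since every future entry in this tuple widens who can attach a second backend to an existing user. The debug message is also misleading when the second branch matches: with `backend.name == pair[1]` it still logs `User is a {pair[0]} user`. Logging `backend.name` and the matched provider would keep the audit trail accurate. Since the match is symmetric, comparing against unordered pairs would remove the duplicated condition. The visible change touches only `users/pipeline.py`; a test that exercises the new pair in both directions, plus one that confirms an unlisted combination is still rejected, would guard against the exception list becoming broader than intended.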