Skip to content

flows: redirect to next when accessing an unapplicable authentication flow while already authenticated (cherry-pick #17243 to version-2025.8) #17266

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
wants to merge 1 commit into
base: version-2025.8
Choose a base branch
from
Draft

flows: redirect to next when accessing an unapplicable authentication flow while already authenticated (cherry-pick #17243 to version-2025.8) #17266

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
20 changes: 20 additions & 0 deletions authentik/flows/tests/test_executor.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,7 @@
from authentik.core.tests.utils import create_test_flow, create_test_user
from authentik.flows.markers import ReevaluateMarker, StageMarker
from authentik.flows.models import (
FlowAuthenticationRequirement,
FlowDeniedAction,
FlowDesignation,
FlowStageBinding,
Expand Down Expand Up @@ -177,6 +178,25 @@ def test_valid_flow_redirect(self):
self.assertEqual(response.status_code, 302)
self.assertEqual(response.url, "/unique-string")

@patch(
"authentik.flows.views.executor.to_stage_response",
TO_STAGE_RESPONSE_MOCK,
)
def test_valid_flow_redirect_authenticated(self):
"""Test valid flow with valid redirect destination, authenticated already"""
flow = create_test_flow()
flow.designation = FlowDesignation.AUTHENTICATION
flow.authentication = FlowAuthenticationRequirement.REQUIRE_UNAUTHENTICATED
flow.save()
self.client.force_login(create_test_user())

dest = "/unique-string"
url = reverse("authentik_api:flow-executor", kwargs={"flow_slug": flow.slug})

response = self.client.get(url + f"?{QS_QUERY}={urlencode({NEXT_ARG_NAME: dest})}")
self.assertEqual(response.status_code, 302)
self.assertEqual(response.url, "/unique-string")

@patch(
"authentik.flows.views.executor.to_stage_response",
TO_STAGE_RESPONSE_MOCK,
Expand Down
7 changes: 7 additions & 0 deletions authentik/flows/views/executor.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -184,6 +184,13 @@ def dispatch(self, request: HttpRequest, flow_slug: str) -> HttpResponse:
try:
self.plan = self._initiate_plan()
except FlowNonApplicableException as exc:
# If we're this flow is for authentication and the user is already authenticated
# continue to the next URL
if (
self.flow.designation == FlowDesignation.AUTHENTICATION
and self.request.user.is_authenticated
):
return self._flow_done()
self._logger.warning("f(exec): Flow not applicable to current user", exc=exc)
return self.handle_invalid_flow(exc)
except EmptyFlowException as exc:
Expand Down
Loading