fix: skip hinted login if pipeline already running

jono-booth · jono-booth · commit b6037bac4c24 · 2026-03-10T13:38:14.000+02:00
diff --git a/openedx/core/djangoapps/user_authn/views/login_form.py b/openedx/core/djangoapps/user_authn/views/login_form.py
@@ -160,6 +160,14 @@ def login_and_registration_form(request, initial_mode="login"):
     # Retrieve the form descriptions from the user API
     form_descriptions = _get_form_descriptions(request)
 
+    # Detect a running TPA pipeline early so it can guard against redirect loops below.
+    saml_provider = False
+    running_pipeline = pipeline.get(request)
+    if running_pipeline:
+        saml_provider, __ = third_party_auth.utils.is_saml_provider(
+            running_pipeline.get('backend'), running_pipeline.get('kwargs')
+        )
+
     # Our ?next= URL may itself contain a parameter 'tpa_hint=x' that we need to check.
     # If present, we display a login page focused on third-party auth with that provider.
     third_party_auth_hint = None
@@ -171,9 +179,10 @@ def login_and_registration_form(request, initial_mode="login"):
                 provider_id = next_args['tpa_hint'][0]
                 tpa_hint_provider = third_party_auth.provider.Registry.get(provider_id=provider_id)
                 if tpa_hint_provider:
-                    if tpa_hint_provider.skip_hinted_login_dialog:
+                    if tpa_hint_provider.skip_hinted_login_dialog and not running_pipeline:
                         # Forward the user directly to the provider's login URL when the provider is configured
-                        # to skip the dialog.
+                        # to skip the dialog. Do not redirect if a TPA pipeline is already running, as that
+                        # would cause an infinite loop (e.g. new SAML users dispatched back to /login).
                         if initial_mode == "register":
                             auth_entry = pipeline.AUTH_ENTRY_REGISTER
                         else:
@@ -193,12 +202,6 @@ def login_and_registration_form(request, initial_mode="login"):
     #   tpa_hint_provider is not available
     # AND
     #   user is not coming from a SAML IDP.
-    saml_provider = False
-    running_pipeline = pipeline.get(request)
-    if running_pipeline:
-        saml_provider, __ = third_party_auth.utils.is_saml_provider(
-            running_pipeline.get('backend'), running_pipeline.get('kwargs')
-        )
 
     enterprise_customer = enterprise_customer_for_request(request)
 
