SAML and OAUTH federated logins not working on 24.6.0

[mccullerlp]

Describe the bug

After my update to 24.6.0, I have an OAuth connection to CILogon.org that will now no longer bind to users. I also have a SAML source that throws exceptions related to caching and pickling.

Interestingly, these exceptions are only exposed to the log in 24.4.2. After the update to 24.6.0, you can find the exceptions in the docker logs, but the traceback is not in the web UI log.

To Reproduce

Have previously working SAML and OAuth logins that can be connected to accounts. Update to 24.6.0 - now the SAML throws exceptions and neither successfully create a connection.

When using the "connected services page" The OAuth or SAML reports success as a notification and in the log, but then is not attached.

Logs
This is the debug log using the SAML source from the login page on 24.6.0:

server-1 | {"auth_via": "unauthenticated", "domain_url": "users.xxxxxxxxxx.com", "event": "sending event to sentry", "exc": "TypeError("cannot pickle 'RestrictedElement' object")", "host": "users.xxxxxxxxxxx.com", "level": "debug", "logger": "authentik.lib.sentry", "pid": 25812, "request_id": "d9339c3b96c64326b493f2b7ace68500", "schema_name": "public", "source_logger": null, "timestamp": "2024-06-27T17:35:28.957618"}

If I instead try from my admit account to connect to my SAML source user, I get a log entry that the source was connected, but the connected services page does not reflect this and the login will not work for the account.

This stack trace is from 24.4.2. 24.6.0 only shows the last line in the docker logs.

Stacktrace from authentik

Traceback (most recent call last):
  File "/ak-root/venv/lib/python3.12/site-packages/asgiref/sync.py", line 518, in thread_handler
    raise exc_info[1]
  File "/ak-root/venv/lib/python3.12/site-packages/django/core/handlers/base.py", line 253, in _get_response_async
    response = await wrapped_callback(
               ^^^^^^^^^^^^^^^^^^^^^^^
  File "/ak-root/venv/lib/python3.12/site-packages/asgiref/sync.py", line 468, in __call__
    ret = await asyncio.shield(exec_coro)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/ak-root/venv/lib/python3.12/site-packages/asgiref/current_thread_executor.py", line 40, in run
    result = self.fn(*self.args, **self.kwargs)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/ak-root/venv/lib/python3.12/site-packages/asgiref/sync.py", line 522, in thread_handler
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
  File "/ak-root/venv/lib/python3.12/site-packages/sentry_sdk/integrations/django/views.py", line 84, in sentry_wrapped_callback
    return callback(request, *args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/ak-root/venv/lib/python3.12/site-packages/django/views/generic/base.py", line 104, in view
    return self.dispatch(request, *args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/ak-root/venv/lib/python3.12/site-packages/django/utils/decorators.py", line 48, in _wrapper
    return bound_method(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/ak-root/venv/lib/python3.12/site-packages/django/views/decorators/csrf.py", line 65, in _view_wrapper
    return view_func(request, *args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/ak-root/venv/lib/python3.12/site-packages/django/views/generic/base.py", line 143, in dispatch
    return handler(request, *args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/authentik/sources/saml/views.py", line 165, in post
    return processor.prepare_flow_manager().get_flow()
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/authentik/core/sources/flow_manager.py", line 180, in get_flow
    return self.handle_auth(connection)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/authentik/core/sources/flow_manager.py", line 288, in handle_auth
    return self._prepare_flow(
           ^^^^^^^^^^^^^^^^^^^
  File "/authentik/core/sources/flow_manager.py", line 269, in _prepare_flow
    plan = planner.plan(self.request, kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/authentik/flows/planner.py", line 206, in plan
    cache.set(cache_key(self.flow, user), plan, CACHE_TIMEOUT)
  File "/ak-root/venv/lib/python3.12/site-packages/django_redis/cache.py", line 29, in _decorator
    return method(self, *args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/ak-root/venv/lib/python3.12/site-packages/django_redis/cache.py", line 81, in set
    return self.client.set(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/ak-root/venv/lib/python3.12/site-packages/django_redis/client/default.py", line 143, in set
    nvalue = self.encode(value)
             ^^^^^^^^^^^^^^^^^^
  File "/ak-root/venv/lib/python3.12/site-packages/django_redis/client/default.py", line 461, in encode
    value = self._serializer.dumps(value)
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/ak-root/venv/lib/python3.12/site-packages/django_redis/serializers/pickle.py", line 29, in dumps
    return pickle.dumps(value, self._pickle_version)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
builtins.TypeError: cannot pickle 'RestrictedElement' object

Version and Deployment (please complete the following information):

• authentik version: 2024.4.2
• Deployment: [e.g. docker-compose, helm]

Additional context
Add any other context about the problem here.

[mccullerlp]

I think I see where this issue might be arising.

authentik/authentik/core/sources/flow_manager.py

Line 102 in 361765c

new_connection = self.update_connection(new_connection, **kwargs)

There used to be

            new_connection = self.update_connection(new_connection, **kwargs)
            new_connection.save()
            return Action.LINK, new_connection

this also occurs on line 149.

and now the new_connection.save() call is missing in newer versions. Was it factored into update_connection only for certain sources?

[mccullerlp]

I can now confirm that adding these lines back in has fixed the issue for me.

[mccullerlp]

I've found the source of the pickling error.

authentik/authentik/sources/saml/processors/response.py

Line 243 in 496f342

flow_manager.policy_context["saml_response"] = self._root

This line could become

        flow_manager.policy_context["saml_response"] = tostring(self._root)    

I don't see anywhere in the code that a "saml_response" context is accessed, so this is a future-compatible method to 'pre-serialize' back into XML form.

With these fixes, both SAML and OAuth are working as expected now.

I'll try to make this into a PR when I have the time. The SAML source is also much more useful if some of the abstracted response entry names are mapped back into semantic names. Here is some code that is doing that well for me, that I will also include in the PR. In particular, this gets the email out of a university Shibboleth implementation, allowing a mapping into my Authentik instance. (Sorry about the line numbers)

    def prepare_flow_manager(self) -> SourceFlowManager:
        """Prepare flow plan depending on whether or not the user exists"""
        name_id = self._get_name_id()
        # Sanity check, show a warning if NameIDPolicy doesn't match what we go
        if self._source.name_id_policy != name_id.attrib["Format"]:
            LOGGER.warning(
                "NameID from IdP doesn't match our policy",
                expected=self._source.name_id_policy,
                got=name_id.attrib["Format"],
            )
        # transient NameIDs are handled separately as they don't have to go through flows.
        if name_id.attrib["Format"] == SAML_NAME_ID_FORMAT_TRANSIENT:
            return self._handle_name_id_transient()

        attr_values = delete_none_values(self.get_attributes())
        # mapping of SAML abstracted oids into semantic names. This should probably be factored into constants.py
        attr_map = {
            'urn:oid:0.9.2342.19200300.100.1.3' : 'email',
            'urn:oid:2.5.4.42': 'firstname',
            'urn:oid:2.5.4.4': 'lastname',
            'urn:oid:2.16.840.1.113730.3.1.241' : 'displayname'
        }
        # expand the map
        for k, v in list(attr_values.items()):
            m = attr_map.get(k, None)
            if m is not None:
                attr_values[m] = v
        #print("saml name: ", attr_values)
        flow_manager = SAMLSourceFlowManager(
            self._source,
            self._http_request,
            name_id.text,
            attr_values,
        )
        flow_manager.policy_context["saml_response"] = tostring(self._root)
        return flow_manager

[BeryJu]

So the pickle error shouldn't happen anymore in 2024.6 since the cause of it was caching the planned flow, which is disabled here: 833c66a

It would probably still be safer to wrap saml_response back into a string, but to a degree that makes it harder to do anything with (and yes, it was indeed added as an object that can be used in policies, authentik doesn't use it itself by default)

---

The link not being saved is an actual bug, we've changed the saving behaviour to only save the connection through a dynamic stage injected into the flow, but of course when initiating the link from the user settings there isn't a flow where that stage can run

---

For mapping SAML source data, this will be much easier with #8771

[mccullerlp]

I was still getting a pickling error in 2024.6 even with that caching disabled from 833c66a. I checked and my copy did have those lines disabling the caching.

I think there is some other point where it is caching or passing flow details to a worker or logging system. I couldn't get a backtrace to determine what was triggering the pickle on 2024.6 though.