Closed
Describe the bug
With an expression policy in place to allow only certain Google users to log in, it now shows the message `UserSourceConnection has no user.` (regardless of whether it passes/fails the policy) due to failing to run a policy which worked fine in 2024.2.3.
To Reproduce
Steps to reproduce the behavior:
- Add Google as social login according to docs: https://docs.goauthentik.io/integrations/sources/google/
- Create an expression policy with the following expression:

google-email-expression

```python
if context["source"].provider_type != "google":
    return True
email = request.context["prompt_data"]["email"]
# Direct set username to email
request.context["prompt_data"]["username"] = email
# Set username to email without domain
request.context["prompt_data"]["username"] = email.split("@")[0]
accepted_users = ["user1@gmail.com","user2@gmail.com"]
# Match username
user_matched = any(user == email for user in accepted_users)
if not user_matched:
    ak_message("You are not allowed to log in. This attempt has been logged.")
return user_matched
```

- Add the above policy to the default-source-enrollment.
- Try to login with Google as user1@gmail.com (allowed according to policy)
- Try to login with Google as user3@gmail.com (not allowed according to policy)
Expected behavior
Same behaviour as 2024.2.3, account is either created for allowed users passing the policy, or the message is displayed that the user is not allowed.
Screenshots
See above.
Logs
{
"auth_via": "unauthenticated",
"domain_url": "auth.example.com",
"event": "Policy failed to run",
"exc": "Traceback (most recent call last):\n File \"/authentik/policies/process.py\", line 144, in run\n self.connection.send(self.profiling_wrapper())\n ^^^^^^^^^^^^^^^^^^^^^^^^\n File \"/authentik/policies/process.py\", line 139, in profiling_wrapper\n return self.execute()\n ^^^^^^^^^^^^^^\n File \"/authentik/policies/process.py\", line 90, in execute\n self.create_event(\n File \"/authentik/policies/process.py\", line 60, in create_event\n event = Event.new(\n ^^^^^^^^^^\n File \"/authentik/events/models.py\", line 218, in new\n cleaned_kwargs = cleanse_dict(sanitize_dict(kwargs))\n^^^^^^^^^^^^^^^^^^^^^\nFile\"/authentik/events/utils.py\", line 191, in sanitize_dict\n new_value = sanitize_item(value)\n ^^^^^^^^^^^^^^^^^^^^\n File \"/authentik/events/utils.py\", line 114, in sanitize_item\n return sanitize_dict(value)\n ^^^^^^^^^^^^^^^^^^^^\n File \"/authentik/events/utils.py\", line 191, in sanitize_dict\n new_value = sanitize_item(value)\n ^^^^^^^^^^^^^^^^^^^^\n File \"/authentik/events/utils.py\", line 114, in sanitize_item\n return sanitize_dict(value)\n ^^^^^^^^^^^^^^^^^^^^\n File \"/authentik/events/utils.py\", line 191, in sanitize_dict\n new_value = sanitize_item(value)\n ^^^^^^^^^^^^^^^^^^^^\n File \"/authentik/events/utils.py\", line 127, in sanitize_item\n return sanitize_dict(model_to_dict(value))\n ^^^^^^^^^^^^^^^^^^^^\n File \"/authentik/events/utils.py\", line 66, in model_to_dict\n name = str(model)\n ^^^^^^^^^^\n File \"/authentik/core/models.py\", line 635, in __str__\n return f\"User-source connection (user={self.user.username}, source={self.source.slug})\"\n ^^^^^^^^^\n File \"/ak-root/venv/lib/python3.12/site-packages/django/db/models/fields/related_descriptors.py\", line 264, in __get__\n raise self.RelatedObjectDoesNotExist(\nauthentik.core.models.RelatedObjectDoesNotExist: UserSourceConnection has no user.",
"host": "auth.example.com",
"level": "warning",
"logger": "authentik.policies.process",
"pid": 88,
"request_id": "e20f015d8b0a4447887685e1ebd7720e",
"schema_name": "public",
"timestamp": "2024-04-26T21:34:05.375936"
}
Version and Deployment (please complete the following information):
- authentik version: 2024.4.0, 2024.4.1.
- Deployment: docker compose v2.26.1
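
The traceback above ends in a `__str__` that dereferences an unset `user` relation while the policy process is serializing its context into an event, so the run is reported as "Policy failed to run" whatever the expression itself returned. The sketch below reproduces that failure mode with stand-in classes and shows a serializer that tolerates it; it is an added example, not authentik's code or its fix, and `Connection`, `sanitize` and `run_policy` are hypothetical names.

```python
class RelatedObjectDoesNotExist(Exception):
    """Stand-in for the Django exception raised when a required relation is unset."""


class Connection:
    """Hypothetical model: exists during enrollment before any user is attached."""

    def __init__(self, source_slug, user=None):
        self.source_slug, self._user = source_slug, user

    @property
    def user(self):
        if self._user is None:
            raise RelatedObjectDoesNotExist("Connection has no user.")
        return self._user

    def __str__(self):
        # Same pattern as the __str__ in the traceback: assumes the relation is set.
        return f"connection (user={self.user}, source={self.source_slug})"


def sanitize(value, tolerant=False):
    """Recursively turn a context dict into loggable values via str()."""
    if isinstance(value, dict):
        return {k: sanitize(v, tolerant) for k, v in value.items()}
    if value is None or isinstance(value, (str, int, float, bool)):
        return value
    try:
        return str(value)
    except Exception as exc:
        if not tolerant:
            raise  # naive behaviour: a broken __str__ aborts the caller
        return f"<{type(value).__name__} unprintable: {type(exc).__name__}>"


def run_policy(email, allowed, tolerant):
    """Evaluate an allow-list, then log the context as a policy process would."""
    # Constructed context: a source connection that has no user yet.
    context = {"prompt_data": {"email": email}, "connection": Connection("google")}
    passing = email in allowed
    try:
        event = sanitize({"context": context, "passing": passing}, tolerant)
    except RelatedObjectDoesNotExist as exc:
        return f"policy failed to run: {exc}"
    return "allowed" if event["passing"] else "denied"


if __name__ == "__main__":
    for tolerant in (False, True):
        for email in ("user1@gmail.com", "user3@gmail.com"):
            print(tolerant, email, run_policy(email, ["user1@gmail.com"], tolerant))
```

With the naive serializer both the allowed and the denied address end in the same error, which matches the symptom reported here; with the tolerant one the allow-list result is what the caller sees.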