0
votes

I'm using python-social-auth to allow users to login via SAML; everything's working correctly, except for the fact that if a logged-in user opens the SAML login page and logs in again as a different user, they'll get an association with both of the SAML users, rather than switch login.

I understand the purpose behind this (since it's what you can normally do to associate the user with different auth services), but in this case I need to enforce a single association (i.e. if you're logged in with a given SAML IdP, you cannot add another association for the same user with the same provider).

Is there any python-social-auth solution for this, or should I cobble together something (for instance, preventing logged-in users from accessing the login page)?

1 Answer

0
votes

There's no standard way to do it in python-social-auth; there are a few alternatives:

  • Override the login page and, if there's a user authenticated, log them out first, or show an error, whatever fits your project.

  • Add a pipeline function and set it at the top of the pipeline; it will act if user is not None (you can raise an error, log out the user, etc.).

  • Override the backend and extend the auth_allowed method in it to return False if there's a valid user instance at self.strategy.request.user. This will halt the auth flow and AuthForbidden will be raised.
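The answer's second option, a pipeline step, as an added example; this is not code from the question, the answer, or python-social-auth itself. It assumes a Django project using social_django, that the step is placed right after social_core.pipeline.social_auth.social_uid (so uid is known), and that the storage layer exposes get_social_auth_for_user; the module path myproject.pipeline is hypothetical and the strategy, storage and backend stand-ins at the bottom are constructed only so the file runs offline.

```python
"""Pipeline step: refuse to link a second identity from the same provider
to a user who is already logged in (added example, not library code).

Assumed settings entry (myproject.pipeline is a hypothetical module path):

    SOCIAL_AUTH_PIPELINE = (
        'social_core.pipeline.social_auth.social_details',
        'social_core.pipeline.social_auth.social_uid',
        'myproject.pipeline.enforce_single_association',
        'social_core.pipeline.social_auth.auth_allowed',
        'social_core.pipeline.social_auth.social_user',
        # ... the rest of the default pipeline
    )
"""
try:
    from social_core.exceptions import AuthAlreadyAssociated
except ImportError:  # keep the example runnable without python-social-auth installed
    class AuthAlreadyAssociated(Exception):
        """Stand-in mirroring the real (backend, *args) constructor."""
        def __init__(self, backend, *args):
            super().__init__(*args)
            self.backend = backend


def enforce_single_association(backend, strategy, uid=None, user=None, *args, **kwargs):
    """Halt the flow if `user` already has a different `backend.name` identity.

    python-social-auth passes `user` as the currently authenticated user, or
    None for an anonymous visitor; `uid` is the identity the IdP just asserted
    (for SAML: "<idp_name>:<name_id>").
    """
    if user is None:
        return None  # ordinary login by an anonymous visitor: nothing to enforce
    if uid is None:
        raise RuntimeError("place this step after social_uid so that uid is available")
    linked = list(strategy.storage.user.get_social_auth_for_user(user, provider=backend.name))
    if not linked or any(social.uid == uid for social in linked):
        return None  # first link with this provider, or re-login as the same identity
    # A different identity from the same provider: refuse instead of associating it.
    raise AuthAlreadyAssociated(
        backend, f"account is already linked to another {backend.name} identity"
    )


# --- constructed stand-ins so the example runs offline (not social_django classes) ---
class _Social:
    def __init__(self, provider, uid):
        self.provider, self.uid = provider, uid


class _UserStorage:
    """Mimics storage.user.get_social_auth_for_user() over an in-memory table."""
    def __init__(self, table):
        self.table = table  # {user: [_Social, ...]}

    def get_social_auth_for_user(self, user, provider=None, id=None):
        rows = self.table.get(user, [])
        return [s for s in rows if provider is None or s.provider == provider]


class _Storage:
    def __init__(self, table):
        self.user = _UserStorage(table)


class _Strategy:
    def __init__(self, table):
        self.storage = _Storage(table)


class _Backend:
    name = "saml"


def demo():
    """Run the cases from the question; returns each case's outcome."""
    strategy = _Strategy({"alice": [_Social("saml", "corp-idp:alice")]})  # constructed data
    backend = _Backend()
    outcomes = {}
    for label, user, uid in (
        ("anonymous", None, "corp-idp:bob"),          # plain login, allowed
        ("same_identity", "alice", "corp-idp:alice"),  # re-login as self, allowed
        ("second_identity", "alice", "corp-idp:bob"),  # the question's case, refused
    ):
        try:
            enforce_single_association(backend, strategy, uid=uid, user=user)
            outcomes[label] = "allowed"
        except AuthAlreadyAssociated:
            outcomes[label] = "refused"
    return outcomes


if __name__ == "__main__":
    print(demo())  # {'anonymous': 'allowed', 'same_identity': 'allowed', 'second_identity': 'refused'}
```

Raising AuthAlreadyAssociated (rather than AuthForbidden) keeps the error consistent with what social_user already raises when an identity belongs to another account, so the project's existing error handling for that exception applies to this case as well.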