diff --git a/lib/galaxy/app.py b/lib/galaxy/app.py
index e7abc7c35ee1..9351167634e0 100644
--- a/lib/galaxy/app.py
+++ b/lib/galaxy/app.py
@@ -709,6 +709,13 @@ def __init__(self, **kwargs) -> None:
             self, self.config.oidc_config_file, self.config.oidc_backends_config_file
         )
 
+        # If there is only a single external authentication provider in use
+        # TODO: Future work will expand on this and provide an interface for
+        # multiple auth providers allowing explicit authenticated association.
+        self.config.fixed_delegated_auth = (
+            len(list(self.config.oidc)) == 1 and len(list(self.auth_manager.authenticators)) == 0
+        )
+
         if not self.config.enable_celery_tasks and self.config.history_audit_table_prune_interval > 0:
             self.prune_history_audit_task = IntervalTask(
                 func=lambda: galaxy.model.HistoryAudit.prune(self.model.session),
diff --git a/lib/galaxy/authnz/custos_authnz.py b/lib/galaxy/authnz/custos_authnz.py
index aba22d2649fa..c066fb0d1e59 100644
--- a/lib/galaxy/authnz/custos_authnz.py
+++ b/lib/galaxy/authnz/custos_authnz.py
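Review bot: The new `fixed_delegated_auth` expression drops the `enable_oidc` term that both removed definitions (in custos_authnz.py and ConfigSerializer) required, so unless this statement already sits under an `if self.config.enable_oidc:` branch — the rest of `__init__` is outside the hunk, so I can't tell — a deployment with OIDC disabled, one backend listed in `oidc` and no local authenticators still turns automatic account linking on. Because this flag is what later lets an external login attach itself to the existing local user with the same email, it should fail closed: `self.config.fixed_delegated_auth = bool(` / `    self.config.enable_oidc and len(self.config.oidc) == 1 and len(list(self.auth_manager.authenticators)) == 0` / `)`. `oidc` is declared as a `Dict` in config/__init__.py, so the `list()` around it is unnecessary; I kept it for `authenticators` whose type isn't visible. The leading comment is also a sentence fragment that lost its consequence; suggest `# Single external IdP and no local authenticators: trust the IdP and auto-link logins to the existing account with the same email.`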
@@ -189,21 +189,9 @@ def callback(self, state_token, authz_code, trans, login_redirect_url):
         if custos_authnz_token is None:
             user = trans.user
             existing_user = trans.sa_session.query(User).filter_by(email=email).first()
-            # If there is only a single external authentication
-            # provider in use, trust the user provided and
-            # automatically associate.
-            # Equivalent to `fixed_delegated_auth` from `ConfigSerializer`
-            # TODO: Future work will expand on this and provide an
-            # interface for when there are multiple auth providers
-            # allowing explicit authenticated association.
-            fixed_delegated_auth = (
-                trans.app.config.enable_oidc
-                and len(trans.app.config.oidc) == 1
-                and len(trans.app.auth_manager.authenticators) == 0
-            )
             if not user:
                 if existing_user:
-                    if fixed_delegated_auth:
+                    if trans.app.config.fixed_delegated_auth:
                         user = existing_user
                     else:
                         message = f"There already exists a user with email {email}. To associate this external login, you must first be logged in as that existing account."
@@ -235,7 +223,7 @@ def callback(self, state_token, authz_code, trans, login_redirect_url):
                 refresh_expiration_time=refresh_expiration_time,
             )
             label = self.config["label"]
-            if fixed_delegated_auth:
+            if trans.app.config.fixed_delegated_auth:
                 redirect_url = login_redirect_url
             elif existing_user and existing_user != user:
                 redirect_url = (
diff --git a/lib/galaxy/config/__init__.py b/lib/galaxy/config/__init__.py
index 2cc29a027431..4601fe34151c 100644
--- a/lib/galaxy/config/__init__.py
+++ b/lib/galaxy/config/__init__.py
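Review bot: Under the new `if trans.app.config.fixed_delegated_auth:` gate, `user = existing_user` binds the external identity to whichever local account matches `email`, and nothing in the hunk establishes that the identity provider verified that address; where `email` is read is above the hunk (`callback` starts and ends outside it), but if it comes from the ID token or userinfo response the `email_verified` claim should be required too, e.g. `if trans.app.config.fixed_delegated_auth and email_verified:`, with the existing "There already exists a user" branch handling the unverified case. Without that, anyone who can register an unverified address at the IdP can take over the matching Galaxy account. The gate also changed from a per-request computation to a value fixed at startup, which is only equivalent if `auth_manager.authenticators` cannot change while the process runs; a one-line comment here saying the flag is startup-derived would save the next reader from re-deriving that.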
@@ -857,6 +857,7 @@ def _process_config(self, kwargs: Dict[str, Any]) -> None:
         self.builds_file_path = os.path.join(self.tool_data_path, self.builds_file_path)
         self.len_file_path = os.path.join(self.tool_data_path, self.len_file_path)
         self.oidc: Dict[str, Dict] = {}
+        self.fixed_delegated_auth: bool = False
         self.integrated_tool_panel_config = self._in_managed_config_dir(self.integrated_tool_panel_config)
         integrated_tool_panel_tracking_directory = kwargs.get("integrated_tool_panel_tracking_directory")
         if integrated_tool_panel_tracking_directory:
diff --git a/lib/galaxy/managers/configuration.py b/lib/galaxy/managers/configuration.py
index 46e6112f82fc..f1e149c869a3 100644
--- a/lib/galaxy/managers/configuration.py
+++ b/lib/galaxy/managers/configuration.py
@@ -113,7 +113,6 @@ def _config_is_truthy(item, key, **context):
             return True if item.get(key) else False
 
         object_store = self.app.object_store
-        auth_manager = self.app.auth_manager
         self.serializers: Dict[str, base.Serializer] = {
             # TODO: this is available from user data, remove
             "is_admin_user": lambda *a, **c: False,
@@ -209,11 +208,7 @@ def _config_is_truthy(item, key, **context):
             "tool_training_recommendations_link": _use_config,
             "tool_training_recommendations_api_url": _use_config,
             "enable_notification_system": _use_config,
-            "fixed_delegated_auth": lambda item, key, **context: (
-                bool(item.get("enable_oidc"))
-                and len(list(_use_config(item, "oidc", **context))) == 1
-                and len(list(auth_manager.authenticators)) == 0
-            ),
+            "fixed_delegated_auth": _defaults_to(False),
         }
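Review bot: `self.fixed_delegated_auth: bool = False` is added with no explanation, although it is the switch that later permits an external login to be auto-linked to an existing account by email, and unlike its neighbours it is not read from `kwargs` or a config file. A comment would stop someone later exposing it in the schema or sample config as a user-settable option: `# Not a config-file option: derived at startup from the OIDC backends and local authenticators; False is the fail-closed default.` The enclosing `_process_config` continues outside the hunk.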