
social-auth-core 5.x breaks third_party_auth OAuth pipeline redirect tests #38841

Description

@irfanuddinahmad

Context

While migrating Python dependency management from pip-compile to uv (public-engineering#543), a fresh dependency resolution picked up social-auth-core 5.0.2 (previously pinned at 4.9.1 via pip-compile's locked requirements/edx/base.txt).

Problem

With social-auth-core 5.x, common/djangoapps/third_party_auth's integration test suite fails consistently:

common/djangoapps/third_party_auth/tests/specs/test_azuread.py::AzureADOauth2IntegrationTest::test_full_pipeline_succeeds_for_linking_account
common/djangoapps/third_party_auth/tests/specs/test_azuread.py::AzureADOauth2IntegrationTest::test_full_pipeline_succeeds_for_signing_in_to_existing_active_account
common/djangoapps/third_party_auth/tests/specs/test_azuread.py::AzureADOauth2IntegrationTest::test_full_pipeline_succeeds_registering_new_account
(same three for test_google.py, test_linkedin.py, test_twitter.py)

All fail at the same assertion in common/djangoapps/third_party_auth/tests/specs/base.py:

def assert_logged_in_cookie_redirect(self, response):
    """Verify that the user was redirected in order to set the logged in cookie."""
    assert response.status_code == 302
    assert response["Location"] == pipeline.get_complete_url(self.provider.backend_name)  # fails here

The redirect's Location header no longer matches the expected complete-pipeline URL, suggesting social-auth-core 5.x changed some aspect of the OAuth pipeline's post-login redirect behavior (or URL/backend-name resolution) that this repo's pipeline code or tests assume.

Workaround

social-auth-core<5.0.0 has been added to [tool.edx_lint].uv_constraints in the root pyproject.toml to keep the currently-tested 4.x behavior while this repo is on uv. This mirrors the existing social-auth-app-django<=5.4.1 constraint already in this file, pinned for a related reason (avoiding an unplanned migration in the same dependency family).

Follow-up

Investigate what changed in social-auth-core 5.x's pipeline/redirect handling, update common/djangoapps/third_party_auth (and/or its tests) accordingly, then remove the social-auth-core<5.0.0 constraint.
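A diagnostic helper for the follow-up investigation, added here as an example; it is not part of the issue text or of the repository's code. It replaces the opaque string comparison on `Location` with a per-component comparison, so a failing run reports which part of the redirect changed. The names `diff_redirect`, `assert_same_redirect` and `FakeResponse`, and the sample URLs, are assumptions constructed for illustration.

```python
from urllib.parse import parse_qs, urlsplit


def diff_redirect(actual, expected):
    """Return {component: (actual, expected)} for every URL part that differs."""
    a, e = urlsplit(actual), urlsplit(expected)
    diffs = {}
    for part in ("scheme", "netloc", "path", "fragment"):
        if getattr(a, part) != getattr(e, part):
            diffs[part] = (getattr(a, part), getattr(e, part))
    # Compare query strings as multimaps so parameter order alone is not a diff.
    aq = parse_qs(a.query, keep_blank_values=True)
    eq = parse_qs(e.query, keep_blank_values=True)
    for key in sorted(set(aq) | set(eq)):
        if aq.get(key) != eq.get(key):
            diffs["query:" + key] = (aq.get(key), eq.get(key))
    return diffs


def assert_same_redirect(response, expected_url):
    """Still fails on any difference, but the message names the differing parts."""
    assert response.status_code == 302, response.status_code
    diffs = diff_redirect(response["Location"], expected_url)
    assert not diffs, "redirect mismatch: %r" % (diffs,)


class FakeResponse(dict):
    """Constructed stand-in for a Django response: status_code plus header lookup."""
    status_code = 302


# Constructed sample values, not the URLs from the failing tests.
EXPECTED = "/auth/complete/example-backend/"
ACTUAL = "http://testserver/auth/complete/example-backend/?state=abc"

if __name__ == "__main__":
    for part, (got, want) in diff_redirect(ACTUAL, EXPECTED).items():
        print(f"{part}: got {got!r}, expected {want!r}")
```

The check stays as strict as the original equality assertion except for query parameter order, so it helps locate the change without hiding a redirect to an unexpected host or path.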
