Exemple #1
0
    def post(self, request, organization=None, *args, **kwargs):
        """
        Process a login request via username/password. SSO login is handled
        elsewhere.
        """
        login_form = AuthenticationForm(request, request.data)

        # Rate limit logins
        is_limited = ratelimiter.is_limited(
            "auth:login:username:{}".format(
                md5_text(
                    login_form.clean_username(
                        request.data.get("username"))).hexdigest()),
            limit=10,
            window=60,  # 10 per minute should be enough for anyone
        )

        if is_limited:
            errors = {"__all__": [login_form.error_messages["rate_limited"]]}
            metrics.incr("login.attempt",
                         instance="rate_limited",
                         skip_internal=True,
                         sample_rate=1.0)

            return self.respond_with_error(errors)

        if not login_form.is_valid():
            metrics.incr("login.attempt",
                         instance="failure",
                         skip_internal=True,
                         sample_rate=1.0)
            return self.respond_with_error(login_form.errors)

        user = login_form.get_user()

        auth.login(request,
                   user,
                   organization_id=organization.id if organization else None)
        metrics.incr("login.attempt",
                     instance="success",
                     skip_internal=True,
                     sample_rate=1.0)

        if not user.is_active:
            return Response({
                "nextUri":
                "/auth/reactivate/",
                "user":
                serialize(user, user, DetailedUserSerializer()),
            })

        active_org = self.get_active_organization(request)
        redirect_url = auth.get_org_redirect_url(request, active_org)

        return Response({
            "nextUri":
            auth.get_login_redirect(request, redirect_url),
            "user":
            serialize(user, user, DetailedUserSerializer()),
        })
Exemple #2
0
    def handle_basic_auth(self, request):
        if request.user.is_authenticated():
            return self.redirect(get_login_redirect(request))

        form = AuthenticationForm(
            request, request.POST or None,
            captcha=bool(request.session.get('needs_captcha')),
        )
        if form.is_valid():
            login(request, form.get_user())

            request.session.pop('needs_captcha', None)

            return self.redirect(get_login_redirect(request))

        elif request.POST and not request.session.get('needs_captcha'):
            request.session['needs_captcha'] = 1
            form = AuthenticationForm(request, request.POST or None, captcha=True)
            form.errors.pop('captcha', None)

        request.session.set_test_cookie()

        context = {
            'form': form,
            'CAN_REGISTER': features.has('auth:register') or request.session.get('can_register'),
        }
        return self.respond('sentry/login.html', context)
Exemple #3
0
    def handle(self, request):
        if request.user.is_authenticated():
            return self.redirect(get_login_redirect(request))

        form = AuthenticationForm(request, request.POST or None, captcha=bool(request.session.get("needs_captcha")))
        if form.is_valid():
            login(request, form.get_user())

            request.session.pop("needs_captcha", None)

            return self.redirect(get_login_redirect(request))

        elif request.POST and not request.session.get("needs_captcha"):
            request.session["needs_captcha"] = 1
            form = AuthenticationForm(request, request.POST or None, captcha=True)
            form.errors.pop("captcha", None)

        request.session.set_test_cookie()

        context = {
            "form": form,
            "next": request.session.get("_next"),
            "CAN_REGISTER": features.has("auth:register") or request.session.get("can_register"),
            "AUTH_PROVIDERS": get_auth_providers(),
            "SOCIAL_AUTH_CREATE_USERS": features.has("social-auth:register"),
        }
        return self.respond("sentry/login.html", context)
Exemple #4
0
def login(request):
    from django.conf import settings

    if request.user.is_authenticated():
        return login_redirect(request)

    form = AuthenticationForm(request, request.POST or None,
                              captcha=bool(request.session.get('needs_captcha')))
    if form.is_valid():
        login_user(request, form.get_user())

        request.session.pop('needs_captcha', None)

        return login_redirect(request)

    elif request.POST and not request.session.get('needs_captcha'):
        request.session['needs_captcha'] = 1
        form = AuthenticationForm(request, request.POST or None, captcha=True)
        form.errors.pop('captcha', None)

    request.session.set_test_cookie()

    context = csrf(request)
    context.update({
        'form': form,
        'next': request.session.get('_next'),
        'CAN_REGISTER': settings.SENTRY_ALLOW_REGISTRATION or request.session.get('can_register'),
        'AUTH_PROVIDERS': get_auth_providers(),
        'SOCIAL_AUTH_CREATE_USERS': settings.SOCIAL_AUTH_CREATE_USERS,
    })
    return render_to_response('sentry/login.html', context, request)
Exemple #5
0
def login(request):
    from django.conf import settings

    if request.user.is_authenticated():
        return login_redirect(request)

    form = AuthenticationForm(request, request.POST or None)
    if form.is_valid():
        login_user(request, form.get_user())
        return login_redirect(request)

    request.session.set_test_cookie()

    context = csrf(request)
    context.update({
        'form':
        form,
        'next':
        request.session.get('_next'),
        'CAN_REGISTER':
        settings.SENTRY_ALLOW_REGISTRATION
        or request.session.get('can_register'),
        'AUTH_PROVIDERS':
        get_auth_providers(),
        'SOCIAL_AUTH_CREATE_USERS':
        settings.SOCIAL_AUTH_CREATE_USERS,
    })
    return render_to_response('sentry/login.html', context, request)
Exemple #6
0
    def post(self, request, organization=None, *args, **kwargs):
        """
        Process a login request via username/password. SSO login is handled
        elsewhere.
        """
        login_form = AuthenticationForm(request, request.DATA)

        # Rate limit logins
        is_limited = ratelimiter.is_limited(
            u'auth:login:username:{}'.format(
                md5_text(request.DATA.get('username').lower()).hexdigest()),
            limit=10,
            window=60,  # 10 per minute should be enough for anyone
        )

        if is_limited:
            errors = {'__all__': [login_form.error_messages['rate_limited']]}
            metrics.incr('login.attempt',
                         instance='rate_limited',
                         skip_internal=True,
                         sample_rate=1.0)

            return self.respond_with_error(errors)

        if not login_form.is_valid():
            metrics.incr('login.attempt',
                         instance='failure',
                         skip_internal=True,
                         sample_rate=1.0)
            return self.respond_with_error(login_form.errors)

        user = login_form.get_user()

        auth.login(
            request,
            user,
            organization_id=organization.id if organization else None,
        )
        metrics.incr('login.attempt',
                     instance='success',
                     skip_internal=True,
                     sample_rate=1.0)

        if not user.is_active:
            return Response({
                'nextUri':
                '/auth/reactivate/',
                'user':
                serialize(user, user, DetailedUserSerializer()),
            })

        active_org = self.get_active_organization(request)
        redirect_url = auth.get_org_redirect_url(request, active_org)

        return Response({
            'nextUri':
            auth.get_login_redirect(request, redirect_url),
            'user':
            serialize(user, user, DetailedUserSerializer()),
        })
    def handle_basic_auth(self, request, organization):
        form = SimplifiedAuthenticationForm(
            request, request.POST or None,
            captcha=bool(request.session.get('needs_captcha')),
        )

        if form.is_valid():
            login(request, form.get_user())

            request.session.pop('needs_captcha', None)

            return self.redirect(get_login_redirect(request))

        elif request.POST and not request.session.get('needs_captcha'):
            request.session['needs_captcha'] = 1
            form = AuthenticationForm(request, request.POST or None, captcha=True)
            form.errors.pop('captcha', None)

        context = {
            'form': form,
            'CAN_REGISTER': features.has('auth:register') or request.session.get('can_register'),
            'organization': organization,
        }

        return self.respond('sentry/organization-login.html', context)
Exemple #8
0
 def get_login_form(self, request):
     op = request.POST.get('op')
     return AuthenticationForm(
         request,
         request.POST if op == 'login' else None,
         captcha=bool(request.session.get('needs_captcha')),
     )
Exemple #9
0
 def _get_login_form(self, existing_user=None):
     request = self.request
     return AuthenticationForm(
         request,
         request.POST if request.POST.get('op') == 'login' else None,
         initial={
             'username': existing_user.username if existing_user else None,
         },
     )
Exemple #10
0
    def handle(self, request):
        if request.user.is_authenticated():
            return self.redirect(get_login_redirect(request))

        form = AuthenticationForm(request, request.POST or None,
                                  captcha=bool(request.session.get('needs_captcha')))
        if form.is_valid():
            login(request, form.get_user())

            request.session.pop('needs_captcha', None)

            return self.redirect(get_login_redirect(request))

        elif request.POST and not request.session.get('needs_captcha'):
            request.session['needs_captcha'] = 1
            form = AuthenticationForm(request, request.POST or None, captcha=True)
            form.errors.pop('captcha', None)

        request.session.set_test_cookie()

        context = {
            'form': form,
            'next': request.session.get('_next'),
            'CAN_REGISTER': settings.SENTRY_ALLOW_REGISTRATION or request.session.get('can_register'),
            'AUTH_PROVIDERS': get_auth_providers(),
            'SOCIAL_AUTH_CREATE_USERS': settings.SOCIAL_AUTH_CREATE_USERS,
        }
        return self.respond('sentry/login.html', context)
Exemple #11
0
def handle_unknown_identity(request, organization, auth_provider, provider, state, identity):
    """
    Flow is activated upon a user logging in to where an AuthIdentity is
    not present.

    XXX(dcramer): this docstring is out of date

    The flow will attempt to answer the following:

    - Is there an existing user with the same email address? Should they be
      merged?

    - Is there an existing user (via authentication) that should be merged?

    - Should I create a new user based on this identity?
    """
    op = request.POST.get("op")
    if not request.user.is_authenticated():
        # TODO(dcramer): its possible they have multiple accounts and at
        # least one is managed (per the check below)
        try:
            acting_user = User.objects.filter(
                id__in=UserEmail.objects.filter(email__iexact=identity["email"]).values("user"),
                is_active=True,
            ).first()
        except IndexError:
            acting_user = None
        login_form = AuthenticationForm(
            request,
            request.POST if request.POST.get("op") == "login" else None,
            initial={"username": acting_user.username if acting_user else None},
        )
    else:
        acting_user = request.user

    # If they already have an SSO account and the identity provider says
    # the email matches we go ahead and let them merge it. This is the
    # only way to prevent them having duplicate accounts, and because
    # we trust identity providers, its considered safe.
    # Note: we do not trust things like SAML, so the SSO implementation needs
    # to consider if 'email_verified' can be trusted or not
    if acting_user and identity.get("email_verified"):
        # we only allow this flow to happen if the existing user has
        # membership, otherwise we short circuit because it might be
        # an attempt to hijack membership of another organization
        has_membership = OrganizationMember.objects.filter(
            user=acting_user, organization=organization
        ).exists()
        if has_membership:
            if not auth.login(
                request,
                acting_user,
                after_2fa=request.build_absolute_uri(),
                organization_id=organization.id,
            ):
                if acting_user.has_usable_password():
                    return post_login_redirect(request)
                else:
                    acting_user = None
            else:
                # assume they've confirmed they want to attach the identity
                op = "confirm"
        else:
            # force them to create a new account
            acting_user = None
    # without a usable password they cant login, so let's clear the acting_user
    elif acting_user and not acting_user.has_usable_password():
        acting_user = None

    if op == "confirm" and request.user.is_authenticated():
        auth_identity = handle_attach_identity(
            auth_provider, request, organization, provider, identity
        )
    elif op == "newuser":
        auth_identity = handle_new_user(auth_provider, organization, request, identity)
    elif op == "login" and not request.user.is_authenticated():
        # confirm authentication, login
        op = None
        if login_form.is_valid():
            # This flow is special.  If we are going through a 2FA
            # flow here (login returns False) we want to instruct the
            # system to return upon completion of the 2fa flow to the
            # current URL and continue with the dialog.
            #
            # If there is no 2fa we don't need to do this and can just
            # go on.
            if not auth.login(
                request,
                login_form.get_user(),
                after_2fa=request.build_absolute_uri(),
                organization_id=organization.id,
            ):
                return post_login_redirect(request)
        else:
            auth.log_auth_failure(request, request.POST.get("username"))
    else:
        op = None

    if not op:
        if request.user.is_authenticated():
            return respond(
                "sentry/auth-confirm-link.html",
                organization,
                request,
                {
                    "identity": identity,
                    "existing_user": request.user,
                    "identity_display_name": get_display_name(identity),
                    "identity_identifier": get_identifier(identity),
                },
            )

        return respond(
            "sentry/auth-confirm-identity.html",
            organization,
            request,
            {
                "existing_user": acting_user,
                "identity": identity,
                "login_form": login_form,
                "identity_display_name": get_display_name(identity),
                "identity_identifier": get_identifier(identity),
            },
        )

    user = auth_identity.user
    user.backend = settings.AUTHENTICATION_BACKENDS[0]

    # XXX(dcramer): this is repeated from above
    if not auth.login(
        request, user, after_2fa=request.build_absolute_uri(), organization_id=organization.id
    ):
        return post_login_redirect(request)

    state.clear()

    return post_login_redirect(request)
Exemple #12
0
    def handle_unknown_identity(
        self,
        state: AuthHelperSessionStore,
    ) -> HttpResponseRedirect:
        """
        Flow is activated upon a user logging in to where an AuthIdentity is
        not present.

        XXX(dcramer): this docstring is out of date

        The flow will attempt to answer the following:

        - Is there an existing user with the same email address? Should they be
          merged?

        - Is there an existing user (via authentication) that should be merged?

        - Should I create a new user based on this identity?
        """
        op = self.request.POST.get("op")
        login_form = (None if self._logged_in_user else AuthenticationForm(
            self.request,
            self.request.POST
            if self.request.POST.get("op") == "login" else None,
            initial={"username": self._app_user and self._app_user.username},
        ))
        # we don't trust all IDP email verification, so users can also confirm via one time email link
        is_account_verified = False
        if self.request.session.get("confirm_account_verification_key"):
            verification_key = self.request.session.get(
                "confirm_account_verification_key")
            verification_value = get_verification_value_from_key(
                verification_key)
            if verification_value:
                is_account_verified = self.has_verified_account(
                    verification_value)

        is_new_account = not self.user.is_authenticated  # stateful
        if self._app_user and self.identity.get(
                "email_verified") or is_account_verified:
            # we only allow this flow to happen if the existing user has
            # membership, otherwise we short circuit because it might be
            # an attempt to hijack membership of another organization
            has_membership = OrganizationMember.objects.filter(
                user=self._app_user, organization=self.organization).exists()
            if has_membership:
                try:
                    self._login(self.user)
                except self._NotCompletedSecurityChecks:
                    # adding is_account_verified to the check below in order to redirect
                    # to 2fa when the user migrates their idp but has 2fa enabled,
                    # otherwise it would stop them from linking their sso provider
                    if (self._has_usable_password() or is_account_verified
                            or using_okta_migration_workaround(
                                self.organization, self.user,
                                self.auth_provider)):
                        return self._post_login_redirect()
                    else:
                        is_new_account = True
                else:
                    # assume they've confirmed they want to attach the identity
                    op = "confirm"
            elif is_account_verified:
                op = "confirm"
            else:
                # force them to create a new account
                is_new_account = True
        # without a usable password they can't login, so default to a new account
        elif not self._has_usable_password():
            is_new_account = True

        auth_identity = None
        if op == "confirm" and self.user.is_authenticated or is_account_verified:
            auth_identity = self.handle_attach_identity()
        elif op == "newuser":
            auth_identity = self.handle_new_user()
        elif op == "login" and not self._logged_in_user:
            # confirm authentication, login
            op = None
            if login_form.is_valid():
                # This flow is special.  If we are going through a 2FA
                # flow here (login returns False) we want to instruct the
                # system to return upon completion of the 2fa flow to the
                # current URL and continue with the dialog.
                #
                # If there is no 2fa we don't need to do this and can just
                # go on.
                try:
                    self._login(login_form.get_user())
                except self._NotCompletedSecurityChecks:
                    return self._post_login_redirect()
            else:
                auth.log_auth_failure(self.request,
                                      self.request.POST.get("username"))
        else:
            op = None

        if not op:
            existing_user, template = self._dispatch_to_confirmation(
                is_new_account)

            context = {
                "identity":
                self.identity,
                "provider":
                self.provider_name,
                "identity_display_name":
                self.identity.get("name") or self.identity.get("email"),
                "identity_identifier":
                self.identity.get("email") or self.identity.get("id"),
                "existing_user":
                existing_user,
            }
            if login_form:
                context["login_form"] = login_form
            return self._respond(f"sentry/{template}.html", context)

        user = auth_identity.user
        user.backend = settings.AUTHENTICATION_BACKENDS[0]

        # XXX(dcramer): this is repeated from above
        try:
            self._login(user)
        except self._NotCompletedSecurityChecks:
            return self._post_login_redirect()

        state.clear()

        if not is_active_superuser(self.request):
            auth.set_active_org(self.request, self.organization.slug)
        return self._post_login_redirect()
Exemple #13
0
 def get_login_form(self, request):
     op = request.POST.get("op")
     return AuthenticationForm(request, request.POST if op == "login" else None)
Exemple #14
0
 def get_login_form(self, request):
     op = request.POST.get('op')
     return AuthenticationForm(
         request,
         request.POST if op == 'login' else None,
     )
Exemple #15
0
    def handle_unknown_identity(
        self,
        state: AuthHelperSessionStore,
        identity: Identity,
    ) -> HttpResponseRedirect:
        """
        Flow is activated upon a user logging in to where an AuthIdentity is
        not present.

        XXX(dcramer): this docstring is out of date

        The flow will attempt to answer the following:

        - Is there an existing user with the same email address? Should they be
          merged?

        - Is there an existing user (via authentication) that should be merged?

        - Should I create a new user based on this identity?
        """
        op = self.request.POST.get("op")
        if not self.user.is_authenticated:
            # TODO(dcramer): its possible they have multiple accounts and at
            # least one is managed (per the check below)
            try:
                acting_user = User.objects.filter(
                    id__in=UserEmail.objects.filter(
                        email__iexact=identity["email"]).values("user"),
                    is_active=True,
                ).first()
            except IndexError:
                acting_user = None
            login_form = AuthenticationForm(
                self.request,
                self.request.POST
                if self.request.POST.get("op") == "login" else None,
                initial={
                    "username": acting_user.username if acting_user else None
                },
            )
        else:
            acting_user = self.user

        # If they already have an SSO account and the identity provider says
        # the email matches we go ahead and let them merge it. This is the
        # only way to prevent them having duplicate accounts, and because
        # we trust identity providers, its considered safe.
        # Note: we do not trust things like SAML, so the SSO implementation needs
        # to consider if 'email_verified' can be trusted or not
        if acting_user and identity.get("email_verified"):
            # we only allow this flow to happen if the existing user has
            # membership, otherwise we short circuit because it might be
            # an attempt to hijack membership of another organization
            has_membership = OrganizationMember.objects.filter(
                user=acting_user, organization=self.organization).exists()
            if has_membership:
                try:
                    self._login(acting_user)
                except self._NotCompletedSecurityChecks:
                    if acting_user.has_usable_password():
                        return self._post_login_redirect()
                    else:
                        acting_user = None
                else:
                    # assume they've confirmed they want to attach the identity
                    op = "confirm"
            else:
                # force them to create a new account
                acting_user = None
        # without a usable password they can't login, so let's clear the acting_user
        elif acting_user and not acting_user.has_usable_password():
            acting_user = None

        if op == "confirm" and self.user.is_authenticated:
            auth_identity = self.handle_attach_identity(identity)
        elif op == "newuser":
            auth_identity = self.handle_new_user(identity)
        elif op == "login" and not self.user.is_authenticated:
            # confirm authentication, login
            op = None
            if login_form.is_valid():
                # This flow is special.  If we are going through a 2FA
                # flow here (login returns False) we want to instruct the
                # system to return upon completion of the 2fa flow to the
                # current URL and continue with the dialog.
                #
                # If there is no 2fa we don't need to do this and can just
                # go on.
                try:
                    self._login(login_form.get_user())
                except self._NotCompletedSecurityChecks:
                    return self._post_login_redirect()
            else:
                auth.log_auth_failure(self.request,
                                      self.request.POST.get("username"))
        else:
            op = None

        if not op:
            # A blank character is needed to prevent the HTML span from collapsing
            provider_name = self.auth_provider.get_provider(
            ).name if self.auth_provider else " "

            context = {
                "identity":
                identity,
                "provider":
                provider_name,
                "identity_display_name":
                identity.get("name") or identity.get("email"),
                "identity_identifier":
                identity.get("email") or identity.get("id"),
            }
            if self.user.is_authenticated:
                template = "sentry/auth-confirm-link.html"
                context.update({"existing_user": self.user})
            else:
                self.request.session.set_test_cookie()
                template = "sentry/auth-confirm-identity.html"
                context.update({
                    "existing_user": acting_user,
                    "login_form": login_form
                })
            return self._respond(template, context)

        user = auth_identity.user
        user.backend = settings.AUTHENTICATION_BACKENDS[0]

        # XXX(dcramer): this is repeated from above
        try:
            self._login(user)
        except self._NotCompletedSecurityChecks:
            return self._post_login_redirect()

        state.clear()

        if not is_active_superuser(self.request):
            # set activeorg to ensure correct redirect upon logging in
            self.request.session["activeorg"] = self.organization.slug
        return self._post_login_redirect()
Exemple #16
0
 def get_login_form(self, request):
     return AuthenticationForm(
         request,
         request.POST or None,
         captcha=bool(request.session.get('needs_captcha')),
     )
Exemple #17
0
def handle_unknown_identity(request, organization, auth_provider, provider, state, identity):
    """
    Flow is activated upon a user logging in to where an AuthIdentity is
    not present.

    XXX(dcramer): this docstring is out of date

    The flow will attempt to answer the following:

    - Is there an existing user with the same email address? Should they be
      merged?

    - Is there an existing user (via authentication) that should be merged?

    - Should I create a new user based on this identity?
    """
    op = request.POST.get('op')
    if not request.user.is_authenticated():
        # TODO(dcramer): its possible they have multiple accounts and at
        # least one is managed (per the check below)
        try:
            acting_user = User.objects.filter(
                id__in=UserEmail.objects.filter(email__iexact=identity['email']).values('user'),
                is_active=True,
            ).first()
        except IndexError:
            acting_user = None
        login_form = AuthenticationForm(
            request,
            request.POST if request.POST.get('op') == 'login' else None,
            initial={
                'username': acting_user.username if acting_user else None,
            },
        )
    else:
        acting_user = request.user

    # If they already have an SSO account and the identity provider says
    # the email matches we go ahead and let them merge it. This is the
    # only way to prevent them having duplicate accounts, and because
    # we trust identity providers, its considered safe.
    # Note: we do not trust things like SAML, so the SSO implementation needs
    # to consider if 'email_verified' can be trusted or not
    if acting_user and identity.get('email_verified'):
        # we only allow this flow to happen if the existing user has
        # membership, otherwise we short circuit because it might be
        # an attempt to hijack membership of another organization
        has_membership = OrganizationMember.objects.filter(
            user=acting_user,
            organization=organization,
        ).exists()
        if has_membership:
            if not auth.login(
                request,
                acting_user,
                after_2fa=request.build_absolute_uri(),
                organization_id=organization.id
            ):
                if acting_user.has_usable_password():
                    return HttpResponseRedirect(auth.get_login_redirect(request))
                else:
                    acting_user = None
            else:
                # assume they've confirmed they want to attach the identity
                op = 'confirm'
        else:
            # force them to create a new account
            acting_user = None
    # without a usable password they cant login, so let's clear the acting_user
    elif acting_user and not acting_user.has_usable_password():
        acting_user = None

    if op == 'confirm' and request.user.is_authenticated():
        auth_identity = handle_attach_identity(
            auth_provider,
            request,
            organization,
            provider,
            identity,
        )
    elif op == 'newuser':
        auth_identity = handle_new_user(auth_provider, organization, request, identity)
    elif op == 'login' and not request.user.is_authenticated():
        # confirm authentication, login
        op = None
        if login_form.is_valid():
            # This flow is special.  If we are going through a 2FA
            # flow here (login returns False) we want to instruct the
            # system to return upon completion of the 2fa flow to the
            # current URL and continue with the dialog.
            #
            # If there is no 2fa we don't need to do this and can just
            # go on.
            if not auth.login(
                request,
                login_form.get_user(),
                after_2fa=request.build_absolute_uri(),
                organization_id=organization.id
            ):
                return HttpResponseRedirect(auth.get_login_redirect(request))
        else:
            auth.log_auth_failure(request, request.POST.get('username'))
    else:
        op = None

    if not op:
        if request.user.is_authenticated():
            return respond(
                'sentry/auth-confirm-link.html',
                organization,
                request,
                {
                    'identity': identity,
                    'existing_user': request.user,
                    'identity_display_name': get_display_name(identity),
                    'identity_identifier': get_identifier(identity)
                },
            )

        return respond(
            'sentry/auth-confirm-identity.html',
            organization,
            request,
            {
                'existing_user': acting_user,
                'identity': identity,
                'login_form': login_form,
                'identity_display_name': get_display_name(identity),
                'identity_identifier': get_identifier(identity)
            },
        )

    user = auth_identity.user
    user.backend = settings.AUTHENTICATION_BACKENDS[0]

    # XXX(dcramer): this is repeated from above
    if not auth.login(
        request,
        user,
        after_2fa=request.build_absolute_uri(),
        organization_id=organization.id
    ):
        return HttpResponseRedirect(auth.get_login_redirect(request))

    state.clear()

    return HttpResponseRedirect(auth.get_login_redirect(request))