Skip to content

fix: only auto-submit SSO registration form when provider returns an email#38860

Open
ayesha-waris wants to merge 1 commit into
openedx:masterfrom
ayesha-waris:awaris/fix-38780-skip-registration-email
Open

fix: only auto-submit SSO registration form when provider returns an email#38860
ayesha-waris wants to merge 1 commit into
openedx:masterfrom
ayesha-waris:awaris/fix-38780-skip-registration-email

Conversation

@ayesha-waris

Copy link
Copy Markdown
Contributor

Description

When a third-party auth (SSO) provider has Skip registration form enabled, third_party_auth_context set autoSubmitRegForm=True unconditionally. Some providers — Facebook (when the user denies the email permission) and Microsoft Entra ID (accounts without a confirmed email) — complete authentication without returning an email claim. In that case the authn MFE auto-submits a registration form whose required email field is empty; client-side validation silently blocks the submit, and the learner is left stuck on a partially-filled form with no explanation.

This gates the auto-submit on the provider actually returning an email. When no email is present, the learner falls back to the normal registration form and can fill in the missing field. The happy path (email present) is unchanged.

Fixes #38780

How to reproduce

  1. Configure an SSO provider with Skip registration form enabled that authenticates without an email claim (e.g. Facebook with the email permission denied, or Microsoft Entra ID).
  2. Register/sign in via that provider and complete the external authentication.
  3. Before: the registration form auto-submits and silently fails validation, leaving the learner stuck.
    After: the learner lands on the registration form with the email field empty and can complete it.

Testing

Added a regression test MFEContextViewTest.test_skip_registration_form_requires_email covering both cases:

  • provider returns an email → autoSubmitRegForm is True (unchanged happy path)
  • provider returns no email → autoSubmitRegForm is False (learner keeps the form)

…email

When a third-party auth provider has "skip registration form" enabled, the
authn MFE context set autoSubmitRegForm=True unconditionally. Providers such
as Facebook (email permission denied) or Microsoft Entra ID can complete
authentication without returning an email claim; auto-submitting the
registration form in that case silently fails client-side validation and
leaves the learner stuck on a partially-filled form with no explanation.

Gate the auto-submit on the provider actually returning an email so the
learner falls back to the normal registration form and can fill in what is
missing.

Fixes: openedx#38780
@ayesha-waris ayesha-waris requested a review from a team as a code owner July 8, 2026 09:32
@openedx-webhooks openedx-webhooks added open-source-contribution PR author is not from Axim or 2U core contributor PR author is a Core Contributor (who may or may not have write access to this repo). labels Jul 8, 2026
@openedx-webhooks

Copy link
Copy Markdown

Thanks for the pull request, @ayesha-waris!

This repository is currently maintained by @openedx/wg-maintenance-openedx-platform.

Once you've gone through the following steps feel free to tag them in a comment and let them know that your changes are ready for engineering review.

🔘 Get product approval

If you haven't already, check this list to see if your contribution needs to go through the product review process.

  • If it does, you'll need to submit a product proposal for your contribution, and have it reviewed by the Product Working Group.
    • This process (including the steps you'll need to take) is documented here.
  • If it doesn't, simply proceed with the next step.
🔘 Provide context

To help your reviewers and other members of the community understand the purpose and larger context of your changes, feel free to add as much of the following information to the PR description as you can:

  • Dependencies

    This PR must be merged before / after / at the same time as ...

  • Blockers

    This PR is waiting for OEP-1234 to be accepted.

  • Timeline information

    This PR must be merged by XX date because ...

  • Partner information

    This is for a course on edx.org.

  • Supporting documentation
  • Relevant Open edX discussion forum threads
🔘 Get a green build

If one or more checks are failing, continue working on your changes until this is no longer the case and your build turns green.

Details
Where can I find more information?

If you'd like to get more details on all aspects of the review process for open source pull requests (OSPRs), check out the following resources:

When can I expect my changes to be merged?

Our goal is to get community contributions seen and reviewed as efficiently as possible.

However, the amount of time that it takes to review and merge a PR can vary significantly based on factors such as:

  • The size and impact of the changes that it introduces
  • The need for product review
  • Maintenance status of the parent repository

💡 As a result it may take up to several weeks or months to complete a review and merge your PR.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR fixes an authn MFE “stuck registration form” scenario by ensuring the backend only instructs the MFE to auto-submit the third-party registration form when the running SSO pipeline actually has an email address available. This aligns the autoSubmitRegForm signal with the MFE’s required email field constraints and preserves the existing “happy path” behavior.

Changes:

  • Gate autoSubmitRegForm=True behind both skip_registration_form and presence of an email in pipeline user details.
  • Add a regression test covering both “email present” (auto-submit) and “email missing” (do not auto-submit) cases.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File Description
openedx/core/djangoapps/user_authn/views/utils.py Only sets autoSubmitRegForm when the provider is configured to skip the form and the pipeline returned an email.
openedx/core/djangoapps/user_authn/api/tests/test_views.py Adds a regression test verifying autoSubmitRegForm toggles correctly based on whether an email is returned.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@mphilbrick211 mphilbrick211 moved this from Needs Triage to Ready for Review in Contributions Jul 8, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

core contributor PR author is a Core Contributor (who may or may not have write access to this repo). open-source-contribution PR author is not from Axim or 2U

Projects

Status: Ready for Review

Development

Successfully merging this pull request may close these issues.

SSO flow does not skip registration form when "Skip registration form" is enabled

5 participants