[auth] Display login form when OIDC auth is enabled along with other auth backends

[idzikovsky]

What changes were proposed in this pull request?

Without this fix Hue skips login form when desktop.auth.backend set to desktop.auth.backend.OIDCBackend (and does not include desktop.auth.backend.AllowFirstUserDjangoBackend).

But this does not cover a lot of cases, e.g.:

[desktop]
[[auth]]
backend=desktop.auth.backend.LdapBackend,desktop.auth.backend.OIDCBackend

or:

[desktop]
[[auth]]
backend=desktop.auth.backend.AllowFirstUserDjangoBackend,desktop.auth.backend.PamBackend,desktop.auth.backend.OIDCBackend

So in my opinion it's better to skip that form only when only OIDCBackend is used (pretty much exactly like the comment on the first line of that if statement says).

How was this patch tested?

Manual

[github-actions]

⚠️ No test files modified. Please ensure that changes are properly tested. ⚠️

[github-actions]

Python Coverage Report •

File	Stmts	Miss	Cover	Missing
TOTAL	54185	27078	50%

report-only-changed-files is enabled. No files were changed during this commit :)

Pytest Report

Tests	Skipped	Failures	Errors	Time
1186	106 💤	0 ❌	0 🔥	5m 55s ⏱️

[github-actions]

UI Coverage Report

Lines	Statements	Branches	Functions
	39.15% (30527/77959)	31.01% (14247/45936)	23.89% (2130/8915)

[github-actions]

Python Coverage Report •

File	Stmts	Miss	Cover	Missing
TOTAL	54185	27078	50%

report-only-changed-files is enabled. No files were changed during this commit :)

Pytest Report

Tests	Skipped	Failures	Errors	Time
1186	106 💤	0 ❌	0 🔥	6m 1s ⏱️

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[Copilot]

Pull Request Overview

This PR refines when the OIDC login form is displayed by introducing a helper that detects if OIDC is the only authentication backend and updating the login URL logic accordingly.

• Add only_oidc_configured to check if the backends list contains only OIDC
• Replace the previous backend check with only_oidc_configured in the login URL condition
• Ensure mozilla_django_oidc is added to INSTALLED_APPS when OIDC is enabled

Comments suppressed due to low confidence (2)

desktop/core/src/desktop/settings.py:597

• [nitpick] The loop variable b is ambiguous; consider renaming it to backend for better readability.

return not [b for b in AUTHENTICATION_BACKENDS if b != 'desktop.auth.backend.OIDCBackend']

desktop/core/src/desktop/settings.py:596

• Introduce unit tests for only_oidc_configured covering cases with single OIDC backend, multiple backends including OIDC, and no OIDC backend to ensure correct behavior.

def only_oidc_configured():

[Harshg999]

LGTM! Thanks @idzikovsky for contributing a fix!

There are some nits from the copilot review, can you please take a look if possible and rebase your PR to latest master?

[idzikovsky]

I did additional testing on this and it appeared that we also need to ignore the axes.backends.AxesBackend entry added here:
https://github.com/cloudera/hue/blob/84d4002d/desktop/core/src/desktop/settings.py#L530

[github-actions]

Python Coverage Report •

File	Stmts	Miss	Cover	Missing
TOTAL	54185	27078	50%

report-only-changed-files is enabled. No files were changed during this commit :)

Pytest Report

Tests	Skipped	Failures	Errors	Time
1186	106 💤	0 ❌	0 🔥	5m 58s ⏱️

[idzikovsky]

Or another variant here is to remove axes backend in a separate step to make code clearer:

def only_oidc_configured():
    """Check if only the OIDC Auth Backend is enabled."""
    backends = filter(lambda backend: backend != 'axes.backends.AxesBackend', AUTHENTICATION_BACKENDS)  # ignore implicitly added backends
    return all(backend == 'desktop.auth.backend.OIDCBackend' for backend in backends)