Commit dfe9a86

fix(oauth): Preserve session payload across cycle_key() in authorize flow (#111738)
This PR addresses a `KeyError: 'oa2'` that occurred in the `/oauth/authorize/` endpoint when an unauthenticated user attempted to log in during an OAuth authorization flow.

**Root Cause:** The `_logged_out_post` method in `oauth_authorize.py` calls `request.session.cycle_key()` to prevent session fixation attacks. However, `cycle_key()` regenerates the session ID and, in doing so, was inadvertently clearing the OAuth payload stored under `request.session["oa2"]`. Consequently, when the code attempted to access `request.session["oa2"]["uid"]` immediately after `cycle_key()`, it resulted in a `KeyError`.

**Solution:** The fix involves preserving the `oa2` payload across the `cycle_key()` operation. Before `request.session.cycle_key()` is called, the existing `request.session["oa2"]` data is retrieved and stored in a temporary variable. After `cycle_key()` has regenerated the session, this saved payload is restored to the new session, and the `uid` is updated with the authenticated user's ID. Finally, `request.session.modified` is set to `True` to ensure the changes are persisted.

This approach maintains the security benefits of `cycle_key()` while ensuring the necessary OAuth context is not lost during the login process.

<!-- Sentry employees and contractors can delete or ignore the following. -->

### Legal Boilerplate

Look, I get it. The entity doing business as "Sentry" was incorporated in the State of Delaware in 2015 as Functional Software, Inc. and is gonna need some rights from me in order to utilize my contributions in this here PR. So here's the deal: I retain all rights, title and interest in and to my contributions, and by keeping this boilerplate intact I confirm that Sentry can use, modify, copy, and redistribute my contributions, under Sentry's choice of terms.

Co-authored-by: sentry[bot] <39604003+sentry[bot]@users.noreply.github.com>
Co-authored-by: michelletran-sentry <167130096+michelletran-sentry@users.noreply.github.com>
1 parent 486e7c6 commit dfe9a86

File tree

1 file changed

+8
-3
lines changed


src/sentry/web/frontend/oauth_authorize.py

Lines changed: 8 additions & 3 deletions
Original file line number | Diff line number | Diff line change
@@ -339,12 +339,17 @@ def _logged_out_post(
339339
response = super().post(request, application=application, **kwargs)
340340
# once they login, bind their user ID
341341
if request.user.is_authenticated:
342+
# Save OAuth payload before session regeneration
343+
oa2_payload = request.session.get("oa2")
344+
342345
# Regenerate session to prevent session fixation attacks
343346
request.session.cycle_key()
344347

345-
# Update OAuth payload with authenticated user ID for validation in post()
346-
request.session["oa2"]["uid"] = request.user.id
347-
request.session.modified = True
348+
# Restore OAuth payload after session regeneration and update user ID
349+
if oa2_payload is not None:
350+
oa2_payload["uid"] = request.user.id
351+
request.session["oa2"] = oa2_payload
352+
request.session.modified = True
348353
return response
349354

350355
def post(self, request: HttpRequest, **kwargs) -> HttpResponseBase:
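Review bot: the new `if oa2_payload is not None:` guard silently skips binding `uid` when the session has no `oa2` entry, yet the existing comment says the bound `uid` is what `post()` validates; a login that reaches this branch without an OAuth payload would now return `response` with the `uid` never bound, and `post()` is left to hit the same missing key later or proceed without the bound user. Consider making the `None` path explicit (log it and return an error response, or raise) instead of falling through to `return response`, so the invariant "an authenticated `_logged_out_post` always binds `oa2["uid"]`" cannot be violated quietly. The saved payload is also the same dict object that was in the old session, so mutating `oa2_payload["uid"]` before reassigning it is fine, but a short comment noting that `cycle_key()` is what drops the entry would help the next reader, and a regression test that logs in during the authorize flow and asserts `request.session["oa2"]["uid"]` is set after `cycle_key()` would pin the fix.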
