don't use the alternate CAS login url during api oauth flow

Otherwise the alternate login screen may not get the user back to the
oauth2_token page in a state that the application recognizes.

test plan: Execute the oauth flow against a CAS account with a log_in_url
configured (e.g., with the iOS app). The flow should not redirect to the
alternate url, instead using the primary CAS url.  Also confirm that
normal non-oauth logins still use the alternate url.

Change-Id: Iba39b719a5f80727801880660d19afa128b898ce
Reviewed-on: https://gerrit.instructure.com/7368
Reviewed-by: Zach Wily <zach@instructure.com>
Tested-by: Hudson <hudson@instructure.com>
Brian Palmer 2011-12-08 12:44:30 -07:00
parent 0fa7d2d773
commit b2366a4c9d
2 changed files with 8 additions and 1 deletions


@ -239,7 +239,7 @@ module AuthenticationMethods
def initiate_cas_login(cas_client = nil)
reset_session_for_login
if @domain_root_account.account_authorization_config.log_in_url.present?
if @domain_root_account.account_authorization_config.log_in_url.present? && !in_oauth_flow?
session[:exit_frame] = true
delegated_auth_redirect(@domain_root_account.account_authorization_config.log_in_url)
else
@ -259,4 +259,9 @@ module AuthenticationMethods
def delegated_auth_redirect(uri)
redirect_to(uri)
end
# if true, the user is currently stepping through the oauth2 flow for the canvas api
def in_oauth_flow?
!!session[:oauth2]
end
end
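Review bot: The new `!in_oauth_flow?` guard in `initiate_cas_login` runs after `reset_session_for_login`, so it only works if that reset preserves `session[:oauth2]`. The reset's body is outside this diff, so the dependency should be stated where the guard is, e.g. `# relies on reset_session_for_login keeping session[:oauth2]`. Nothing visible here shows where `session[:oauth2]` is cleared. If an abandoned oauth flow leaves it set, later ordinary logins in the same browser session would presumably skip the account's configured `log_in_url`, so it is worth confirming that the key is removed when the flow completes or is cancelled. The comment on `in_oauth_flow?` could also say that it reflects only the presence of the session key, not a validated oauth request.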


@ -195,6 +195,8 @@ describe "OAuth2", :type => :integration do
it "should execute for cas login" do
flow do
account = account_with_cas(:account => Account.default)
# it should *not* redirect to the alternate log_in_url on the config, when doing oauth
account.account_authorization_config.update_attribute(:log_in_url, "https://www.example.com/bogus")
cas = CASClient::Client.new(:cas_base_url => account.account_authorization_config.auth_base)
cas.instance_variable_set(:@stub_user, @user)