Merged
5 changes: 4 additions & 1 deletion CHANGELOG.md
@@ -2,9 +2,12 @@

# Unreleased

# 1.3.14

* Make `Dataset.resource_list` an `ordering_list`, ordered by `Resource.id` (\#951).
* Improve delete-resource endpoint (\#943).
* Expose `redirect_url` for OAuth clients (\#953).
* Expose JSON Schema for the `ManifestV1` Pydantic model (\#942).
* Improve delete-resource endpoint (\#943).
* Dependencies:
* Upgrade sqlmodel to 0.0.11 (\#949).
* Testing:
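Review bot: the new entry `* Expose `redirect_url` for OAuth clients (\#953).` names the Python-side argument, but the knob a deployer actually sets is the `OAUTH_<CLIENT>_REDIRECT_URL` environment variable introduced in `docs/internals/users.md` and `fractal_server/config.py` in this same change; naming the variable in the changelog line makes the entry greppable for operators reading release notes.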
13 changes: 13 additions & 0 deletions docs/internals/users.md
@@ -133,6 +133,7 @@ To add an `OAuth2` client, the following environment variables must be added to
OAUTH_MYCLIENT_CLIENT_ID=...
OAUTH_MYCLIENT_CLIENT_SECRET=...
OAUTH_MYCLIENT_OIDC_CONFIGURATION_ENDPOINT=https://client.com/.well-known/openid-configuration
OAUTH_MYCLIENT_REDIRECT_URL=... # e.g. https://fractal-web.example.org/auth/login/oauth2
```

=== "OIDC (multiple clients)"
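Review bot: the placeholder comment `# e.g. https://fractal-web.example.org/auth/login/oauth2` should also state that the value must match, character for character, the redirect URI registered with the identity provider for this client ID, and that it should be an `https://` URL: providers reject an authorization request whose `redirect_uri` differs from the registered one (a common source of "invalid redirect" failures when a trailing slash or port differs), and an `http://` redirect exposes the authorization code on the wire.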
@@ -141,24 +142,28 @@ To add an `OAuth2` client, the following environment variables must be added to
OAUTH_MYCLIENT1_CLIENT_ID=...
OAUTH_MYCLIENT1_CLIENT_SECRET=...
OAUTH_MYCLIENT1_OIDC_CONFIGURATION_ENDPOINT=https://client1.com/.well-known/openid-configuration
OAUTH_MYCLIENT1_REDIRECT_URL=... # e.g. https://fractal-web.1.example.org/auth/login/oauth2

OAUTH_MYCLIENT2_CLIENT_ID=...
OAUTH_MYCLIENT2_CLIENT_SECRET=...
OAUTH_MYCLIENT2_OIDC_CONFIGURATION_ENDPOINT=https://client2.com/.well-known/openid-configuration
OAUTH_MYCLIENT2_REDIRECT_URL=... # e.g. https://fractal-web.2.example.org/auth/login/oauth2
```

=== "GitHub"

```console
OAUTH_GITHUB_CLIENT_ID=...
OAUTH_GITHUB_CLIENT_SECRET=...
OAUTH_GITHUB_REDIRECT_URL=... # e.g. https://fractal-web.example.org/auth/login/oauth2
```

=== "Google"

```console
OAUTH_GOOGLE_CLIENT_ID=...
OAUTH_GOOGLE_CLIENT_SECRET=...
OAUTH_GOOGLE_REDIRECT_URL=... # e.g. https://fractal-web.example.org/auth/login/oauth2
```

When `fractal-server` starts, two new routes will be generated for each client:
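Review bot: the two OIDC examples use different hosts (`https://fractal-web.1.example.org/...` and `https://fractal-web.2.example.org/...`), which reads as if each OIDC client needs its own redirect host. Unless that is actually required, say that `OAUTH_<CLIENT>_REDIRECT_URL` is simply the callback URL registered with that provider and may be identical for every client served by the same `fractal-web` deployment; and, as for the single-client tab, that it must match the registered redirect URI exactly.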
@@ -168,6 +173,14 @@ When `fractal-server` starts, two new routes will be generated for each client:

> For `GitHub` and `Google` clients the `client-name` is `github` or `google`, while for `OIDC` clients it comes from the environment variables (e.g. for `OAUTH_MYCLIENT_CLIENT_ID` the `client-name` is `MYCLIENT`).

> Note that the `OAUTH_*_REDIRECT_URL` environment variable is optional. It is
> not relevant for the examples described in this page, since they are all in
> the command-line interface. However, it is required when OAuth authentication
> is performed starting from a browser (e.g. through the [`fractal-web`
> client](https://github.com/fractal-analytics-platform/fractal-web)), since
> the callback URL should be opened in the browser itself.


#### Authorization Code Flow

Authentication via OAuth2 client is based on the [Authorizion Code Flow](https://auth0.com/docs/get-started/authentication-and-authorization-flow/authorization-code-flow), as described in this diagram
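Review bot: the added note explains when `OAUTH_*_REDIRECT_URL` is required but not what happens when it is left unset; one sentence naming the fallback (presumably whatever `fastapi_users.get_oauth_router` does with `redirect_url=None`, which is how the `config.py` docstring in this change describes the argument) would let a deployer predict which URL the provider will see in the CLI case. Nit in the context line just below: `Authorizion Code Flow` should read `Authorization Code Flow`; since this change already touches the file, it is a cheap fix to fold in.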
1 change: 1 addition & 0 deletions fractal_server/app/security/__init__.py
@@ -348,6 +348,7 @@ async def list_users(
settings.JWT_SECRET_KEY,
is_verified_by_default=False,
associate_by_email=True,
redirect_url=client_config.REDIRECT_URL,
),
prefix=f"/{client_name}",
)
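Review bot: `redirect_url=client_config.REDIRECT_URL,` forwards `None` whenever the variable is unset and so silently relies on the library default of `get_oauth_router`; a short comment here, or a startup log line listing each client's effective redirect URL, would make the browser-versus-CLI distinction documented in `docs/internals/users.md` visible to whoever later debugs a provider-side `redirect_uri` mismatch.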
6 changes: 6 additions & 0 deletions fractal_server/config.py
@@ -60,12 +60,17 @@ class OAuthClientConfig(BaseModel):
OIDC_CONFIGURATION_ENDPOINT:
OpenID configuration endpoint,
allowing to discover the required endpoints automatically
REDIRECT_URL:
String to be used as `redirect_url` argument for
`fastapi_users.get_oauth_router`, and then in
`httpx_oauth.integrations.fastapi.OAuth2AuthorizeCallback`.
"""

CLIENT_NAME: str
CLIENT_ID: str
CLIENT_SECRET: str
OIDC_CONFIGURATION_ENDPOINT: Optional[str]
REDIRECT_URL: Optional[str] = None

@root_validator
def check_configuration(cls, values):
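Review bot: `REDIRECT_URL: Optional[str] = None` is accepted without any check, while the `check_configuration` root validator directly below it is the natural place for one: reject a non-empty value that is not an absolute `https://` URL, since a relative or `http://` value either fails the provider's redirect-URI match or sends the authorization code over plain HTTP. Minor style point: `OIDC_CONFIGURATION_ENDPOINT: Optional[str]` carries no explicit default while the new `REDIRECT_URL` does; pick one convention for the optional fields.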
@@ -153,6 +158,7 @@ def collect_oauth_clients(cls, values):
OIDC_CONFIGURATION_ENDPOINT=getenv(
f"{prefix}_OIDC_CONFIGURATION_ENDPOINT", None
),
REDIRECT_URL=getenv(f"{prefix}_REDIRECT_URL", None),
)
values["OAUTH_CLIENTS_CONFIG"].append(oauth_client_config)
return values
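Review bot: `REDIRECT_URL=getenv(f"{prefix}_REDIRECT_URL", None),` returns `""` when the variable is present but empty (the usual state of an `.env` template line such as `OAUTH_MYCLIENT_REDIRECT_URL=`), and that empty string, unlike `None`, is then handed to `get_oauth_router` as the redirect URL instead of triggering the default. Use `getenv(f"{prefix}_REDIRECT_URL") or None`, or normalise empty strings to `None` inside `OAuthClientConfig`, so the unset and empty cases behave identically.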