Merge pull request #953 from fractal-analytics-platform/952-expose-re…

…direct_url-attribute-for-oauth Expose `redirect_url` for OAuth clients
fractal-analytics-platform · Nov 10, 2023 · 488ec30 · 488ec30
2 parents 1fee3a8 + 06612b2
commit 488ec30
Show file tree

Hide file tree

Showing 4 changed files with 24 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -2,9 +2,12 @@
 
 # Unreleased
 
+# 1.3.14
+
 * Make `Dataset.resource_list` an `ordering_list`, ordered by `Resource.id` (\#951).
-* Improve delete-resource endpoint (\#943).
+* Expose `redirect_url` for OAuth clients (\#953).
 * Expose JSON Schema for the `ManifestV1` Pydantic model (\#942).
+* Improve delete-resource endpoint (\#943).
 * Dependencies:
     * Upgrade sqlmodel to 0.0.11 (\#949).
 * Testing:

diff --git a/docs/internals/users.md b/docs/internals/users.md
@@ -133,6 +133,7 @@ To add an `OAuth2` client, the following environment variables must be added to
     OAUTH_MYCLIENT_CLIENT_ID=...
     OAUTH_MYCLIENT_CLIENT_SECRET=...
     OAUTH_MYCLIENT_OIDC_CONFIGURATION_ENDPOINT=https://client.com/.well-known/openid-configuration
+    OAUTH_MYCLIENT_REDIRECT_URL=...   # e.g. https://fractal-web.example.org/auth/login/oauth2
     ```
 
 === "OIDC (multiple clients)"
@@ -141,24 +142,28 @@ To add an `OAuth2` client, the following environment variables must be added to
     OAUTH_MYCLIENT1_CLIENT_ID=...
     OAUTH_MYCLIENT1_CLIENT_SECRET=...
     OAUTH_MYCLIENT1_OIDC_CONFIGURATION_ENDPOINT=https://client1.com/.well-known/openid-configuration
+    OAUTH_MYCLIENT1_REDIRECT_URL=...   # e.g. https://fractal-web.1.example.org/auth/login/oauth2
 
     OAUTH_MYCLIENT2_CLIENT_ID=...
     OAUTH_MYCLIENT2_CLIENT_SECRET=...
     OAUTH_MYCLIENT2_OIDC_CONFIGURATION_ENDPOINT=https://client2.com/.well-known/openid-configuration
+    OAUTH_MYCLIENT2_REDIRECT_URL=...   # e.g. https://fractal-web.2.example.org/auth/login/oauth2
     ```
 
 === "GitHub"
 
     ```console
     OAUTH_GITHUB_CLIENT_ID=...
     OAUTH_GITHUB_CLIENT_SECRET=...
+    OAUTH_GITHUB_REDIRECT_URL=...   # e.g. https://fractal-web.example.org/auth/login/oauth2
     ```
 
 === "Google"
 
     ```console
     OAUTH_GOOGLE_CLIENT_ID=...
     OAUTH_GOOGLE_CLIENT_SECRET=...
+    OAUTH_GOOGLE_REDIRECT_URL=...   # e.g. https://fractal-web.example.org/auth/login/oauth2
     ```
 
 When `fractal-server` starts, two new routes will be generated for each client:
@@ -168,6 +173,14 @@ When `fractal-server` starts, two new routes will be generated for each client:
 
 > For `GitHub` and `Google` clients the `client-name` is `github` or `google`, while for `OIDC` clients it comes from the environment variables (e.g. for `OAUTH_MYCLIENT_CLIENT_ID` the `client-name` is `MYCLIENT`).
 
+> Note that the `OAUTH_*_REDIRECT_URL` environment variable is optional. It is
+> not relevant for the examples described in this page, since they are all in
+> the command-line interface. However, it is required when OAuth authentication
+> is performed starting from a browser (e.g. through the [`fractal-web`
+> client](https://github.com/fractal-analytics-platform/fractal-web)), since
+> the callback URL should be opened in the browser itself.
+
+
 #### Authorization Code Flow
 
 Authentication via OAuth2 client is based on the [Authorizion Code Flow](https://auth0.com/docs/get-started/authentication-and-authorization-flow/authorization-code-flow), as described in this diagram

diff --git a/fractal_server/app/security/__init__.py b/fractal_server/app/security/__init__.py
@@ -348,6 +348,7 @@ async def list_users(
             settings.JWT_SECRET_KEY,
             is_verified_by_default=False,
             associate_by_email=True,
+            redirect_url=client_config.REDIRECT_URL,
         ),
         prefix=f"/{client_name}",
     )
diff --git a/fractal_server/config.py b/fractal_server/config.py
@@ -60,12 +60,17 @@ class OAuthClientConfig(BaseModel):
         OIDC_CONFIGURATION_ENDPOINT:
             OpenID configuration endpoint,
             allowing to discover the required endpoints automatically
+        REDIRECT_URL:
+            String to be used as `redirect_url` argument for
+            `fastapi_users.get_oauth_router`, and then in
+            `httpx_oauth.integrations.fastapi.OAuth2AuthorizeCallback`.
     """
 
     CLIENT_NAME: str
     CLIENT_ID: str
     CLIENT_SECRET: str
     OIDC_CONFIGURATION_ENDPOINT: Optional[str]
+    REDIRECT_URL: Optional[str] = None
 
     @root_validator
     def check_configuration(cls, values):
@@ -153,6 +158,7 @@ def collect_oauth_clients(cls, values):
                 OIDC_CONFIGURATION_ENDPOINT=getenv(
                     f"{prefix}_OIDC_CONFIGURATION_ENDPOINT", None
                 ),
+                REDIRECT_URL=getenv(f"{prefix}_REDIRECT_URL", None),
             )
             values["OAUTH_CLIENTS_CONFIG"].append(oauth_client_config)
         return values