use oauth lib for oidc

prmths128 · prmths128 · commit 8fb9c7938aa6 · 2026-02-15T17:44:47.000+01:00
let the lib do the work instead of building requests and urls
uses the well-known endpoint
fixes the urls only working on fief
diff --git a/carbonserver/carbonserver/api/routers/authenticate.py b/carbonserver/carbonserver/api/routers/authenticate.py
@@ -3,6 +3,7 @@
 import logging
 import random
 from typing import Optional
+from authlib.integrations.starlette_client import OAuth, OAuthError
 
 from authlib.integrations.starlette_client import OAuthError
 from dependency_injector.wiring import Provide, inject
diff --git a/carbonserver/carbonserver/api/services/auth_providers/oidc_auth_provider.py b/carbonserver/carbonserver/api/services/auth_providers/oidc_auth_provider.py
@@ -8,12 +8,18 @@
 from typing import Any, Dict, Optional, Tuple
 
 from authlib.integrations.starlette_client import OAuth
+from authlib.jose import JsonWebKey
+from authlib.jose import jwt as jose_jwt
+from fief_client import FiefAsync
 
 from carbonserver.config import settings
 
 DEFAULT_SIGNATURE_CACHE_TTL = 3600  # seconds
 OAUTH_SCOPES = ["openid", "email", "profile"]
 
+fief = FiefAsync(
+    settings.fief_url, settings.fief_client_id, settings.fief_client_secret
+)
 
 oauth = OAuth()
 oauth.register(
@@ -44,3 +50,20 @@ async def get_authorize_url(self, request, login_url):
 
     def get_client_credentials(self) -> Tuple[str, str]:
         return (self.client.client_id, self.client.client_secret)
+
+    async def _decode_token(self, token: str) -> Dict[str, Any]:
+        try:
+            access_token_info = await fief.validate_access_token(token)
+            return access_token_info
+        except Exception:
+            ...
+
+        jwks_data = await self.client.fetch_jwk_set()
+        keyset = JsonWebKey.import_key_set(jwks_data)
+        claims = jose_jwt.decode(token, keyset)
+        claims.validate()
+        return dict(claims)
+
+    async def validate_access_token(self, token: str) -> bool:
+        await self._decode_token(token)
+        return True
diff --git a/carbonserver/main.py b/carbonserver/main.py
@@ -25,6 +25,7 @@
 from carbonserver.container import ServerContainer
 from carbonserver.database.database import engine
 from carbonserver.logger import logger
+from starlette.middleware.sessions import SessionMiddleware
 
 
 async def db_exception_handler(request: Request, exc: DBException):
