use oauth lib for oidc

let the lib do the work instead of building requests and urls
uses the well-known endpoint
fixes the urls only working on fief

Author: prmths128

carbonserver/carbonserver/api/routers/authenticate.py

@@ -2,6 +2,7 @@
 import logging
 import random
 from typing import Optional
+from authlib.integrations.starlette_client import OAuth, OAuthError
 
 import requests
 from dependency_injector.wiring import Provide, inject
@@ -83,8 +84,17 @@ async def get_login(
     if auth_provider is None:
         raise HTTPException(status_code=501, detail="Authentication not configured")
     login_url = request.url_for("login")
-
     if code:
+        try:
+            token = await auth_provider.client.authorize_access_token(request)
+        except OAuthError as error:
+            return "Error"
+        user = token.get('userinfo')
+        if user:
+            request.session['user'] = dict(user)
+        return RedirectResponse(url='/')
+
+        return
         client_id, client_secret = auth_provider.get_client_credentials()
         res = requests.post(
             auth_provider.get_token_endpoint(),
@@ -132,9 +142,8 @@ async def get_login(
             secure=True,
         )
         return response
+    return await auth_provider.get_authorize_url(request, str(login_url))
 
     state = str(int(random.random() * 1000))
     client_id, _ = auth_provider.get_client_credentials()
-    authorize_url = auth_provider.get_authorize_endpoint()
-    url = f"{authorize_url}?response_type=code&client_id={client_id}&redirect_uri={login_url}&scope={' '.join(OAUTH_SCOPES)}&state={state}"
-    return RedirectResponse(url=url)
+    return await auth_provider.client.authorize_redirect(request, str(login_url), scope=' '.join(OAUTH_SCOPES))

carbonserver/carbonserver/api/services/auth_providers/oidc_auth_provider.py

@@ -8,15 +8,83 @@
 import asyncio
 from typing import Any, Dict, List, Optional, Tuple
 from urllib.parse import urlencode
+from carbonserver.config import settings
 
 import httpx
-from fastapi_oidc import discovery
+from fastapi_oidc import discovery, get_auth
 from jose import jwt
 
 DEFAULT_SIGNATURE_CACHE_TTL = 3600  # seconds
-
+OAUTH_SCOPES = ["openid", "email", "profile"]
+
+from authlib.integrations.starlette_client import OAuth
+oauth = OAuth()
+oauth.register(
+    "client",
+    client_id=settings.oidc_client_id,
+    client_secret=settings.oidc_client_secret,
+    server_metadata_url=settings.oidc_well_known_url,
+    client_kwargs={"scope": "openid profile email"},
+)
 
 class OIDCAuthProvider:
+    def __init__(
+        self,
+        base_url: str,
+        client_id: str,
+        client_secret: str,
+        *,
+        signature_cache_ttl: int = DEFAULT_SIGNATURE_CACHE_TTL,
+        openid_configuration: Optional[Dict[str, Any]] = None,
+    ):
+        self.client = oauth._clients["client"]
+
+    async def get_authorize_url(self, request, login_url):
+        return self.client.authorize_redirect(request, str(login_url), scope=' '.join(OAUTH_SCOPES))
+
+    def get_client_credentials(self) -> Tuple[str, str]:
+        return (self.client.client_id, self.client.client_secret)
+
+    def validate_access_token(self, token):
+        ...
+
+
+
+    # async def get_authorize_url(self, redirect_uri: str, **kwargs) -> str:
+    #     return (await self.client.create_authorization_url(redirect_uri=redirect_uri, **kwargs))["url"]
+
+    # def get_token_endpoint(self) -> str:
+    #     if (
+    #         self._openid_configuration
+    #         and "token_endpoint" in self._openid_configuration
+    #     ):
+    #         return self._openid_configuration["token_endpoint"]
+    #     return f"{self.base_url}/api/token"
+
+    # def get_authorize_endpoint(self) -> str:
+    #     """
+    #     Get the authorization endpoint URL.
+
+    #     Returns:
+    #         The authorization endpoint URL
+    #     """
+    #     if (
+    #         self._openid_configuration
+    #         and "authorization_endpoint" in self._openid_configuration
+    #     ):
+    #         return self._openid_configuration["authorization_endpoint"]
+    #     return f"{self.base_url}/authorize"
+
+
+
+
+
+"""
+['OAUTH_APP_CONFIG', '__class__', '__delattr__', '__dict__', '__dir__', '__doc__', '__eq__', '__format__', '__ge__', '__getattribute__', '__getstate__', '__gt__', '__hash__', '__init__', '__init_subclass__', '__le__', '__lt__', '__module__', '__ne__', '__new__', '__reduce__', '__reduce_ex__', '__repr__', '__setattr__', '__sizeof__', '__str__', '__subclasshook__', '__weakref__', '_create_oauth2_authorization_url', '_fetch_token', '_format_state_params', '_get_oauth_client', '_on_update_token', '_server_metadata_url', '_update_token', '_user_agent', 'access_token_params', 'access_token_url', 'api_base_url', 'authorize_access_token', 'authorize_params', 'authorize_redirect', 'authorize_url', 'client_auth_methods', 'client_cls', 'client_id', 'client_kwargs', 'client_secret', 'compliance_fix', 'create_authorization_url', 'delete', 'fetch_access_token', 'fetch_jwk_set', 'framework', 'get', 'load_server_metadata', 'name', 'parse_id_token', 'patch', 'post', 'put', 'request', 'save_authorize_data', 'server_metadata', 'userinfo']
+
+"""
+
+class OffOIDCAuthProvider:
     """
     Generic OIDC authentication provider implementation.
 
@@ -185,39 +253,44 @@ async def get_user_info(self, access_token: str) -> Dict[str, Any]:
             response.raise_for_status()
             return response.json()
 
-    def get_token_endpoint(self) -> str:
-        """
-        Get the token endpoint URL.
+    # def get_token_endpoint(self) -> str:
+    #     """
+    #     Get the token endpoint URL.
 
-        Returns:
-            The token endpoint URL
-        """
-        if (
-            self._openid_configuration
-            and "token_endpoint" in self._openid_configuration
-        ):
-            return self._openid_configuration["token_endpoint"]
-        return f"{self.base_url}/api/token"
-
-    def get_authorize_endpoint(self) -> str:
-        """
-        Get the authorization endpoint URL.
+    #     Returns:
+    #         The token endpoint URL
+    #     """
+    #     if (
+    #         self._openid_configuration
+    #         and "token_endpoint" in self._openid_configuration
+    #     ):
+    #         return self._openid_configuration["token_endpoint"]
+    #     return f"{self.base_url}/api/token"
 
-        Returns:
-            The authorization endpoint URL
-        """
-        if (
-            self._openid_configuration
-            and "authorization_endpoint" in self._openid_configuration
-        ):
-            return self._openid_configuration["authorization_endpoint"]
-        return f"{self.base_url}/authorize"
+    # def get_authorize_endpoint(self) -> str:
+    #     """
+    #     Get the authorization endpoint URL.
 
-    def get_client_credentials(self) -> Tuple[str, str]:
-        """
-        Get the client ID and client secret.
+    #     Returns:
+    #         The authorization endpoint URL
+    #     """
+    #     if (
+    #         self._openid_configuration
+    #         and "authorization_endpoint" in self._openid_configuration
+    #     ):
+    #         return self._openid_configuration["authorization_endpoint"]
+    #     return f"{self.base_url}/authorize"
 
-        Returns:
-            A tuple of (client_id, client_secret)
-        """
-        return (self.client_id, self.client_secret)
+
+
+
+
+
+    # def get_client_credentials(self) -> Tuple[str, str]:
+    #     """
+    #     Get the client ID and client secret.
+
+    #     Returns:
+    #         A tuple of (client_id, client_secret)
+    #     """
+    #     return (self.client_id, self.client_secret)

carbonserver/carbonserver/config.py

@@ -15,6 +15,7 @@ class Settings(BaseSettings):
     oidc_client_id: str = ""
     oidc_client_secret: str = ""
     oidc_issuer_url: str = "https://auth.codecarbon.io/codecarbon-dev"
+    oidc_well_known_url: str = ""
 
     # Deprecated: Old Fief-specific settings (use OIDC settings instead)
     @property
@@ -43,6 +44,7 @@ class Config:
             "oidc_client_id": {"env": ["OIDC_CLIENT_ID", "FIEF_CLIENT_ID"]},
             "oidc_client_secret": {"env": ["OIDC_CLIENT_SECRET", "FIEF_CLIENT_SECRET"]},
             "oidc_issuer_url": {"env": ["OIDC_ISSUER_URL", "FIEF_URL"]},
+            "oidc_well_known_url": {"env": ["OIDC_WELL_KNOWN_URL", "FIEF_URL"+"/.well-known/openid-configuration"]},
         }
 
 

carbonserver/main.py

@@ -25,6 +25,7 @@
 from carbonserver.container import ServerContainer
 from carbonserver.database.database import engine
 from carbonserver.logger import logger
+from starlette.middleware.sessions import SessionMiddleware
 
 
 async def db_exception_handler(request: Request, exc: DBException):
@@ -54,6 +55,7 @@ def create_app() -> FastAPI:
     server.add_exception_handler(DBException, db_exception_handler)
     server.add_exception_handler(ValidationError, validation_exception_handler)
     server.add_exception_handler(Exception, generic_exception_handler)
+    server.add_middleware(SessionMiddleware, secret_key="some-random-string")
 
     return server
 

carbonserver/pyproject.toml

@@ -40,6 +40,8 @@ dependencies = [
     "PyJWT",
     "logfire[fastapi]>=1.0.1",
     "fastapi-oidc>=0.0.9",
+    "authlib>=1.6.6",
+    "itsdangerous>=2.2.0",
 ]
 
 [project.urls]