Chainlit / chainlit

Build Conversational AI in minutes ⚡️
https://docs.chainlit.io
Apache License 2.0

State set by Chainlit before call to auth provider is not base64 encoded #972

Open ankitgupta-ag opened 1 month ago

ankitgupta-ag commented 1 month ago

Describe the bug

AWS Cognito requires that calls to the /oauth2/authorize endpoint have the state parameter base64 encoded: https://docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html#get-authorize

Chainlit however simply creates a 32 character state randomly without encoding the string to base64. https://github.com/Chainlit/chainlit/blob/main/backend/chainlit/server.py#L370

This issue occurs randomly whenever the 32 character state has characters not typically found in a base64 string (like $,%,^).

To Reproduce

Steps to reproduce the behavior:

  1. Go to an endpoint running Chainlit with auth providers configured. I tested this with AWS Cognito.
  2. Start inspecting the network calls on the browser.
  3. Try to login through Cognito. Continue with the authorization flow.
  4. Observe the calls made to /oauth2/authorize.
  5. Check the state parameter set in the location header in the response received from the Chainlit application.
  6. If the state parameter has special characters, observe the 400 bad request error code from calls to the Cognito domain.
  7. Retry steps 1-6 above and expect the calls to /oauth2/authorize to succeed when the state parameter no longer has special characters.

Expected behavior

The expectation is that Chainlit encodes the string to base64 before setting it as the state and calling the configured auth providers.

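An added illustration of the mismatch the issue describes and of the encoding it asks for; this is example code, not Chainlit's server.py or secret.py. RAW_STATE_CHARS is a constructed stand-in for a charset that contains punctuation outside the base64 alphabet, and encode_state uses the URL-safe base64 alphabet (RFC 4648 section 5) so the value survives being placed in a query string without + or / being mangled.

```python
import base64
import re
import secrets
import string

# Constructed stand-in for the kind of charset the issue describes: letters,
# digits, plus punctuation such as $ % ^ that is not valid in base64.
RAW_STATE_CHARS = string.ascii_letters + string.digits + "$%^"

# Characters allowed in a URL-safe base64 string (RFC 4648 section 5),
# with optional '=' padding at the end.
_B64URL_RE = re.compile(r"^[A-Za-z0-9_-]+={0,2}$")


def random_raw_state(length: int = 32) -> str:
    """Random state drawn from RAW_STATE_CHARS, mirroring the unencoded
    32-character state the issue reports (hypothetical, not Chainlit's code)."""
    return "".join(secrets.choice(RAW_STATE_CHARS) for _ in range(length))


def encode_state(raw: str) -> str:
    """Base64-encode the state before it goes into the /oauth2/authorize
    redirect, which is the behaviour the issue asks for."""
    return base64.urlsafe_b64encode(raw.encode("utf-8")).decode("ascii")


def decode_state(encoded: str) -> str:
    """Reverse of encode_state, for the callback that compares the state
    returned by the provider with the one stored for the session."""
    return base64.urlsafe_b64decode(encoded.encode("ascii")).decode("utf-8")


def is_base64_state(state: str) -> bool:
    """Pre-flight check for a test suite: True only if the state contains
    nothing outside the URL-safe base64 alphabet."""
    return bool(_B64URL_RE.match(state))


if __name__ == "__main__":
    raw = random_raw_state()
    print("raw    ", raw, "base64-safe:", is_base64_state(raw))
    enc = encode_state(raw)
    print("encoded", enc, "base64-safe:", is_base64_state(enc))
    assert decode_state(enc) == raw
```

Run the script a few times: the raw value fails the check whenever it contains $, % or ^ (the intermittent 400 in the report), while the encoded value always passes.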

aniruddha-adhikary commented 1 month ago

This has affected and prevented us from using AWS Cognito.

https://github.com/Chainlit/chainlit/blob/main/backend/chainlit/secret.py#L5

The ^ character is not accepted by AWS Cognito in a value to the state during /oauth2/authorize. We monkey-patched the issue for now by including this in our chainlit app.

from chainlit import secret

# We have to do this because, `^` in the OAuth /authorize step
# trips up AWS Cognito. So we are monkey-patching out this
# character.
# FIXME: Remove this monkeypatch once chainlit fixes it
secret.chars = secret.chars.replace("^", "")

Looking forward to a long-term fix!