Improve OAuth integration

frascuchon commented 8 months ago

Some improvement points:

Linking OAuth user and argilla user in a better way (using a new table to map users)
Take a look into the authlib package (:warning: this package is using session middleware and maybe we don't want it in our server)
Define oauth callback redirect to API endpoint /api/v1/oauth2/:provider/callback which tackles step after oauth login. The final step can be redirect to the frontend uri

dosubot[bot] commented 8 months ago

🤖

Hey there @frascuchon! 😃 Great to see you back stirring up some magic in the Argilla cauldron! How's everything going on your end?

To enhance the OAuth integration in Argilla by better linking OAuth users and Argilla users, a new mapping table can be created. This table can store the relationship between the OAuth provider's user ID and the Argilla user ID.

Here's an example of how you can use SQLAlchemy to create a new model for this table:

from sqlalchemy import Column, Integer, String, ForeignKey
from sqlalchemy.orm import relationship
from argilla.server.database import Base

class OAuthUser(Base):
    __tablename__ = "oauth_users"

    id = Column(Integer, primary_key=True, index=True)
    provider = Column(String, index=True)
    provider_user_id = Column(String, index=True)
    argilla_user_id = Column(Integer, ForeignKey("users.id"))

    user = relationship("User", back_populates="oauth_users")

In the User model, you can add a relationship to the OAuthUser:

from sqlalchemy.orm import relationship

class User(Base):
    # existing fields...

    oauth_users = relationship("OAuthUser", back_populates="user")

Then, in the get_access_token function, you can create a new OAuthUser when a user logs in via OAuth for the first time:

oauth_user = await accounts.get_oauth_user_by_provider_and_provider_user_id(db, provider.name, user_info.id)
if oauth_user is None:
    await accounts.create_oauth_user(
        db,
        provider_name=provider.name,
        provider_user_id=user_info.id,
        argilla_user_id=user.id,
    )

Regarding the authlib package, it's a great library for OAuth but it does use session middleware. If you don't want to use sessions on your server, you can use the authlib package for the OAuth flow but avoid using its session middleware. Instead, you can use JWTs or another stateless authentication method to keep track of logged-in users.

Please note that you'll need to implement the get_oauth_user_by_provider_and_provider_user_id and create_oauth_user functions in the accounts module.

Currently, the method of linking OAuth users and Argilla users in the Argilla codebase is based on the user's role at the time of creation. This is done in the _is_user_created_by_oauth_provider function, which checks if the user's role is equal to _USER_ROLE_ON_CREATION (which is set to UserRole.annotator). If the user's role matches this, it is assumed that the user was created by the OAuth provider. However, this is a temporary solution and the developers plan to link the created user with the provider in the future.

I hope this helps! If you have any further questions, feel free to ask.

Best, Dosu

Sources

src/argilla/server/apis/v1/handlers/oauth2.py

This response is meant to be useful and save you time. It is not meant to be a precise solution, but rather a starting point for your own research.

Help me be more useful! Please leave a 👍 if this is helpful and 👎 if it is irrelevant.

If you want to continue the conversation, start your reply with @dosu-bot.

github-actions[bot] commented 5 months ago

This issue is stale because it has been open for 90 days with no activity.

github-actions[bot] commented 4 months ago

This issue was closed because it has been inactive for 30 days since being marked as stale.

argilla-io / argilla

Improve OAuth integration #4559

Sources