lepture / authlib

The ultimate Python library in building OAuth, OpenID Connect clients and servers. JWS,JWE,JWK,JWA,JWT included.
https://authlib.org/
BSD 3-Clause "New" or "Revised" License

Documentation for FastAPI/Starlette for Oauth2 is incorrect/misleading/confusing? #611

Open ldorigo opened 9 months ago

ldorigo commented 9 months ago

Describe the bug

The documentation for the FastAPI/starlette clients for Oauth2 is unclear. In Starlette, it says that it's not necessary to use SessionMiddleware for OAuth2, yet in FastAPI (which uses the exact same client), it seems to say that it is necessary? Indeed, if I don't include the middleware, I get an error saying that "SessionMiddleware must be installed to access request.session"?

This was supposedly fixed in https://github.com/lepture/authlib/issues/425 (commit https://github.com/lepture/authlib/commit/1089d5441c8e780a5165ca859b289fc8485ec5eb ), but that doesn't work: framework.cache is None in my case, and the docs don't say anywhere where/how to initialize it?

Note that adding the SessionMiddleware doesn't work either, although that seems to be a separate bug. Happy to expand if necessary.

Code

from fastapi import FastAPI, Request
from fastapi.responses import RedirectResponse
from starlette.middleware.sessions import SessionMiddleware
from authlib.integrations.starlette_client import OAuth

CANVAS_CLIENT_ID = "xxx"
CANVAS_CLIENT_SECRET = "xxx"

app = FastAPI()  # app setup was omitted from the report; added so the snippet runs

oauth = OAuth()

oauth.register(
    name="canvas",
    client_id=CANVAS_CLIENT_ID,
    client_secret=CANVAS_CLIENT_SECRET,
    access_token_url="xxx",
    access_token_params=None,
    authorize_url="xxx",
    authorize_params=None,
    api_base_url="xxx",
    client_kwargs={
        "force_login": 1,  # Custom parameter
    },
)

# app.add_middleware(SessionMiddleware, secret_key="some-random-string")  # Shouldn't be necessary, also fails if uncommented


@app.get("/login/canvas")
async def login_via_canvas(request: Request) -> RedirectResponse:
    canvas = oauth.create_client("canvas")
    redirect_uri = "http://localhost:xxx/auth/canvas"
    # Stores the OAuth2 state for the callback, then redirects to the provider
    return await canvas.authorize_redirect(request, redirect_uri)


@app.get("/auth/canvas")
async def authorize_canvas(request: Request) -> RedirectResponse:
    canvas = oauth.create_client("canvas")
    # do something with the token and userinfo
    # Just go back to the homepage for now
    token = await canvas.authorize_access_token(request)
    user = token["userinfo"]
    print(token)
    return RedirectResponse(url="http://localhost:3018")

Environment:

ftapajos commented 9 months ago

I'm a bit confused... The error is shown even when you add the middleware? By what you've shown, your code is not setting the framework cache, as it should have been done in oauth creation. Do you intend to use the cache or the session approach?

ldorigo commented 9 months ago

I'm confused too, that's the point :-) The docs aren't clear.

That error is not shown when I add the middleware. I used to have an entirely different error; however, it disappeared now and I'm not sure why. I don't think I changed anything; maybe it was related to the browser's cache.

But according to the docs, it's not necessary to use session middleware with Starlette for OAuth2, which doesn't appear to be true?

ftapajos commented 9 months ago

Yeah, I guess the docs are misleading or incomplete. You must either use the starlette session middleware or set up the cache service (which is only described in flask configuration for some reason)
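To make concrete what the session middleware or the cache is providing in this thread, here is an added example (not Authlib's code and not from either participant): the OAuth2 `state` minted before the redirect has to survive until the callback request, so it must live somewhere server-side. The in-memory cache below, the `get`/`set`/`delete` shape, and the `_state_canvas_` key prefix are assumptions; check them against the Authlib version you run before passing such an object as `OAuth(cache=...)`.

```python
import asyncio
import json
import secrets
import time


class MemoryStateCache:
    """Minimal async cache with per-key expiry (assumed Authlib-style
    get/set/delete interface; verify against your installed version)."""

    def __init__(self):
        self._store = {}  # key -> (expires_at, value)

    async def get(self, key):
        item = self._store.get(key)
        if item is None:
            return None
        expires_at, value = item
        if time.monotonic() >= expires_at:  # expired entries read as absent
            self._store.pop(key, None)
            return None
        return value

    async def set(self, key, value, expires=None):
        ttl = 600 if expires is None else expires
        self._store[key] = (time.monotonic() + ttl, value)

    async def delete(self, key):
        self._store.pop(key, None)


async def start_login(cache, redirect_uri):
    """Mimics the redirect step: mint a state and park the callback data."""
    state = secrets.token_urlsafe(32)
    payload = json.dumps({"redirect_uri": redirect_uri})
    await cache.set(f"_state_canvas_{state}", payload, 600)  # key format assumed
    return state


async def finish_login(cache, state):
    """Mimics the callback step: accept only a state we issued, and only once."""
    key = f"_state_canvas_{state}"
    raw = await cache.get(key)
    if raw is None:
        raise ValueError("mismatching or expired state")
    await cache.delete(key)  # single use, so a replayed callback is rejected
    return json.loads(raw)


def run_demo():
    """Happy path, replayed state, and forged state; constructed inputs only."""
    async def scenario():
        cache = MemoryStateCache()
        state = await start_login(cache, "http://localhost:8000/auth/canvas")
        outcomes = {"first": (await finish_login(cache, state))["redirect_uri"]}
        for label, candidate in (("replay", state), ("forged", "not-a-state")):
            try:
                await finish_login(cache, candidate)
                outcomes[label] = "accepted"
            except ValueError:
                outcomes[label] = "rejected"
        return outcomes
    return asyncio.run(scenario())
```

Without a shared store of this kind (session cookie or cache), the callback handler has nothing to compare the incoming `state` against, which is the gap the middleware error is pointing at.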