
feat(auth): add support for oauth2 with openid connect discovery #4618

Merged (29 commits), Sep 20, 2024

Conversation

axiomofjoy (Contributor) commented Sep 15, 2024

Adds initial support for OAuth2 identity providers that support the OpenID Connect Discovery standard. From the standard:

> OpenID Providers supporting Discovery MUST make a JSON document available at the path formed by concatenating the string /.well-known/openid-configuration to the Issuer. The syntax and semantics of .well-known are defined in [RFC 5785](https://openid.net/specs/openid-connect-discovery-1_0.html#RFC5785) [RFC5785] and apply to the Issuer value when it contains no path component. openid-configuration MUST point to a JSON document compliant with this specification and MUST be returned using the application/json content type. The openid-configuration endpoint SHOULD support the use of [Cross-Origin Resource Sharing (CORS)](https://openid.net/specs/openid-connect-discovery-1_0.html#CORS) [CORS] and/or other methods as appropriate to enable JavaScript Clients and other Browser-Based Clients to access it.

This means that we can use environment variables to point Phoenix to the configuration at /.well-known/openid-configuration in order to know authorization server metadata such as the authorize and access token URLs.

The environment variables currently required are:

  • PHOENIX_OAUTH2_<idp>_CLIENT_ID
  • PHOENIX_OAUTH2_<idp>_CLIENT_SECRET
  • PHOENIX_OAUTH2_<idp>_SERVER_METADATA_URL

For the following IDPs, we provide logos on the login page:

  • GOOGLE
  • MICROSOFT_ENTRA_ID (previously known as Azure Active Directory)
  • AWS_COGNITO

As a follow-up, we can add IDP-specific environment variables to help construct the server metadata URL (e.g., using a tenant ID for Microsoft Entra ID).

resolves #4649
resolves #4653
resolves #4657
resolves #4654
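Added example (not part of this PR or of Phoenix's own code): reading the three PHOENIX_OAUTH2_<idp>_* variables described above, deriving the expected issuer from SERVER_METADATA_URL as the quoted standard defines it (issuer + /.well-known/openid-configuration), and validating the discovery document before trusting the authorize, token and JWKS endpoints it names. The EXAMPLE provider name, the idp.example.test URLs, the placeholder credentials and the function names are constructed assumptions.

```python
import json
import os
from urllib.parse import urlparse

WELL_KNOWN = "/.well-known/openid-configuration"

def load_idp_settings(idp, env=os.environ):
    # Read PHOENIX_OAUTH2_<idp>_* and derive the issuer the metadata must claim.
    prefix = f"PHOENIX_OAUTH2_{idp.upper()}_"
    settings = {}
    for suffix in ("CLIENT_ID", "CLIENT_SECRET", "SERVER_METADATA_URL"):
        if not env.get(prefix + suffix):
            raise KeyError(f"{prefix}{suffix} is not set")
        settings[suffix.lower()] = env[prefix + suffix]
    url = settings["server_metadata_url"]
    if urlparse(url).scheme != "https" or not url.endswith(WELL_KNOWN):
        raise ValueError(f"{prefix}SERVER_METADATA_URL must be https and end in {WELL_KNOWN}")
    settings["issuer"] = url[: -len(WELL_KNOWN)]  # Discovery 4.1: URL = issuer + WELL_KNOWN
    return settings

def parse_discovery(raw, expected_issuer):
    # Validate a discovery document before trusting the endpoints it names.
    doc = json.loads(raw)
    # Discovery 4.3: the document's issuer must equal the one the URL was built from.
    if doc.get("issuer") != expected_issuer:
        raise ValueError(f"issuer mismatch: {doc.get('issuer')!r} != {expected_issuer!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if not isinstance(doc.get(key), str) or urlparse(doc[key]).scheme != "https":
            raise ValueError(f"{key} missing or not https")
    if "code" not in doc.get("response_types_supported", []):
        raise ValueError("provider does not offer the authorization code flow")
    return {
        "authorization_endpoint": doc["authorization_endpoint"],
        "token_endpoint": doc["token_endpoint"],
        "jwks_uri": doc["jwks_uri"],
        "pkce_s256": "S256" in doc.get("code_challenge_methods_supported", []),
    }

# Constructed sample inputs (placeholder values, not a real deployment).
SAMPLE_ENV = {
    "PHOENIX_OAUTH2_EXAMPLE_CLIENT_ID": "client-id-placeholder",
    "PHOENIX_OAUTH2_EXAMPLE_CLIENT_SECRET": "client-secret-placeholder",
    "PHOENIX_OAUTH2_EXAMPLE_SERVER_METADATA_URL": "https://idp.example.test/v1" + WELL_KNOWN,
}
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.test/v1",
    "authorization_endpoint": "https://idp.example.test/v1/authorize",
    "token_endpoint": "https://idp.example.test/v1/token",
    "jwks_uri": "https://idp.example.test/v1/keys",
    "response_types_supported": ["code"],
    "code_challenge_methods_supported": ["S256"],
})
```

In a real deployment the document is fetched over HTTPS from the metadata URL; the issuer comparison is what stops a document served from one host from redirecting the client to another provider's token endpoint.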

@axiomofjoy axiomofjoy changed the base branch from main to auth September 15, 2024 07:30
@axiomofjoy axiomofjoy force-pushed the xander/oauth branch 2 times, most recently from 98b3b7e to 5edbf5e September 15, 2024 20:04
@axiomofjoy axiomofjoy changed the title feat(auth): support oauth feat(auth): add support for oauth2 with openid connect discovery Sep 18, 2024
@axiomofjoy axiomofjoy marked this pull request as ready for review September 18, 2024 01:24
@dosubot dosubot bot added the size:XL This PR changes 500-999 lines, ignoring generated files. label Sep 18, 2024
@dosubot dosubot bot added size:XXL This PR changes 1000+ lines, ignoring generated files. and removed size:XL This PR changes 500-999 lines, ignoring generated files. labels Sep 19, 2024
@axiomofjoy axiomofjoy merged commit 4a101c7 into auth Sep 20, 2024
17 checks passed
@axiomofjoy axiomofjoy deleted the xander/oauth branch September 20, 2024 02:29
RogerHYang pushed a commit that referenced this pull request Sep 21, 2024