fastapi-opa's People

Contributors: busykoala, dependabot[bot], diamondjoseph, morestanna, tracywr
fastapi-opa's Issues

fix OIDC well known endpoint and allow config without well known

Describe the bug
The pattern used to get the well_known endpoint (well_known_pattern = "{}/auth/realms/{}/.well-known/openid-configuration") is keycloak specific and can differ from oidc broker to the other. It should therefore be configurable as a complete string instead.

Also allow a config without providing the well known endpoint.

❗ This also requires to update the README and the wiki!

Add tests & setup pipeline

The current implementation needs extensive testing especially for the oidc flow and the requests to opa.

Also a pipeline would be nice. Parts should be:

  • Linting/Formatting (flake8, isort, black)
  • Unittesting (pytest)
  • Dependency check (bandit)

OIDC redirect URL has wrong scheme when behind Ingress that terminates SSL

Describe the bug
In a Kubernetes environment, with the SSL connection terminated at the ingress and with a FastAPI app behind, request.url.scheme as retrieved by the OIDC authentication is http.
When using an OIDC client-id that is valid for "https://", the OIDC provider does not allow the login to progress as the redirect uri does not match the Callback URL regex for the client-id.

I think the redirect uri could use the x-forwarded-proto header, if provided, in place of request.url.scheme, but I do not know enough about web routing to know if this is the correct solution.

To Reproduce
Steps to reproduce the behavior:

  1. Configure a Kubernetes cluster with the Nginx Ingress Controller and SSL termination
  2. Configure an OIDC provider with a client-id with a redirect regex of "https://../*"
  3. Deploy FastAPI with the fastapi-opa middleware and the oidc authentication method configured.
  4. Access your https://..
  5. Your OIDC provider will return a 401 at https://<OIDC_Provider>/?response_type=code&scope=openid&client_id=&redirect_uri=http://..

Expected behavior
5. Your OIDC provider serves its login page at https://<OIDC_Provider>/?response_type=code&scope=openid&client_id=&redirect_uri=https://..
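The report above is the classic TLS-termination problem: the app only ever sees plain HTTP from the ingress, so anything built from request.url.scheme is wrong. The added example below (mine, not fastapi-opa's code) shows how to derive the external scheme and host for a redirect_uri from X-Forwarded-Proto / X-Forwarded-Host, and the check a practitioner wants with it: the forwarded headers are only honoured when the connection came from a trusted proxy network, because any client can send them. The scope layout follows the ASGI spec; the function names, the trusted network list and the sample scopes are assumptions made for this example.

```python
# Added example, not fastapi-opa code: compute the externally visible base URL
# for an OIDC redirect_uri behind a TLS-terminating ingress.
from ipaddress import ip_address, ip_network
from typing import Any, Dict, Mapping, Sequence

TrustedNets = Sequence[str]  # CIDR strings, e.g. ["10.0.0.0/8"] (assumed config shape)


def _headers(scope: Mapping[str, Any]) -> Dict[str, str]:
    # ASGI carries headers as (bytes, bytes) pairs with lowercase names.
    return {k.decode("latin-1"): v.decode("latin-1") for k, v in scope.get("headers", [])}


def _from_trusted_proxy(scope: Mapping[str, Any], trusted: TrustedNets) -> bool:
    # scope["client"] is (host, port); it may be None for unix sockets or a
    # hostname in odd setups, both of which we treat as untrusted.
    client = scope.get("client")
    if not client:
        return False
    try:
        addr = ip_address(client[0])
    except ValueError:
        return False
    return any(addr in ip_network(net) for net in trusted)


def external_base_url(scope: Mapping[str, Any], trusted_proxies: TrustedNets) -> str:
    scheme = scope.get("scheme", "http")
    headers = _headers(scope)
    host = headers.get("host", "")
    if _from_trusted_proxy(scope, trusted_proxies):
        # With chained proxies the header is a comma-separated list; the first
        # element is the one written by the outermost hop.
        proto = headers.get("x-forwarded-proto", "").split(",")[0].strip().lower()
        if proto in ("http", "https"):  # ignore anything else, e.g. garbage a client injected
            scheme = proto
        fwd_host = headers.get("x-forwarded-host", "").split(",")[0].strip()
        if fwd_host:
            host = fwd_host
    return f"{scheme}://{host}"


def redirect_uri(scope: Mapping[str, Any], trusted_proxies: TrustedNets, path: str = "/") -> str:
    # The value that goes into the authorization request; must match the
    # callback URL registered at the IdP, hence the scheme has to be right.
    return external_base_url(scope, trusted_proxies) + path


def make_scope(client_ip: str, headers: Dict[str, str], scheme: str = "http") -> Dict[str, Any]:
    # Constructed sample scope, as an ingress -> uvicorn hop would produce it.
    return {
        "type": "http",
        "scheme": scheme,
        "client": (client_ip, 54321),
        "headers": [(k.lower().encode("latin-1"), v.encode("latin-1")) for k, v in headers.items()],
    }
```

In a real deployment the same effect is usually reached without application code: uvicorn's `--proxy-headers` together with `--forwarded-allow-ips` rewrites scope["scheme"] from X-Forwarded-Proto for connections from the listed addresses, after which request.url.scheme is already https. Either way the trust boundary matters; honouring the header from arbitrary clients lets anyone steer the redirect_uri.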

importlib-metadata >= 5.0

Can importlib-metadata be bumped to >= 5.0? I am also not seeing its use in this library but maybe it can be removed?

Integrate a documentation linter to improve readability

Is your feature request related to a problem? Please describe.
The documentation is crucial to the users of this package. It is important to continuously work on the documentation and make it as readable as possible.

Describe the solution you'd like
One way to improve upon the documentation is to follow some guidelines.
Vale provides some great templates to integrate with widely used guidelines and check them for documentation files.

Describe alternatives you've considered
There are many other solutions on the market while Vale addresses and combines some of the most important topics (general guidelines, naive linting, readability, sexism, etc.).

Implement injectable enrichment.

Additional enrichment should be possible by injecting more attributes into the opa client.

The injectable should accept the Scope as an argument (starlette.types.Scope) and return a jsonifyable obj.

from starlette.types import Scope

def injectable(x: Scope):
    # Return any JSON-serializable value derived from the ASGI scope.
    return "my fancy attr value"

new_attribute = {"attr-name": injectable}
injectables = [new_attribute, ]

# proposed interface: injectables as an optional extra argument
OPAConfig(auth, host, injectables)

Injectables need to be optional in order not to break the previous interface, only going with the default otherwise.

An interface should be provided for injectables.
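To make the proposal above concrete, here is an added example (mine, not the project's implementation) of the enrichment step: each injectable is called with the scope, its result is checked to be JSON-serializable, and the attributes are merged into the payload sent to OPA. It goes slightly beyond the issue by refusing to let an injectable overwrite an attribute the middleware already sets, and by failing fast on non-JSON values rather than producing a broken request to OPA. The attribute names `request_method`/`request_path`, the `Scope` stand-in type and the helper injectables are assumptions for this example.

```python
# Added example, not fastapi-opa code: optional injectables that enrich the OPA input.
import json
from typing import Any, Callable, Dict, List, Mapping, Optional

Scope = Mapping[str, Any]              # stand-in for starlette.types.Scope (assumed)
Injectable = Callable[[Scope], Any]    # takes the ASGI scope, returns a JSON-able value
InjectableMap = Dict[str, Injectable]  # {"attr-name": injectable}

RESERVED = {"request_method", "request_path"}  # assumed names set by the middleware itself


def base_opa_input(scope: Scope) -> Dict[str, Any]:
    # What is always sent, independent of enrichment (names are assumptions).
    return {"request_method": scope.get("method"), "request_path": scope.get("path")}


def build_opa_input(scope: Scope, injectables: Optional[List[InjectableMap]] = None) -> Dict[str, Any]:
    """Return the {"input": ...} document for OPA, enriched by the optional injectables."""
    payload = base_opa_input(scope)
    for mapping in injectables or []:   # None keeps the previous, enrichment-free behaviour
        for name, fn in mapping.items():
            if name in RESERVED or name in payload:
                # Silent overwrites would let a misconfigured injectable change the
                # attributes a policy relies on; refuse instead.
                raise ValueError(f"injectable would overwrite attribute {name!r}")
            value = fn(scope)
            json.dumps(value)             # raises TypeError on non-JSON-serializable values
            payload[name] = value
    return {"input": payload}


# Two small injectables a deployment might register (assumed, illustrative).
def client_ip(scope: Scope) -> Optional[str]:
    client = scope.get("client")
    return client[0] if client else None


def header_value(name: str) -> Injectable:
    """Build an injectable returning one request header (or None if absent)."""
    wanted = name.lower().encode("latin-1")

    def inject(scope: Scope) -> Optional[str]:
        for key, value in scope.get("headers", []):
            if key == wanted:
                return value.decode("latin-1")
        return None

    return inject
```

Values read from client-controlled headers (as `header_value` does) are fine to forward, but the Rego policy has to treat them as untrusted input; enrichment changes what OPA sees, not how trustworthy it is.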

Unable to load /docs and /redoc

Describe the bug
I tried to follow your example for OIDC + OPA and I'm unable to see the documentation. I suspect it is because fastapi-opa is causing a redirect instead of returning the openapi.json (see the log below). Maybe it is redirecting to login?

To Reproduce
Follow this guide https://github.com/busykoala/fastapi-opa/wiki#dev-setup and try to access /docs or /redoc

Expected behavior
Expected to be able to use /docs interactively and log in as in the fastapi examples, e.g. here https://fastapi.tiangolo.com/tutorial/security/simple-oauth2/

Screenshots

test-fastapi-keycloak_1  | INFO:     127.0.0.1:42760 - "GET /redoc?session_state=bb916ff5-4570-41c1-8bea-1a28b1ba767e&code=d2170d1c-feae-4150-8274-7273924d5347.bb916ff5-4570-41c1-8bea-1a28b1ba767e.f70a6f2b-5f7f-4ce0-8c47-e80b58c40fbc HTTP/1.1" 200 OK
test-fastapi-keycloak_1  | INFO:     127.0.0.1:42760 - "GET /openapi.json HTTP/1.1" 307 Temporary Redirect

Additional context
Possibly related, I'm not sure that we need to save anything as a query parameter. Here is an alternative implementation that I've used before for auth0 https://github.com/dorinclisu/fastapi-auth0 that does not modify the url. Maybe this is a limitation enforced by OPA though?

Document quick start

To get started with the tech stack it would be nice to document a minimal setup including OPA and Keycloak in a minimal app.

Possibly it will be easier to create a different project or utilize the wiki.

Add SAML authentication

It would be great to have a SAML auth handler as there is one for OIDC already.

The new auth flow also needs to be documented for the use with the package.

Make oidc flows jwks endpoint optional.

Describe the bug
If, instead of providing the well-known endpoint, each endpoint is provided, it will check whether all of them are provided and otherwise raises an exception. This check includes the jwks endpoint. If the algorithm used is HS256, though, it is not necessary to provide this endpoint (or it might not exist).

Expected behavior
Using the HS256 algorithm it should be possible to provide endpoints instead of the well-known but without providing the jwks endpoint.
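Two of the issues on this page concern the same piece of configuration: the well-known URL should be a complete, configurable string rather than a Keycloak-shaped pattern (issue "fix OIDC well known endpoint"), and when endpoints are given explicitly the jwks endpoint should only be required for algorithms that actually use the IdP's public keys (this issue). The added example below (my code, not fastapi-opa's) resolves the endpoints either way and then shows why HS256 needs no JWKS at all: the token is verified with the shared secret, using only the standard library. The `fetch` callable is injected so the block runs offline (in practice it would wrap something like `requests.get(url).json()`); the config keys, function names, secret and claims are assumptions made for this example.

```python
# Added example, not fastapi-opa code: OIDC endpoint resolution plus HS256 verification.
import base64
import hashlib
import hmac
import json
import time
from typing import Callable, Dict, Optional

# Algorithms whose signatures are checked with the IdP's public keys (needs jwks_uri).
ASYMMETRIC_ALGS = {"RS256", "RS384", "RS512", "ES256", "ES384", "ES512", "PS256", "PS384", "PS512"}
ENDPOINT_KEYS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri")


def resolve_oidc_endpoints(config: Dict[str, str], fetch: Callable[[str], Dict]) -> Dict[str, str]:
    """Return the endpoints the flow needs, from a full well-known URL or explicit keys."""
    alg = config.get("algorithm", "RS256")
    if config.get("well_known_endpoint"):
        # A whole URL: brokers other than Keycloak use other paths, so no pattern.
        doc = fetch(config["well_known_endpoint"])
        source = {k: doc.get(k) for k in ENDPOINT_KEYS}
    else:
        source = {k: config.get(k) for k in ENDPOINT_KEYS}
    required = [k for k in ENDPOINT_KEYS if k != "jwks_uri" or alg in ASYMMETRIC_ALGS]
    missing = [k for k in required if not source.get(k)]
    if missing:
        raise ValueError("missing OIDC endpoints: " + ", ".join(missing))
    return {k: v for k, v in source.items() if v}


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def hs256_sign(claims: Dict, secret: bytes) -> str:
    # Only here so the example can mint a token offline; the IdP does this in reality.
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def hs256_verify(token: str, secret: bytes, now: Optional[float] = None) -> Dict:
    """Verify an HS256 JWT with the shared secret; no JWKS lookup is involved."""
    try:
        h, b, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h))
    # Pin the algorithm from configuration; never let the token choose it, or
    # "alg": "none" and key-confusion tokens get through.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{b}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(b))
    if "exp" in claims and (now if now is not None else time.time()) >= claims["exp"]:
        raise ValueError("token expired")
    return claims
```

The flip side of "HS256 needs no JWKS" is that the app holds the same secret the IdP signs with, so anyone who reads the app's config can mint tokens; for anything beyond a single trusted service pair, an asymmetric algorithm with jwks_uri is the safer default.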

Fix black checks

Describe the bug
Master Branch is failing for code checks in python 3.9

To Reproduce
Master is failing for some python versions at code checks:

Run python -m poetry run flake8 .
Traceback (most recent call last):
  File "/home/runner/.cache/pypoetry/virtualenvs/fastapi-opa-QHUTUZvm-py3.9/bin/black", line 5, in <module>
    from black import patched_main
  File "/home/runner/.cache/pypoetry/virtualenvs/fastapi-opa-QHUTUZvm-py3.9/lib/python3.9/site-packages/black/__init__.py", line 52, in <module>
    from typed_ast import ast3, ast27
  File "/home/runner/.cache/pypoetry/virtualenvs/fastapi-opa-QHUTUZvm-py3.9/lib/python3.9/site-packages/typed_ast/ast3.py", line 40, in <module>
    from typed_ast import _ast3
ImportError: /home/runner/.cache/pypoetry/virtualenvs/fastapi-opa-QHUTUZvm-py3.9/lib/python3.9/site-packages/typed_ast/_ast3.cpython-39-x86_64-linux-gnu.so: undefined symbol: _PyUnicode_DecodeUnicodeEscape
Error: Process completed with exit code 1.

Add GraphQL analyzer

Is your feature request related to a problem? Please describe.
FastAPI can be used with a GraphQL endpoint. If this is the case it would be great if there was a way to retrieve information from the raw query to send a payload including that to OPA before it hits the endpoint.

Additional context
Relies on #11

Add Basic Authentication

Often an API also needs Basic Authentication for some endpoints.

Basic Auth requests come with the header:

Authorization: Basic ZGVtbzpwQDU1dzByZA==

where the string is the base64-encoded form of user:password.

The OPA request token should be enriched with the user and possibly the auth method.


It has to be seen if the authentication can be done by a third party service since the app should not be storing any user data but delegate authentication.

Improve requests error handling for OIDC auth

For now, the exceptions of the flow are handled quite reliably.

On the other hand, the requests (using the requests library) should be improved when it comes to error handling.
A failing request should immediately raise an OIDCAuth error and stop the authentication process in a cleaner way.
Additionally, the log output needs to be improved to show e.g. the request's route for easier debugging.

At the same time solving this issue the general logging concept should be overthought. Which logger is used, and what's the output channel?

Support fastapi >= 0.66

Is your feature request related to a problem? Please describe.
It would be comforting to know why later versions of fastapi do not work and if there's interest in supporting them. Otherwise it might feel safer to roll your own.

Describe the solution you'd like
Support for later versions or open issue on why fastapi >= 0.66 does not work

Describe alternatives you've considered
I think this repo looks to have the nicest solution and I am comparing with fastapi-oidc and modifying an example.

Add absolute url for asset to show diagram in pypi

Describe the bug

PyPI does not include/show relative assets. To make the description look pretty, including the flow diagram, the readme should include the link as an absolute URL to the image file on the GitHub master branch.

Allow more python versions

Is your feature request related to a problem? Please describe.
The pkg can't be used with python <3.9 but there should not really be a problem supporting these versions.

Describe the solution you'd like
Change the pyproject requirement file allowing smaller py versions.

SAML: Implement additional endpoints

So far the Assertion Consumer Service (acs) endpoint is implemented as well as the AuthNRequest to the IdP for all the other endpoints (similar to sso/sso2 endpoints).

Additionally, the middleware should also handle the Single Logout Service endpoint (sls). Also, the slo endpoint should be present.
Furthermore, there should be a /attrs/ endpoint for the user attributes and a /metadata/ endpoint for the metadata information.

The sls endpoint should be fairly easy to implement, while sessions become a requirement for the others.

Add Bearer(Token) Authentication

This is often used for microservice communication.

The schema looks like:

Authorization: Bearer <token>

The OPA request token should be enriched with the authentication method.


It has to be seen if the authentication can be delegated to a third party service so that tokens don't need to be stored within the app.
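Both the Basic Authentication issue above and this Bearer issue boil down to the same first step: parsing the Authorization header safely and deciding what of it reaches OPA. The added example below (mine, not fastapi-opa code) does that for both schemes, using the page's own header `Authorization: Basic ZGVtbzpwQDU1dzByZA==`: Basic credentials are base64-decoded with strict validation and split at the first colon (RFC 7617 allows colons in the password), Bearer tokens are checked against the token68 character set (RFC 6750), and the enrichment sent to OPA carries the user and auth method but never the password or token. The `AuthInfo` type, function names and attribute names are assumptions for this example; verifying the credential against a third party is left out, as the issues say it still has to be decided.

```python
# Added example, not fastapi-opa code: parse Basic/Bearer Authorization headers
# and derive the OPA enrichment attributes from them.
import base64
import binascii
import re
from dataclasses import dataclass
from typing import Dict, Optional

# token68 as used by RFC 6750 bearer tokens: base64/base64url-ish characters plus padding.
_TOKEN68 = re.compile(r"[A-Za-z0-9\-._~+/]+=*")


@dataclass(frozen=True)
class AuthInfo:
    method: str                        # "basic" or "bearer"
    user: Optional[str] = None         # only known for Basic
    credential: Optional[str] = None   # password or bearer token; must not reach OPA


def parse_authorization(header: Optional[str]) -> Optional[AuthInfo]:
    """Return AuthInfo for a Basic or Bearer header, None if absent, ValueError if malformed."""
    if not header or not header.strip():
        return None
    scheme, _, rest = header.strip().partition(" ")
    scheme, rest = scheme.lower(), rest.strip()
    if scheme == "basic":
        try:
            raw = base64.b64decode(rest, validate=True)   # reject non-alphabet characters
        except (binascii.Error, ValueError):
            raise ValueError("invalid Basic credentials encoding")
        try:
            text = raw.decode("utf-8")
        except UnicodeDecodeError:
            raise ValueError("Basic credentials are not valid UTF-8")
        user, sep, password = text.partition(":")     # split at the FIRST colon only
        if not sep or not user:
            raise ValueError("Basic credentials must be user:password")
        return AuthInfo("basic", user, password)
    if scheme == "bearer":
        if not _TOKEN68.fullmatch(rest):
            raise ValueError("invalid Bearer token")
        return AuthInfo("bearer", None, rest)
    raise ValueError(f"unsupported authorization scheme {scheme!r}")


def opa_enrichment(info: AuthInfo) -> Dict[str, str]:
    """Attributes added to the OPA request: method and user, deliberately no secret."""
    payload = {"auth_method": info.method}
    if info.user is not None:
        payload["user"] = info.user
    return payload
```

A parsed header is not an authenticated one: `AuthInfo.credential` still has to be verified (against the delegated service the issues mention, or the token's signature for Bearer) before `opa_enrichment` is trusted, and the comparison of a Basic password must use a constant-time compare such as `hmac.compare_digest` rather than `==`.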

Remove uvicorn as a pkg dependency

Describe the bug
Uvicorn is a dependency of the package but it is not necessary to install it unless the package itself is to be run.
Also, it is an additional point of failure when installing the package since a minimal version is pinned.

OpenId Connect example from documentation doesn't redirect to login anymore.

First off, I'm excited about this library, after spending more time than I want to admit looking for a good ASGI middleware that does oidc token validation out of the box.

It's a minor issue as probably no one would want to run that way without a frontend client***. I could write a pull request if you want, but I wonder about future plans/needs of this project. It would be nicer to split out authn functions as their own standalone middleware.

Describe the bug
bug was introduced here 701e5a6#r79824655: the "if not successful" comes before the redirect

To Reproduce
Steps to reproduce the behavior:
Follow documentation at https://github.com/busykoala/fastapi-opa/wiki#dev-setup

*** if using fastapi-opa without some sort of SPA or client is intended, https://github.com/simonw/asgi-auth-github has a nice implementation of using a cookie (reduces load on the identity provider) and also splits the authorization function from the callback_url; your design does both at the same time.
