fastapi-azure-auth

[Feature request] oauth2-redirect outside local development

Open Christian-Schultz opened this issue 3 years ago • 9 comments
The documentation is sufficient for building an API that runs in a local development environment - but I suppose that setting oauth2-redirect to a real domain instead of localhost is a common use case outside local development. Suppose the API is hosted somewhere (Kubernetes, Azure Container Instances, Virtual Machine) - how should the oauth2-redirect URI now be changed - and what are some options on how to treat TLS in such a setting (as Azure App Registration will only allow https links as redirects)? Maybe a section on production maturing would be helpful, or maybe simply just clarifying that oauth2-redirect should be changed in a realistic production/TLS setting.

Christian-Schultz avatar Apr 13 '22 12:04 Christian-Schultz

Hi! Thanks for the feedback. 😊

I agree, we could definitely add some options here. @h3rmanj actually has a section about this here, which we could take inspiration from. Would you please look over that and see if that is sufficient information, or anything else you'd like to add?

On the second part about TLS and hosting: I'd generally want to steer away from talking too much about those subjects, as it will vary so much between the services. At some point I think having too much documentation will just make it be skimmed instead of followed, so it's a fine balance.

  • At Intility TLS is managed by K8s admins, and we just "check a box".
  • In Azure, I have never hosted anything behind a custom URL, so I don't even know.
  • In Heroku you get a TLS certificate to a custom domain through adding a CNAME record which points to their custom URL. E.g. api.mydomain.com points to some-random-long-string.herokudns.com.
  • In AWS you verify a domain ownership through Certificate Manager, where they tell you to create a CNAME from your domain to theirs. (For instance they'd ask you to point some-random-long-string.mydomain.com to some-random-long-string.acm-validations.aws.)

JonasKs avatar Apr 13 '22 12:04 JonasKs

I think that section covers most of the details - so I guess most of it is already written. I'll see if I can do a PR over easter copy-pasting this and modifying it where necessary.

I agree with your comment on TLS, it is probably too much detail. Maybe it's a topic for a future Medium post.

Christian-Schultz avatar Apr 13 '22 13:04 Christian-Schultz

Awesome! Let me know if you have any issues, I'm normally pretty quick to respond.

As a side note, I'm not sure if we need a redirect URL on the backend app registration at all, since we're not hosting an MVC site. I'll see if it is possible to even skip that step, and only have a redirect URL for the OpenAPI app reg and whatever frontend app registrations one might have.

> I agree with your comment on TLS, it is probably too much detail. Maybe it's a topic for a future Medium post.

True! We actually have our own blog over at engineering@, I've written a blog about OAuth2 there.

As for the topic, pure frontends (such as your own React frontend) can be hosted for free on GitHub Pages behind a custom domain with TLS. It is also easy to set up, all you do is to point a domain name to GitHub as told in the settings for the repository, and it'll create a file called CNAME for you. We do this for the templates repository I linked above, under the gh-pages branch.

I'll think about creating a blog post with examples for the most common providers, but I won't promise anything. 😁 I have a few other things I want to write about first.

JonasKs avatar Apr 13 '22 13:04 JonasKs

> As a side note, I'm not sure if we need a redirect URL on the backend app registration at all, since we're not hosting an MVC site. I'll see if it is possible to even skip that step, and only have a redirect URL for the OpenAPI app reg and whatever frontend app registrations one might have.

Very much possible, I have omitted the redirect URL in the template setup guide for .NET already.

h3rmanj avatar Apr 13 '22 14:04 h3rmanj

You're always one step ahead, aren't you! Let's reflect that over here. 😁

JonasKs avatar Apr 13 '22 14:04 JonasKs

Perfect, I will see what I can do. I have an ambition of writing a blog on how to deploy a containerized FastAPI app as an Azure App Service - I might as well use this example as the base for that. That comes with free automatic SSL as well, so it might serve as a good example.

Christian-Schultz avatar Apr 13 '22 14:04 Christian-Schultz

Hi! Do you still want to fix this? If not I'll look into it this week/weekend. 😊

JonasKs avatar Apr 26 '22 06:04 JonasKs

It's still on my todo - unfortunately I've been very busy elsewhere. I'll see if I can get it done before the weekend, otherwise feel free :)

Christian-Schultz avatar Apr 26 '22 07:04 Christian-Schultz

No rush, just wanted to follow up. I’ll leave it then 😊

JonasKs avatar Apr 26 '22 07:04 JonasKs