aioauth icon indicating copy to clipboard operation
aioauth copied to clipboard
verified publisher icon aliev

Separate Authorization Request Validation and Response

Open imgurbot12 opened this issue 1 year ago • 3 comments

Is your feature request related to a problem? Please describe.

Currently, it seems it is not possible to validate an authorization request separately from generating an authorization response. This means that a user must be redirected to a login and be logged in before the initial authorization request processing can be made. Otherwise the request fails due to missing user information

This is very problematic because it means only after the user has properly logged in does the oauth-server report an error with the criteria passed ahead of time to the server making the login virtually pointless.

Describe the solution you'd like

It would be very beneficial to have some sort of workflow like this:

def authorize(request):
  server = AuthorizationServer(storage=storage)
  state = server.validate_authorization_request(request)
  redirect('/login')
  
def post_login(request, state):
  server   = AuthorizationServer(storage=storage)
  response = server.create_authorization_response(state)
  return response

Looking at the existing fastapi example it does not seem like a solution or workaround exists otherwise.

imgurbot12 avatar Aug 28 '24 05:08 imgurbot12

Hi @imgurbot12 ! I'll review your PR ASAP. Thanks for your contribution!

aliev avatar Aug 28 '24 06:08 aliev

Hi @imgurbot12 ! I'll review your PR ASAP. Thanks for your contribution!

awesome, thanks :)

imgurbot12 avatar Aug 28 '24 06:08 imgurbot12

Another important reason to have this is to validate the request URI so that you can safely return an error to the downstream client if there's a problem during the upstream authentication process.

For example, imagine a client sends a request to your authorize endpoint, and before calling AuthorizationServer.create_authorization_response, you first want to present them with a login page. Then on the login page, the user clicks cancel. In that case you should redirect back to the client with an access_denied error code, but since you haven't called create_authorization_response yet, you can't be sure if the redirect URI is valid for that client.

With this change, you would be able to first call validate_authorization_request before presenting the login page, and then if there's an error during the login process, you can safely redirect them to the redirect URI with the error code specified since the redirect URI has been validated already.

shawn-monadical avatar Sep 10 '24 18:09 shawn-monadical

I support splitting validation from authorization code generation; as it stands, expecting the user to be logged in before validating the auth request (or as a part of it, as currently happens) is actually not compliant with the OIDC specification, where it's explicitly stated that login should be happening after the initial authorization request is validated.

Seems like this package also doesn't follow the proper error OIDC codes for failures, either.

thearchitector avatar Jan 19 '25 05:01 thearchitector

Hey, @thearchitector!

I'm currently working on the v2 version of aioauth, but progress is very slow as I lack the time to fully focus on the project and address all issues of the previous version. If you already have ideas on splitting validation and response, I would be very happy to see your contribution! The master branch currently contains the latest changes for v2.

aliev avatar Jan 19 '25 17:01 aliev

@aliev I was holding off on this one since I wasn't sure what your priorities were for v2 release and the workaround you provided works fine, but I can try and revamp the PR for v2 if you're cool with that.

imgurbot12 avatar Jan 19 '25 19:01 imgurbot12

but I can try and revamp the PR for v2 if you're cool with that.

that would be great. thank you!

aliev avatar Jan 19 '25 20:01 aliev

Got distracted with some work stuff but PR is made, sorry for the wait.

Funnily enough now that I've made the required changes I think my design makes things worse and I think that's cause fundamentally its probably better that aioauth puts the whole authorization process into one function/part due to the way aioauth is designed. Posted a comment in the PR for discussion.

lmk what y'all think. Thanks :)

imgurbot12 avatar Jan 21 '25 04:01 imgurbot12

@imgurbot12 Thanks! I'll be able to review it in more detail only on the weekend.

aliev avatar Jan 21 '25 18:01 aliev

@imgurbot12

I've closed this issue. Please feel free to reopen it or create a new one if any code additions related to separating Validation and Response are needed. I'm not making an official release yet.

P.S.

I'm currently working on a small side project in my free time - thought you might be interested: https://github.com/aliev/baker

aliev avatar Feb 09 '25 19:02 aliev

Sounds good! Thanks for all your support and effort in finding a solution.

imgurbot12 avatar Feb 09 '25 20:02 imgurbot12