Feature: redirect after login/register with OAuth #910
This LGTM though I'm not an expert on auth/oauth/jwt, @dpgaspar should have the final word
@@ -5,8 +5,9 @@ | |||
|
|||
<script type="text/javascript"> | |||
|
|||
var baseLoginUrl = {{url_for('AuthOAuthView.login')}}; | |||
var baseRegisterUrl = {{url_for('AuthOAuthView.login')}}; | |||
var baseLoginUrl = "{{url_for('AuthOAuthView.login')}}"; |
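Review bot: the removed lines emit the Jinja expression unquoted, so the rendered script reads `var baseLoginUrl = /login/;` (a regex literal) rather than a string; the added line fixes that for `baseLoginUrl`, but the hunk shows no replacement for the `baseRegisterUrl` line, which was also pointing at `AuthOAuthView.login` instead of a register endpoint, so please confirm that line is corrected as well. Rather than hand-placing quotes inside a `<script>` block, rendering the value with Flask's `tojson` filter (`var baseLoginUrl = {{ url_for('AuthOAuthView.login') | tojson }};`) yields a correctly quoted and escaped JavaScript string literal.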
This was interesting... we're missing the quotes, so this actually gets translated to:
var baseLoginUrl = /login/;
Which works because it defines a regular expression that later gets cast to a string when it's concatenated to currentSelection!
God...
It's ok, I blame Javascript. :)
Hello @dpgaspar @betodealmeida,
I have the following test case scenario; is it taken care of in testing or not?
If someone logs in to FlaskAppBuilder using a Twitter account and in the meantime someone deletes/disables his Twitter account, is the user still able to use the FlaskAppBuilder app (if he did not log out manually), or does he get an Access Denied error? And how are we validating user authenticity in the running application?
Looks good, I'll test it with some other providers.
Hi, testing with the Google OAuth provider, using a simple login I get redirected to http://localhost:8080/None. Can you help?
Yeah, let me take a look.
Thanks!
@dpgaspar I fixed the
Ping @dpgaspar
It fails on twitter:
As you can see auth works ok, and self registers the user, but there is no state on the request.args
Looks like
@dpgaspar I fixed the Twitter redirect. It doesn't accept the state payload, but unlike Google/Facebook it allows it in the URL, so all I had to do was change the call to I also fixed the Twitter registration: the returned user info has only the username.
@@ -27,7 +27,7 @@ def wraps(self, *args, **kwargs): | |||
else: | |||
log.warning(LOGMSG_ERR_SEC_ACCESS_DENIED.format(permission_str, self.__class__.__name__)) | |||
flash(as_unicode(FLAMSG_ERR_SEC_ACCESS_DENIED), "danger") | |||
return redirect(url_for(self.appbuilder.sm.auth_view.__class__.__name__ + ".login")) | |||
return redirect(url_for(self.appbuilder.sm.auth_view.__class__.__name__ + ".login", next=request.url)) |
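Review bot: `next=request.url` passes a full absolute URL (scheme and host included) into the login redirect, so wherever the login view later redirects to the `next` value it must verify that the target is on the application's own host, otherwise a crafted `next` parameter turns the login endpoint into an open redirect; either validate the host before redirecting or pass a relative target such as `request.full_path`. Also confirm that `request` is imported in this module, since the hunk only shows its use.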
I see this fix for only AuthOAuthView, but how do we ensure this next=request.url variable will be utilized in AuthDBView, AuthLDAPView and AuthRemoteUserView? There users are sent to the index page instead of the page they tried to visit initially.
True @ankursinghal2005, one would have to replicate the same logic to all child classes.
Hey @betodealmeida, are you willing to do it?
I'm not the right person to do it, since I don't have access to an LDAP auth server. Maybe @ankursinghal2005 can do it for the auth system they're using?
@betodealmeida
I have tested with the LDAP test server below. It is working fine. You can see it for your reference. I can further work on the remaining child classes after this PR gets merged into master.
Online LDAP Test Server Link
https://www.forumsys.com/tutorials/integration-how-to/ldap/online-ldap-test-server/
When using LDAP Auth, set up the LDAP server:
AUTH_TYPE = AUTH_LDAP
AUTH_LDAP_SERVER = "ldap://ldap.forumsys.com:389"
AUTH_LDAP_SEARCH = "dc=example,dc=com"
AUTH_LDAP_BIND_USER = "uid=riemann,dc=example,dc=com"
AUTH_LDAP_BIND_PASSWORD = "password"
nice!!
Looks good, nice work!
Just released 1.12.4 with this
Currently, after a user goes through the authentication flow they are sent to the index page, instead of the page they tried to visit initially.
I improved the flow by storing the initial URL in a `state` parameter, that is signed and sent to the OAuth provider [see docs]. Once the user has been authenticated, the `state` parameter received back from the provider is used to redirect them to the initial URL. Note that the `state` is signed, to avoid a malicious provider redirecting the user to a URL they control.
I tested the workflow with Superset, and it works as expected. I only tested with Google OAuth.
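The signed `state` round-trip this PR describes, together with the same-origin check that a `next=request.url` value needs before it is honoured, as an added stand-alone example. This is not Flask-AppBuilder's own code: the HMAC-SHA256 signing, the constructed `SECRET_KEY`, the timestamp expiry and the function names are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlparse

# Constructed secret for this example; a real app uses its configured SECRET_KEY.
SECRET_KEY = b"example-secret-key-not-for-production"


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_state(next_url: str, secret: bytes = SECRET_KEY, now=None) -> str:
    """Pack the initial URL and a timestamp, then sign them: body.signature."""
    stamp = int(now if now is not None else time.time())
    payload = json.dumps({"next": next_url, "ts": stamp}, separators=(",", ":"))
    body = _b64e(payload.encode("utf-8"))
    sig = hmac.new(secret, body.encode("ascii"), hashlib.sha256).digest()
    return body + "." + _b64e(sig)


def verify_state(state: str, secret: bytes = SECRET_KEY, max_age: int = 600, now=None):
    """Return the signed `next` URL, or None if the state is forged, damaged or stale."""
    try:
        body, sig = state.split(".", 1)
        expected = hmac.new(secret, body.encode("ascii"), hashlib.sha256).digest()
        # Constant-time compare so signature checks do not leak timing information.
        if not hmac.compare_digest(expected, _b64d(sig)):
            return None
        payload = json.loads(_b64d(body).decode("utf-8"))
    except (ValueError, UnicodeDecodeError):
        return None
    current = now if now is not None else time.time()
    if not isinstance(payload, dict) or current - payload.get("ts", 0) > max_age:
        return None
    return payload.get("next")


def is_safe_redirect(target: str, allowed_host=None) -> bool:
    """Accept a local path, or an absolute http(s) URL only on our own host.

    A signature proves the value came from this app, not that it is a sane
    destination; `request.url` is absolute, so the host must be checked too.
    """
    parsed = urlparse(target)
    if parsed.scheme == "" and parsed.netloc == "":
        # Relative target: must be a plain path, and not a scheme-relative "//host".
        return target.startswith("/") and not target.startswith("//")
    return parsed.scheme in ("http", "https") and allowed_host is not None and parsed.netloc == allowed_host


def redirect_target(state: str, allowed_host=None, fallback: str = "/") -> str:
    """What the OAuth callback should redirect to once the provider returns `state`."""
    next_url = verify_state(state)
    if next_url and is_safe_redirect(next_url, allowed_host):
        return next_url
    return fallback


if __name__ == "__main__":
    token = make_state("/admin/users")
    print(redirect_target(token))                                   # /admin/users
    print(redirect_target(make_state("https://attacker.example/")))  # /
```

Splitting the check in two matters: `verify_state` rejects anything the application did not sign (a provider cannot substitute its own `next`), while `is_safe_redirect` rejects destinations the application should never follow even when it did sign them, which is the case when `next` is populated from an unvalidated `request.url`.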