Handling redirect for OAuth callback

[MatthewScholefield]

When using OAuth with the cookie backend, the callback like /auth/google/callback responds with a set-cookie header so I would expect that I would set this as the callback URL in my OAuth application so that the cookie would be set on the browser on redirect. However, the content of this page is always null and I couldn't find a way to change this (the redirect_url parameter in get_oath_router doesn't seem to make a difference).

Would it make sense to have a request customizer within get_oauth_router so that we could choose to redirect the user to our application in the callback response?

I read in another issue that fastapi-users is meant to be used for the API only but if that's the case, I'm wondering why there's a cookie auth backend and what the expected method of providing the callback info is. Is the expected method to set the Google callback URL to your frontend application and then have the frontend forward the request to the api backend within javascript?

Edit: Actually, the cookie backend still makes sense because when you use fetch from Javascript, it still sets cookies properly etc. so it's still useful to enable httpOnly auth storage. Anyways, for now I've set the redirect to route to a frontend endpoint that forwards to the backend within javascript, but I do still believe it would be convenient to allow for a simple redirect so that the OAuth provider could route directly to the backend.

- Matthew

[frankie567]

Hi Matthew,

The way you describe (redirect to a frontend application and forward the parameters to the API through JavaScript) is exactly what I do myself in my production application.

I understand your need to automatically do a 302 to a URL of your choice in the /callback route. However, we have to account for all cases there. For example, with the JWT authentication backend, the response actually contains the jwt in order to authenticate.

What you can do is overload the get_login_response method of the CookieAuthentication class. Something like this:

from fastapi import status
from fastapi_users.authentication import CookieAuthentication

class AutoRedirectCookieAuthentication(CookieAuthentication):
    async def get_login_response(self, user, response):
        await super().get_login_response(user, response)
        response.status_code = status.HTTP_302_FOUND
        response.headers["Location"] = "http://www.myapp.com/route/after/oauth"

And use it as your authentication backend.

PS: For this kind of discussion, please favor Discussions ; it helps me to organize 🙂

[MatthewScholefield]

Thanks for the reply! I was thinking about overloading the auth, but I thought that be a little strange because in the non-auth login flow I think it would also redirect (but I suppose you just wouldn't ever use AutoRedirectCookieAuthentication for non-oauth login).

Anyways, now that I know forwarding the request from the frontend is what you do (and isn't "hacky" like I initially thought), there's not too much of a need for an alternative.

[pcnoic]

I believe that this is a typical pattern that many fastapi-users implement, I'd like to add as a side note that when dealing with cross-domain cookies, the following settings work as they should.

response.set_cookie("token", token, max_age=SESSION_LIFETIME, secure=True, samesite='none', domain='.example.com')
        response.headers["Location"] = FRONTEND_URL
        response.headers["Access-Control-Allow-Credentials"] = "true"
        response.status_code = status.HTTP_302_FOUND

[much-to-learn2]

In case it's helpful to anyone, this worked for me to overload the newer CookieTransport class:

    async def get_login_response(self, token: str) -> Response:
        response = RedirectResponse(settings.oauth_redirect_url, status_code=302)
        return self._set_login_cookie(response, token)