oidc-fastapi-test/src/oidc_test/main.py

"""
Test of OpenId Connect & OAuth2 with FastAPI
"""

from typing import Annotated
from pathlib import Path
from datetime import datetime
import logging
from urllib.parse import urlencode
from contextlib import asynccontextmanager

from httpx import HTTPError
from fastapi import Depends, FastAPI, HTTPException, Request, status
from fastapi.staticfiles import StaticFiles
from fastapi.responses import HTMLResponse, RedirectResponse
from fastapi.templating import Jinja2Templates
from fastapi.middleware.cors import CORSMiddleware
from jwt import InvalidTokenError, PyJWTError
from starlette.middleware.sessions import SessionMiddleware
from authlib.integrations.starlette_client.apps import StarletteOAuth2App
from authlib.integrations.base_client import OAuthError
from authlib.oauth2.rfc6749 import OAuth2Token

# TODO: PKCE
# from authlib.integrations.httpx_client import AsyncOAuth2Client
# from fastapi.security import OpenIdConnect
# from pkce import generate_code_verifier, generate_pkce_pair

from .settings import settings, oidc_providers_settings
from .models import User
from .auth_utils import (
    get_oidc_provider,
    get_oidc_provider_or_none,
    get_current_user_or_none,
    authlib_oauth,
    get_providers_info,
    get_token_or_none,
)
from .auth_misc import pretty_details
from .database import TokenNotInDb, db
from .resource_server import resource_server

logger = logging.getLogger("oidc-test")

templates = Jinja2Templates(Path(__file__).parent / "templates")


@asynccontextmanager
async def lifespan(app: FastAPI):
    assert app is not None
    await get_providers_info()
    yield


app = FastAPI(title="OIDC auth test", lifespan=lifespan)

app.add_middleware(
    CORSMiddleware,
    allow_origins=settings.cors_origins,
    allow_credentials=True,
    allow_methods=["*"],
    allow_headers=["*"],
)

# SessionMiddleware is required by authlib
app.add_middleware(
    SessionMiddleware,
    secret_key=settings.secret_key,
)

app.mount("/static", StaticFiles(directory=Path(__file__).parent / "static"), name="static")
app.mount("/resource", resource_server, name="resource_server")


@app.get("/")
async def home(
    request: Request,
    user: Annotated[User, Depends(get_current_user_or_none)],
    oidc_provider: Annotated[StarletteOAuth2App | None, Depends(get_oidc_provider_or_none)],
    token: Annotated[OAuth2Token | None, Depends(get_token_or_none)],
) -> HTMLResponse:
    now = datetime.now()
    if oidc_provider and (
        (
            oidc_provider_settings := oidc_providers_settings.get(
                request.session.get("oidc_provider_id", "")
            )
        )
        is not None
    ):
        resources = oidc_provider_settings.resources
    else:
        resources = []
        oidc_provider_settings = None

    if user is None:
        access_token_scope = None
    else:
        try:
            access_token_scope = user.decode_access_token()["scope"]
        except InvalidTokenError as err:
            access_token_scope = None
            logger.info("Invalid token")
            logger.exception(err)

    context = {
        "settings": settings.model_dump(),
        "user": user,
        "access_token_scope": access_token_scope,
        "now": now,
        "oidc_provider": oidc_provider,
        "oidc_provider_settings": oidc_provider_settings,
        "resources": resources,
    }
    if token is None:
        context["id_token_parsed"] = None
        context["access_token_parsed"] = None
        context["refresh_token_parsed"] = None
    else:
        assert oidc_provider is not None
        assert oidc_provider.name is not None
        oidc_provider_settings = oidc_providers_settings[oidc_provider.name]
        context["id_token_parsed"] = pretty_details(user, now)
        context["access_token_parsed"] = oidc_provider_settings.decode(token["access_token"])
        context["refresh_token_parsed"] = oidc_provider_settings.decode(
            token["refresh_token"], verify_signature=False
        )
    return templates.TemplateResponse(name="home.html", request=request, context=context)


# Endpoints for the login / authorization process


@app.get("/login/{oidc_provider_id}")
async def login(request: Request, oidc_provider_id: str) -> RedirectResponse:
    """Login with the provider id, giving the browser a redirect to its authorize page.
    The provider is expected to send the browser back to our own /auth/{oidc_provider_id} url
    with the token.
    """
    redirect_uri = request.url_for("auth", oidc_provider_id=oidc_provider_id)
    try:
        provider: StarletteOAuth2App = getattr(authlib_oauth, oidc_provider_id)
    except AttributeError:
        raise HTTPException(status.HTTP_401_UNAUTHORIZED, "No such provider")
    # if (
    #    code_challenge_method := oidc_providers_settings[
    #        oidc_provider_id
    #    ].code_challenge_method
    # ) is not None:
    #    #client = AsyncOAuth2Client(..., code_challenge_method=code_challenge_method)
    #    code_verifier = generate_code_verifier()
    #    logger.debug("TODO: PKCE")
    # else:
    #    code_verifier = None
    try:
        response = await provider.authorize_redirect(
            request,
            redirect_uri,
            access_type="offline",
            code_verifier=None,
        )
        return response
    except HTTPError:
        raise HTTPException(status.HTTP_401_UNAUTHORIZED, "Cannot reach provider")


@app.get("/auth/{oidc_provider_id}")
async def auth(request: Request, oidc_provider_id: str) -> RedirectResponse:
    """Decrypt the auth token, store it to the session (cookie based)
    and response to the browser with a redirect to a "welcome user" page.
    """
    try:
        oidc_provider: StarletteOAuth2App = getattr(authlib_oauth, oidc_provider_id)
    except AttributeError:
        raise HTTPException(status.HTTP_401_UNAUTHORIZED, "No such provider")
    try:
        token: OAuth2Token = await oidc_provider.authorize_access_token(request)
    except OAuthError as error:
        raise HTTPException(status.HTTP_401_UNAUTHORIZED, detail=error.error)
    # Remember the oidc_provider in the session
    # logger.info(f"Scope: {token['scope']}")
    request.session["oidc_provider_id"] = oidc_provider_id
    #
    # One could process the full decoded token which contains extra information
    # eg for updates. Here we are only interested in roles
    #
    if userinfo := token.get("userinfo"):
        # Remember the oidc_provider in the session
        request.session["oidc_provider_id"] = oidc_provider_id
        # User id (sub) given by oidc provider
        sub = userinfo["sub"]
        # Build and remember the user in the session
        request.session["user_sub"] = sub
        # Store the user in the database, which also verifies the token validity and signature
        try:
            user = await db.add_user(
                sub,
                user_info=userinfo,
                oidc_provider=oidc_provider,
                access_token=token["access_token"],
            )
        except PyJWTError as err:
            raise HTTPException(
                status.HTTP_401_UNAUTHORIZED,
                detail=f"Token invalid: {err.__class__.__name__}",
            )
        assert isinstance(user, User)
        # Add the provider session id to the session
        request.session["sid"] = userinfo["sid"]
        # Add the token to the db because it is used for logout
        assert oidc_provider.name is not None
        oidc_provider_settings = oidc_providers_settings[oidc_provider.name]
        await db.add_token(oidc_provider_settings, token)
        # Send the user to the home: (s)he is authenticated
        return RedirectResponse(url=request.url_for("home"))
    else:
        # Not sure if it's correct to redirect to plain login
        # if no userinfo is provided
        return RedirectResponse(url=request.url_for("login", oidc_provider_id=oidc_provider_id))


@app.get("/account")
async def account(
    request: Request,
) -> RedirectResponse:
    if (
        oidc_provider_settings := oidc_providers_settings.get(
            request.session.get("oidc_provider_id", "")
        )
    ) is None:
        raise HTTPException(status.HTTP_406_NOT_ACCEPTABLE, detail="No oidc provider settings")
    return RedirectResponse(f"{oidc_provider_settings.account_url_template}")


@app.get("/logout")
async def logout(
    request: Request,
    oidc_provider: Annotated[StarletteOAuth2App, Depends(get_oidc_provider)],
) -> RedirectResponse:
    # Clear session
    request.session.pop("user_sub", None)
    # Get provider's endpoint
    if (provider_logout_uri := oidc_provider.server_metadata.get("end_session_endpoint")) is None:
        logger.warn(f"Cannot find end_session_endpoint for provider {oidc_provider.name}")
        return RedirectResponse(request.url_for("non_compliant_logout"))
    post_logout_uri = request.url_for("home")
    oidc_provider_settings = oidc_providers_settings.get(
        request.session.get("oidc_provider_id", "")
    )
    assert oidc_provider_settings is not None
    try:
        token = await db.get_token(oidc_provider_settings, request.session.pop("sid", None))
    except TokenNotInDb:
        logger.warn("No session in db for the token or no token")
        return RedirectResponse(request.url_for("home"))
    logout_url = (
        provider_logout_uri
        + "?"
        + urlencode(
            {
                "post_logout_redirect_uri": post_logout_uri,
                "id_token_hint": token["id_token"],
                "cliend_id": "oidc_local_test",
            }
        )
    )
    return RedirectResponse(logout_url)


@app.get("/non-compliant-logout")
async def non_compliant_logout(
    request: Request,
    oidc_provider: Annotated[StarletteOAuth2App, Depends(get_oidc_provider)],
):
    """A page for non-compliant OAuth2 servers that we cannot log out."""
    # Clear the remain of the session
    request.session.pop("oidc_provider_id", None)
    return templates.TemplateResponse(
        name="non_compliant_logout.html",
        request=request,
        context={"oidc_provider": oidc_provider, "home_url": request.url_for("home")},
    )


# Snippet for running standalone
# Mostly useful for the --version option,
# as running with uvicorn is easy and provides better flexibility, eg.
# uvicorn --host foo oidc_test.main:app --reload


def main():
    from uvicorn import run
    from argparse import ArgumentParser

    parser = ArgumentParser(description=__doc__)
    parser.add_argument(
        "-l",
        "--host",
        type=str,
        default="0.0.0.0",
        help="Address to listen to (default: 0.0.0.0)",
    )
    parser.add_argument(
        "-p", "--port", type=int, default=80, help="Port to listen to (default: 80)"
    )
    parser.add_argument("-v", "--version", action="store_true", help="Print version and exit")
    args = parser.parse_args()

    if args.version:
        import sys
        from importlib.metadata import version

        print(version("oidc-fastapi-test"))
        sys.exit(0)

    run(app, host=args.host, port=args.port)