-
-
Notifications
You must be signed in to change notification settings - Fork 799
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix CORS by passing 'Origin' header to OAuthLib #1229
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you explain the use case for this given apps using Django CORS settings have been using this library successfully without it?
Using this PR it is possible to enable CORS for OAuth Django CORS settings is an alternative way. Use Case 1:
|
Codecov Report
@@ Coverage Diff @@
## master #1229 +/- ##
==========================================
+ Coverage 97.46% 97.48% +0.02%
==========================================
Files 32 32
Lines 2092 2111 +19
==========================================
+ Hits 2039 2058 +19
Misses 53 53
📣 We’re building smart automated test selection to slash your CI/CD build times. Learn more |
@akanstantsinau Are you unable to meet your CORS needs using the CORS middleware? The docs recommend using cors-headers for this purpose. I'm wary of adding CORS handling. The scope of oauth support is pretty broad and there is already a lot of surface area in oauth_toolkit. I wouldn't want to add things we didn't have to and that weren't explicitly defined in OAuth/OIDC specifications. I'm willing to hear more about your case for adding this, but convenience isn't going to be a convincing argument. |
@dopry Thank your for looking into this PR
The solution would be trivial if we do not have existing CORS middelware configs.
In our case we already have set The only motivation for this PR was to reuse already existing CORS feature in |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think this is a good start to improving our CORS support.
The default OauthLib request validator always returns false, https://github.com/oauthlib/oauthlib/blob/d4b6699f8ccb608152b764919e0bd3d38a7b171f/oauthlib/oauth2/rfc6749/request_validator.py#L656
If we're going to enable this upstream with OAuthLib we also need to
- implement of
is_origin_allowed
inoauth2_provider.oauth2_validators.OAuth2Validator
. - add a field for the allowed origins on the application model
- ensure all views which should implement CORS in DOT are using the validator
@akanstantsinau do you have the bandwidth to continue working on this issue? |
2bd7dba
to
bdc26e7
Compare
@dopry Apologize for long delay. Yes I do have bandwidth now to continue work on this. |
FWIW, we implemeted this, and the approach is working well: It allows us to customise |
7cc9ab6
to
cc4e470
Compare
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Awesome progress. This is great work and we're super close. I have a few small asks. Mostly simple renaming and docs, otherwise, from a code review perspective, we're pretty much there. After we can get those changes in I'll setup a test env and put it through it's paces!
@akanstantsinau This looks great. Can you look at the coverage issue in Codecov? It looks like your tests should be covering those cases. Can you look into it and confirm those cases are covered? Also double check the doc changes to make sure there isn't a typo that is throwing sphinx for a loop. I'll try to do a local test setup tomorrow. |
@dopry I believe sphinx issue is something not related with changes in this PR:
The fix might be adding I'd prefer not to fix it in this PR, because its a different issue. Also my findings can be not correct. Working on coverage issue. |
ah, don't suppose django-oauth-toolkit is hit by the recent RTD changes? https://blog.readthedocs.com/defaulting-latest-build-tools/ or https://blog.readthedocs.com/newsletter-september-2023/ |
@rcoup looks like you're right. I'll try to get a PR up to fix that today so we can get CI working again. |
@akanstantsinau I updated the branch with a rebase in the Github UI to see if the RTD fixes are good. Feel free to force push your local over it. |
@akanstantsinau it looks like everything is passing. I'll do some manual testing later today and hopefully we'll get this in. |
@dopry that are awesome news! Thank you! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I wasn't able to do my local testing due to validation issues.
@dopry Added |
It is possible to control CORS by overriding is_origin_allowed method of RequestValidator class. OAuthLib allows origin if: - is_origin_allowed returns True for particular request - Request connection is secure - Request has 'Origin' header
for more information, see https://pre-commit.ci
for more information, see https://pre-commit.ci
Fixes #
Description of the Change
Pass DJango
HTTP_ORIGIN
header to underlying OAuthLibIt is possible to control CORS by overriding is_origin_allowed method of RequestValidator class.
OAuthLib allows origin if:
RequestValidator.is_origin_allowed
returnsTrue
for particular requestOrigin
headerChecklist
CHANGELOG.md
updated (only for user relevant changes) - change is not user relevantAUTHORS