OAuth: authentication and authorization support

What is OAuth

OAuth (Open Authorization) is an open standard for token-based authentication and authorization. It enables third-party applications to obtain limited access to a user's resources on another service without exposing their credentials. The user can grant access to their resources on one site to another site without sharing their credentials, providing a secure and efficient way to authenticate users.

You have probably used OAuth without realizing it when signing into various online services and applications. For example, when you use "Sign in with Google" or "Log in with Facebook" to access a third-party website or application, you are using OAuth. By leveraging OAuth, these services allow users to authenticate themselves using their existing Google or Facebook credentials, simplifying the login process and reducing the need for users to remember multiple usernames and passwords. OAuth has become an essential aspect of online identity management and is widely used by companies and developers to provide a seamless and secure authentication experience.

Installing

To install Solara with OAuth support, make sure you have Solara Enterprise install by run the following command:

$ pip install solara solara-enterprise[auth]

OAuth support in Solara

Solara offers two modes for enabling OAuth: private mode and application controlled mode.

Private mode

In private mode, Solara pages or any static resources are not accessible without being authenticated. This mode is suitable for web servers that should not be publicly accessible. To enable private mode, set the following environment variable:

SOLARA_OAUTH_PRIVATE=True

Application controlled mode

In application controlled mode, the application is responsible for checking if a user is authenticated. The application can show a login or logout link and provide user information when the user is logged in. Solara comes preconfigured to run on localhost out of the box, and no additional setup is required to enable OAuth for local development and testing.

Here's an example of how to implement OAuth in application controlled mode:

import solara
from solara_enterprise import auth

@solara.component
def Page():
    if not auth.user.value:
        # `get_login_url` should automatically redirect the user back to the current page.
        # The URL argument is only used here as an example.
        solara.Button("Login", icon_name="mdi-login", href=auth.get_login_url("documentation/advanced/enterprise/oauth"))
    else:
        userinfo = auth.user.value['userinfo']
        if 'name' in userinfo:
            solara.Markdown(f"### Welcome {userinfo['name']}")
        # See above comment
        solara.Button("Logout", icon_name="mdi-logout", href=auth.get_logout_url("documentation/advanced/enterprise/oauth"))

Live output

How to configure OAuth

Solara supports the following OAuth providers: Auth0 and Fief.

Configuring Auth0

By default, Solara is configured with a test Auth0 account. This is useful for testing, but you should not use this in production. This account does limit solara running on localhost, port 8765 to 8770 (and 18765 to 18770 for running the tests).

To configure your own Auth0 provider, you need to change the following environment variables from their defaults:

# required if you don't use the default test account
SOLARA_SESSION_SECRET_KEY="change me"
# found in the Auth0 dashboard Applications->Applications->Client ID
SOLARA_OAUTH_CLIENT_ID="cW7owP5Q52YHMZAnJwT8FPlH2ZKvvL3U"
# found in the Auth0 dashboard Applications->Applications->Client secret
SOLARA_OAUTH_CLIENT_SECRET="zxITXxoz54OjuSmdn-PluQgAwbeYyoB7ALlnLoodftvAn81usDXW0quchvoNvUYD"
# found in the Auth0 dashboard Applications->Applications->Domain
SOLARA_OAUTH_API_BASE_URL="dev-y02f02f2bpr8skxu785.us.auth0.com"

You can optionally set the following environment variables:

SOLARA_OAUTH_SCOPE = "openid profile email"

Create your own Auth0 Application

To create your own Auth0 application, follow these steps:

Go to the Auth0 dashboard and click on "Applications" on the left side navigation menu.
Click on "Create Application".
Enter a name for your application and select "Regular Web Applications" as the application type. Click on "Create".
Click "Skip Integration" to skip the integration step.
Click on the "Settings" tabs and enter the following information:
- Allowed Callback URLs: http://localhost:8765/_solara/auth/authorize, https://yourdomain.com/_solara/auth/authorize
- Allowed Logout URLs: http://localhost:8765/_solara/auth/logout, https://yourdomain.com/_solara/auth/logout
Note that the localhost URLs are only meant for testing. You can remove them once you are ready to deploy your application. We recommend setting up a new application for each environment (e.g. development, staging, production).
Configure Solara.

At the top of the "Settings" tab, you should see your "Domain", "Client ID" and "Client Secret". You will need to set the following environment variables to these values:
```
SOLARA_OAUTH_API_BASE_URL="dev-y02f2bpr8skxu785.us.auth0.com"  # replace with your domain
SOLARA_OAUTH_CLIENT_ID="ELOFERLovc7e7dPwkxO6WFAljtYj9UzJ"  # replace with your client ID
SOLARA_OAUTH_CLIENT_SECRET="..."  # not shown here, replace with your client secret
```
Set your SOLARA_SESSION_SECRET_KEY to a random string. See the Generating a secret key for a convenient way to generate a secret key.

Solara forces you to set a value for SOLARA_SESSION_HTTPS_ONLY, because the OAuth login is only secure when this setting is True and your app runs over HTTPS. For development, where your app likely doesn't run over HTTPS, you must set it to False, otherwise OAuth login will not work. For more information on configuring Solara to run over HTTPS, see HTTPS.

Now you can run the above solara example using your own auth0 provider.

Configuring Fief

You can also configure Solara to use our Fief test account. To do this, you need to set the following environment variables:

SOLARA_SESSION_SECRET_KEY="change me"  # required if you don't use the default test account
SOLARA_OAUTH_CLIENT_ID="x2np62qgwp6hnEGTP4JYUE3igdZWhT-AvjpjwwDyKXU"  # found in the Auth0 dashboard Clients->General Tab->ID
SOLARA_OAUTH_CLIENT_SECRET="XQlByE1pVIz5h2SBN2GYDwT_ziqArHJgLD3KqMlCHjg" # found in the Auth0 dashboard Clients->General Tab->Secret
SOLARA_OAUTH_API_BASE_URL="solara-dev.fief.dev"  # found in the Fief dashboard Tenants->Base URL
 # different from Solara's default
SOLARA_OAUTH_LOGOUT_PATH="logout"

Generating a secret key

To generate a secret key, you can use the following code:

$ python -c "import secrets; print(secrets.token_urlsafe(32))"
ZgrzSLUyft-JvnNMNJ2LgbCFVqcxPOatANAQhMD5EYU

Note: do not copy this key, run this yourself in a terminal.

OAuth Component

Solara provides two convenient components for creating a user interface for login and logout:

Avatar: This component shows the user's avatar.
AvatarMenu: This component shows a menu with the user's avatar and a logout button.

## Python version support

Please note that Python 3.6 is not supported for Solara OAuth.

Possible issues

Wrong redirection

If the redirection back to solara return to the wrong address, it might be due to solara not choosing the right default for SOLARA_BASE_URL. This can happen in a situation where you have multiple reverse proxies that communicate via https and therefore need to set the Host header. For instance this variable could be set to SOLARA_BASE_URL=https://solara.dev for the solara.dev server. If you application runs behind a subpath, e.g. /myapp, you might have to set SOLARA_ROOT_PATH=/myapp.

Wrong schema detected for redirect URL

Solara needs to give the OAuth providers a redirect URL to get back to your Solara application after navigating to the OAuth provider website. For our documentation server, we ask the OAuth provider to redirect to https://solara.dev/_solara/auth/authorize. The protocol part (https) and the domain name part (solara.dev) of this URL is constructed from the request (what the browser sends to the server).

If you are running Solara behind a reverse proxy server (like nginx), make sure that the X-Forwarded-Proto and Host headers are forwarded correctly, and the proxy server is trusted by uvicorn (by configuring the FORWARDED_ALLOW_IPS environment variable) so Solara can construct the correct redirect URL to send to the OAuth provider.

See our self hosted deployment for more information on how to configure your reverse proxy server.