Solara•4mo ago
Cyrus

Redirect URI error when testing login in solara app

Hi, I am trying to test an auth example in solara via okta. I have configured my app in okta following the solara docs and I am trying to test (locally) a simple login button. The relevant part of the snippet is

```python
import solara
from solara_enterprise import auth

@solara.component
def Page():

    [...]

    if not auth.user.value:
        #print(auth.get_login_url())
        with solara.Tooltip('Login'):
            solara.Button(icon_name="mdi-login", href=auth.get_login_url(), icon=True)
```

I see the login button appear in my app but when I click on it I get an invalid_request error in the browser saying that the redirect_uri parameter in the request did not match any of the Login redirect URIs configured in the client application settings. If I print the output of get_login_url I get /_solara/auth/login?redirect_uri=http%3A//localhost%3A8080 which is missing the main base url (what sets that value?). Am I missing something in the configuration? I am setting these in my .env
```
SOLARA_SESSION_SECRET_KEY=<<mysecretkey>>
SOLARA_OAUTH_CLIENT_ID=<<myclientid>>
SOLARA_OAUTH_CLIENT_SECRET=<<myclientsecret>>
SOLARA_OAUTH_API_BASE_URL=https://<<myissuer>>
SOLARA_SESSION_HTTPS_ONLY=False
SOLARA_BASE_URL=http://localhost:8080
```
and in okta I have set application login url as: http://localhost:8080/_solara/auth/login and allowed callback urls as:
authorize: http://localhost:8080/_solara/auth/authorize
logout: http://localhost:8080/_solara/auth/logout
Is this correct?
7 Replies
iisakkirotko•4mo ago
Hey @Cyrus! I suspect that you have to allow http://localhost:8080 as a redirect url in your Okta configuration. I'm not familiar with Okta in particular, but usually there is something akin to a "URL configuration" section for OAuth providers, where valid redirect_urls should be listed.
> If I print the output of get_login_url I get /_solara/auth/login?redirect_uri=http%3A//localhost%3A8080

That's correct. Since the url provided to href starts with a slash, it is relative to the domain, and gets automatically added to the end of whatever domain you're on.
CyrusOP•4mo ago
I think I tried that before and didn't work. I'll try again and let you know.
Indeed I still get the browser error 😦
iisakkirotko•4mo ago
Interesting. I'll give it a try tomorrow and we'll see where I get. We do officially only support auth0 and Fief, so I'm not sure if it's possible to make Okta work.
CyrusOP•4mo ago
Thanks. I think auth0 is okta?
iisakkirotko•4mo ago
Ah I see. Then we should certainly be able to make it work
mariobuikhuizen•4mo ago
Is the URL of the browser error your configured SOLARA_OAUTH_API_BASE_URL, or is it showing: dev-y02f2bpr8skxu785.us.auth0.com?
CyrusOP•4mo ago
It looks like some default url associated with my configured domain. I don't see dev-y02f2bpr8skxu785.us.auth0.com but it doesn't look like the right url either.
It is probably some misconfiguration on my end.
I think I got it to work for login. But log out url is still broken.
@mariobuikhuizen @iisakkirotko Looking at the get_logout_url function I see that it returns
```python
f"{url}?returnTo={return_to}&redirect_uri={return_to}&post_logout_redirect_uri={return_to}&client_id={client_id}"
```
Looking at this, the url seems to have redundancy and combine elements from the Auth0 logout endpoint
```
v2/logout?
  client_id={yourClientId}&
  returnTo=LOGOUT_URL
```
and the OIDC logout endpoint
```
/oidc/logout?
  post_logout_redirect_uri=LOGOUT_URL&
  id_token_hint=ID_TOKEN_HINT
```
Is this a bug or expected? When I use it as is in my app (which expects the oidc format) it leads to an error. Note that I am setting SOLARA_OAUTH_LOGOUT_PATH="oauth2/v1/logout" because otherwise it uses v2/logout. From https://{api_base_url}/.well-known/openid-configuration, these are the endpoints that I would need to use:
```json
{
  "issuer": "https://{api_base_url}",
  "authorization_endpoint": "https://{api_base_url}/oauth2/v1/authorize",
  "token_endpoint": "https://{api_base_url}/oauth2/v1/token",
  "userinfo_endpoint": "https://{v}/oauth2/v1/userinfo",
  "end_session_endpoint": "https://{api_base_url}/oauth2/v1/logout",
  // Other metadata
}
```
but solara doesn't seem to be making use of these. Do you know if I have to write my own custom functions to get urls and make requests to handle auth, or can solara support this out of the box and I am somehow not doing it properly?

Update. I can make the app auth work by using this
```python
def get_logout_url():
    return '_solara/auth/logout'
```
I am still wondering why auth.utils.get_logout_url returns that other url.
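
The two logout formats quoted in the post above, built separately and compared with the mixed URL, as an added example that is not part of the thread and not Solara's code. The function names, the `idp.example.test` issuer and all sample values are assumptions made for illustration.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed provider metadata shaped like the discovery document quoted above;
# idp.example.test is a placeholder issuer, not a real tenant.
DISCOVERY = {
    "issuer": "https://idp.example.test",
    "end_session_endpoint": "https://idp.example.test/oauth2/v1/logout",
}
# The two parameters the thread lists for the OIDC logout format.
OIDC_PARAMS = {"post_logout_redirect_uri", "id_token_hint"}


def oidc_logout_url(discovery, post_logout_redirect_uri, id_token_hint):
    """Build a logout URL from the provider's advertised end_session_endpoint."""
    endpoint = discovery.get("end_session_endpoint")
    if not endpoint:
        raise ValueError("provider metadata has no end_session_endpoint")
    if urlsplit(endpoint).scheme != "https":
        raise ValueError("end_session_endpoint must use https")
    query = urlencode({
        "post_logout_redirect_uri": post_logout_redirect_uri,
        "id_token_hint": id_token_hint,
    })
    return f"{endpoint}?{query}"


def auth0_logout_url(api_base_url, client_id, return_to):
    """Build the Auth0-style v2/logout URL with client_id and returnTo."""
    query = urlencode({"client_id": client_id, "returnTo": return_to})
    return f"{api_base_url.rstrip('/')}/v2/logout?{query}"


def compare_to_oidc(url):
    """Return (extra, missing) parameter names relative to OIDC_PARAMS."""
    names = set(parse_qs(urlsplit(url).query))
    return sorted(names - OIDC_PARAMS), sorted(OIDC_PARAMS - names)


if __name__ == "__main__":
    back = "http://localhost:8080"
    print(oidc_logout_url(DISCOVERY, back, "constructed.id.token"))
    print(auth0_logout_url("https://idp.example.test", "constructed-client", back))
    # Same parameter mix as the f-string quoted in the thread.
    mixed = (DISCOVERY["end_session_endpoint"] + "?returnTo=x&redirect_uri=x"
             "&post_logout_redirect_uri=x&client_id=constructed-client")
    print(compare_to_oidc(mixed))
```

The logout return address has to be registered with the provider in the same way as the login redirect URIs discussed earlier in the thread.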