Force solara to use https in redirect uris
Using Chrome's Dev Tools, I observed the following network requests after clicking the login button in my application:
Initial Login Request:
https://example.com/_solara/auth/login?redirect_uri=https%3A//example.com/return_to_path
This request looks correct as it uses https.
Authorization Request to Okta:
https://my-okta-domain.oktapreview.com/oauth2/v1/authorize?response_type=code&client_id=MY_CLIENT_ID&redirect_uri=http%3A%2F%2Fexample.com%2F_solara%2Fauth%2Fauthorize&scope=openid+profile+email&state=MY_STATE&nonce=MY_NONCE
The issue here is that the redirect_uri parameter is using http instead of https.
Is there a way to force a solara application to use https scheme/protocol for redirect URIs (for auth). I tried setting SOLARA_SESSION_HTTPS_ONLY=True and SOLARA_BASE_URL=https://example.com/ but I still see http. Maybe I could mount my solara app to a Starlette app with an added HTTPSRedirectMiddleware middleware?26 Replies
Strange, because everywhere at https://github.com/widgetti/solara/blob/master/packages/solara-enterprise/solara_enterprise/auth/starlette.py it uses SOLARA_BASE_URL (via settings.main.base_url), so if that env var is set, I don't understand why it still takes http.
A few ideas: make sure you remove cookies and cache (i've once had an old session cookie act weird).
print out
settings.main.base_url in the solara source code as a sanity checkGitHub
solara/packages/solara-enterprise/solara_enterprise/auth/starlette....
A Pure Python, React-style Framework for Scaling Your Jupyter and Web Apps - widgetti/solara
I tried incognito mode with fresh cookies and also verified that
settings.main.base_url prints the correct base url. Deploying locally I can modify solara source code to also print request.scope in the /login endpoint and it prints something like this
Given this scope (with 'scheme': 'http') I think then here my url gets defaulted to have 'http' sheme?
Shouldn't the login endpoint here be using session.main.base_url instead of request.base_url? When I set SOLARA_BASE_URL then settings.main.base_url correctly updates, while request.base_url doesn'tYes, you may be right!
I am pretty sure that is a bug, and I'll open an issue (if you don't)
However, if the proxy server is configured correctly, this should not be a problem, I think
X-Forwarded-Proto is not set in your reverse proxysee https://solara.dev/documentation/advanced/enterprise/oauth and https://solara.dev/documentation/getting_started/deploying/self-hosted
Using OAuth in your Solara app
Open Authorization can be readily integrated into your Solara applications via the Solara-Enterprise package.
Deploying and hosting your own Solara app
Solara is compatible with many different hosting solutions, such as Flask, Starlette, FastAPI, and Voila.
What load balancer are you using (that should behave as a reverse proxy)
It is a AWS Application Load Balancer (ALB) configured to listen for https requests (the security group only accepts https). I am not too knowledgeable about infra but I think the
X-Forwarded-Proto header should automatically be forwarded in our setup to indicate the protocol used by the client.@mariobuikhuizen maybe you have an idea how this can happen (i can update you tomorrow)
@Cyrus could you print out the headers you get from any request? I'd like to see what headers ALB sends
similar to the print out you did above (if it contains sensitive data, you can send it to maartenbreddels@widgetti.io)
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/x-forwarded-headers.html they should be in there
HTTP headers and Application Load Balancers - Elastic Load Balancing
Learn about the X-Forwarded request headers for Elastic Load Balancing.
I was able to grab the OAuth2 authorization request/response headers from chrome dev tool. The request chain starts when I click on my app's Login button (which href's to
auth.get_login_url).
The first request is (using placeholders to hide some stuff):
you can see the ":scheme": "https", in the request header but then http in the response location redirect_uri, which doesn't align with the redirect uris allowed in the app, thus breaking the auth flowI mean the request headers solara sees, because the load balancer will add extra headers that you don’t see in the dev console, you need to modify the Python code with a print statement for that like you did above
Ah, to print
request before I just modified solara source code locally. For the remote version connected to the ALB I can try embedding my solara app in Starlette and then overwriting the _solara/auth/login route to point to a custom endpoint in the app with logging statements. Will let you know how it goes.
OK, so with my own custom login function I was able to fix the problem by implementing the bug fix suggested in the issue. I was also able to add print statements and verify that indeed request.base_url is using http compared to settings.main.base_url. I also printed headers confirming that the ALB is forwarding things correctly (with 'x-forwarded-proto': 'https'):
So it looks like it was the bug that we discussed above
@MaartenBreddels Would you like me to create a (tiny) PR for this?Hi Cyrus, no thanks, not yet, I need to dig into starlette a bit to see why this does not work, because everything is setup correctly
I think this is something that uvicorn should be told to do..
Uvicorn
The lightning-fast ASGI server.
could you try that?