Experimental OAuth credential path for bfabric_asgi_auth + rest_proxy service-user migration#513
Draft
leoschwarz wants to merge 3 commits into
📝 "TODO" Changes Detected. Summary: ➕ 3 "TODO"s added. Added "TODO"s (3).
This comment is automatically updated when "TODO" changes are detected.
…513) Replaces the parallel OAuth stack in bfabric_asgi_auth with a thin layer over new public primitives in bfabric.experimental, fixes four confirmed defects, and eliminates all private cross-package imports.

Core (bfabric):
- Add `bfabric.experimental.webapp_oauth`: public entry point exposing `exchange_launch_token`, `UrlTokenContext`, `DEFAULT_OAUTH_SCOPE`
- Add `bfabric.experimental.webapp_oauth_settings`: `WebappOAuthSettings` and `OAuthClientCredentials` config models
- Add `Bfabric.connect_oauth_token`: single refresh-token-grant builder shared by WebappClient, connect_pkce, connect_device_code, and the ASGI per-request rebuild
- Add `on_token_update` callback hook to `OAuthCredentialProvider`; fires after each refresh, dropped on pickle (correct — cookie is source of truth)
- Add opt-in `audience`/`issuer` params to `verify_jwt` (default None, no behaviour change until server claims are confirmed)

ASGI (bfabric_asgi_auth):
- Add `session_factory`/`user_factory` seam to `BfabricAuthMiddleware`; defaults reproduce legacy SOAP path for backward compatibility
- Add `BfabricOAuthUser` with entity-context properties and refresh write-back via `_on_token_refresh` into the live Starlette session dict
- Add `OAuthSessionData`: minimal (base_url, token, context) cookie payload
- Add `OAuthExchangeSuccess` discriminated-union member and `create_oauth_validator` factory
- Fix mock `job_id` determinism: `abs(hash(username))` → `zlib.crc32`
- Zero private `bfabric._oauth.*` imports remain in bfabric_asgi_auth/src

Tests: 716 passing; 0 basedpyright errors/warnings on both packages

db3cf68 to e3489df
Delete BfabricUser, SessionData, create_bfabric_validator, create_mock_validator, TokenValidationSuccess, and the session_factory/user_factory middleware seam. BfabricAuthMiddleware now takes explicit client_id/client_secret and builds BfabricOAuthUser directly, threading the live session dict so refresh tokens are written back to the encrypted cookie automatically. AuthHooks.on_success payload changes from TokenData to UrlTokenContext. Eviction deferred to a follow-up (behaviour note in changelog). BDD suite repointed to the new mock OAuth validator.
The suppress comment was on the closing `)` line rather than the line containing the expression (`dict(self._session.token)`), causing four basedpyright warnings (two real + two "unnecessary ignore"). Move the comment to the dict(...) line, matching the identical pattern in _persist.
Summary

- Experimental OAuth credential path for `bfabric_asgi_auth` alongside the existing legacy path — all legacy BDD tests continue to pass unchanged
- `bfabric_rest_proxy` service-account migration from legacy feeder-user (webservice password) to OAuth `client_credentials` grant
- `WebappOAuthSettings` + `OAuthClientCredentials` in `bfabric.experimental` to supersede the deprecated `WebappIntegrationSettings`

bfabric core (`experimental/`):
- `webapp_oauth_settings.py` — `OAuthClientCredentials(client_id, client_secret, scope)` and `WebappOAuthSettings(base_url, credentials)`; these supersede `WebappIntegrationSettings` for OAuth deployments
- `webapp_integration_settings.py` now emits `DeprecationWarning` at import; retained until prod OAuth cutover

bfabric_asgi_auth:
- `create_oauth_validator(settings)` — exchanges a B-Fabric launch JWT for access+refresh tokens via RFC 8693 (`exchange_token`) and verifies claims locally against JWKS (`verify_jwt`)
- `OAuthExchangeSuccess` / `OAuthSessionData` / `BfabricOAuthUser` — parallel data model to the legacy trio; `client_secret` is never stored in the cookie session
- `make_oauth_session_factory` / `make_oauth_user_factory` — pluggable factories; injected via new `session_factory` / `user_factory` kwargs on `BfabricAuthMiddleware` (defaults preserve legacy)
- `create_mock_oauth_validator` + `OAuthMockFixture` for testing without a live server
- `oauth_authentication.feature` (6 scenarios)
- `docs/design/oauth_migration.md` — three-layer model, per-user token storage constraint, `starlette-authlib` verdict, migration timeline
- `token_context.feature` was unregistered; unit tests were excluded from `testpaths`

bfabric_rest_proxy:
- `ServerSettings.service_user_credentials: dict[str, OAuthClientCredentials]` replaces legacy `feeder_user_credentials`
- `get_bfabric_service_client` (renamed from `get_bfabric_feeder_client`) builds the privileged client via `Bfabric.connect_oauth` with shared disk cache (correct for service identity)
- `/validate_token` returns 501 when `validation_bfabric_instance` is not configured
- `BfabricAuthParam` / `/read` deferred to prod OAuth cutover

Key design constraint

Per-user OAuth tokens are stored in the encrypted cookie session (`OAuthSessionData.token`) and `OAuthCredentialProvider` is always constructed with `token_cache_path=None` — the shared disk cache keyed by `(base_url, client_id)` cannot distinguish users. Known limitation: refreshed tokens are not written back to the cookie mid-request (documented in the migration doc as future work).