AI/ragflow
1
0
Fork 0
mirror of https://git.mirrors.martin98.com/https://github.com/infiniflow/ragflow.git synced 2025-06-20 18:24:13 +08:00
Code Issues Packages Projects Releases Wiki Activity
ragflow/api/apps/auth
History
Chaoxi Weng 6ed81d6774
Feat: Add OAuth state parameter for CSRF protection (#7709) 
### What problem does this PR solve?

Add OAuth `state` parameter for CSRF protection:
- Updated `get_authorization_url()` to accept an optional state
parameter
- Generated a unique state value during OAuth login and stored in
session
- Verified state parameter in callback to ensure request legitimacy

This PR follows OAuth 2.0 security best practices by ensuring that the
authorization request originates from the same user who initiated the
flow.

### Type of change

- [x] New Feature (non-breaking change which adds functionality)
2025-05-20 09:40:31 +08:00
..
__init__.py
Refa: Deprecate /github_callback in favor of /oauth/callback/<channel> for GitHub OAuth integration (#7587)
2025-05-15 14:39:37 +08:00
github.py
Refa: Deprecate /github_callback in favor of /oauth/callback/<channel> for GitHub OAuth integration (#7587)
2025-05-15 14:39:37 +08:00
oauth.py
Feat: Add OAuth state parameter for CSRF protection (#7709)
2025-05-20 09:40:31 +08:00
oidc.py
Feat: Add /login/channels route and improve auth logic for frontend third-party login integration (#7521)
2025-05-08 10:23:19 +08:00
README.md
Docs: Improve oauth configuration documentation and examples (#7675)
2025-05-16 14:17:39 +08:00

README.md

Auth

The Auth module provides implementations of OAuth2 and OpenID Connect (OIDC) authentication for integration with third-party identity providers.

Features

  • Supports both OAuth2 and OIDC authentication protocols
  • Automatic OIDC configuration discovery (via /.well-known/openid-configuration)
  • JWT token validation
  • Unified user information handling

Usage

# OAuth2 configuration
oauth_config = {
    "type": "oauth2",
    "client_id": "your_client_id",
    "client_secret": "your_client_secret",
    "authorization_url": "https://your-oauth-provider.com/oauth/authorize",
    "token_url": "https://your-oauth-provider.com/oauth/token",
    "userinfo_url": "https://your-oauth-provider.com/oauth/userinfo",
    "redirect_uri": "https://your-app.com/v1/user/oauth/callback/<channel>"
}

# OIDC configuration
oidc_config = {
    "type": "oidc",
    "issuer": "https://your-oauth-provider.com/oidc",
    "client_id": "your_client_id",
    "client_secret": "your_client_secret",
    "redirect_uri": "https://your-app.com/v1/user/oauth/callback/<channel>"
}

# Github OAuth configuration
github_config = {
    "type": "github"
    "client_id": "your_client_id",
    "client_secret": "your_client_secret",
    "redirect_uri": "https://your-app.com/v1/user/oauth/callback/<channel>"
}

# Get client instance
client = get_auth_client(oauth_config)

Authentication Flow

  1. Get authorization URL:
auth_url = client.get_authorization_url()
  1. After user authorization, exchange authorization code for token:
token_response = client.exchange_code_for_token(authorization_code)
access_token = token_response["access_token"]
  1. Fetch user information:
user_info = client.fetch_user_info(access_token)

User Information Structure

All authentication methods return user information following this structure:

{
    "email": "user@example.com",
    "username": "username",
    "nickname": "User Name",
    "avatar_url": "https://example.com/avatar.jpg"
}