fspijkerman / dash-okta-auth Goto Github PK

currently, if a user has logged in okta but his session has expired, the dash app is not updated anymore as the calls to /_dash-... are receiving a redirect (302) they cannot manage.
I have hacked the following solution that appears to work:

1. add an element of type dcc.Location(refresh=True, id="URL_OUT"), in the app layout
2. trigger a change on this element when Dash is sending a /_dash-update-component and the session is not authorized. For this, change in the "login_request" (https://github.com/fspijkerman/dash-okta-auth/blob/master/dash_okta_auth/okta_oauth.py#L45) from

    def login_request(self):
        # send to okta auth page
        return redirect(url_for("okta.login"))

to

    def login_request(self):
        # send to okta auth page
        if request.path.startswith("/_dash-update-component"):
            import json
            return json.dumps({"response": {"URL_OUT": {"href": "http://127.0.0.1:8051/login/okta"}}, "multi": True})
        return redirect(url_for("okta.login"))

Today, the ID of the dcc.Location is hardcoded but it could be passed as a configuration parameter.

Is this a reasonable fix ?

I have the impression the library will, on every request, the wrapper calls is_authorized which calls self.okta.session.get(f'{self.base_url}/userinfo') (https://github.com/fspijkerman/dash-okta-auth/blob/master/dash_okta_auth/okta_oauth.py#L37) to retrieve the 'email' of the user. Is that correct ?

If so, it adds latency to each call just to get the email which is often already available in the JWT.
Is it possible to disable this call ?

i'm using a virtual env and installing from the requirements.txt file.

application will run if i remove auth='auth' but then I get an error from Okta:

"Description: The 'redirect_uri' parameter must be an absolute URI that is whitelisted in the client app settings."

I'm following https://github.com/okta/samples-python-flask/tree/master/okta-hosted-login
to set up the app on Okta (only difference a use of port 8050 for call back). The link to okta set up for flask-dance does not work btw.

any ideas?

thanks!!

The okta provider was removed in flask_dance. I was able to reuse most of your code replacing okta using the OAuth2ConsumerBlueprint.
You can find my demo application here: github.com/nicohein/dash-okta-oauth2
Let me know if you are interested in a pull request for your project. I haven't forked your project yet because I used a slightly different structure.