📣 New release v2.3.0 of dash-auth

RenaudLN · March 19, 2024, 7:42am

Hey all, dash-auth 2.3 is now available it adds the following capabilities:

OIDC authentication, you can now ask your users to log into your app via social login or SSO
Protect parts of your app (page, callbacks, functions) by checking that users are part of the right groups (or have the roles)
BasicAuth also gets an uplift:
- the username of the user is available in the flask session
- Usernames can be linked to groups to enable the above RBAC feature

Read more about implementing this in your apps at GitHub - plotly/dash-auth: Basic Auth and Plotly Authentication for Dash Apps

adamschroeder · March 19, 2024, 12:51pm

This is big news. Thank you so much for the hard work and the PR, @RenaudLN .

And it also works with Pages for a multi-page Dash app

warrenon · March 19, 2024, 1:16pm

great additions! thanks @RenaudLN

Tobs · March 19, 2024, 1:26pm

Does this update allow you to authenticate with Azure B2C? What if multiple users login simultaneously, how is that managed?

warrenon · March 19, 2024, 1:28pm

how do you access the username in the flask session?

dash-beginner · March 20, 2024, 5:46pm

@RenaudLN - Was just looking through the latest release changes for this and was wondering whether the group-based permission check is all that secure? I’m probably missing something, but could the end-user not just change the session[“groups”] key to “admin” if they wanted to, or does that somehow invalidate access token?

Edit: I guess looking into it a bit more, Flask sessions are tamper-proof because they’re signed by the Flask server’s secret key, so the above should be moot.

jinnyzor · March 20, 2024, 6:07pm

@dash-beginner, yes and no.

It is easy to pull the info from the cookie, and if you have a non-secure key, the cookies themselves can be crafted, albeit the person needs to know the key.

dash-beginner · March 20, 2024, 6:15pm

By the “key” are you referring to the access token that’s stored in the cookie from the OIDC handshake or the secret key that’s used to sign the cookie?

jinnyzor · March 20, 2024, 6:22pm

This is the key I am referring to:

This key is used to craft the cookie that is stored on the client.

To this point, I often times will see people generate random keys because its secure. It is, but if you have multiple backends, then these keys will never match and cause headaches.

Even in one instance, every time your server reboots you have to log in again…

RenaudLN · March 20, 2024, 8:33pm

You should use the flask option secure session cookie so that you can’t decrypt it even if you have the secret key. I added a parameter in OIDCAuth to automatically set this.

See this article for more detail about securing your session Cookie Security for Flask Applications - miguelgrinberg.com

frankfnl · May 21, 2024, 7:45am

Awesome work! I’m wondering how to change the redirect_url? I couldn’t find a specific example in the documentation.

RenaudLN · May 21, 2024, 8:18am

Glad it helps you can change the redirect URI with the callback_route argument. Note that it needs to have a <idp> route placeholder in there. The default value is "/oidc/<idp>/callback"

frankfnl · May 21, 2024, 9:29am

Thanks I tried this but it didn’t affect the redirect uri sent by Dash.

auth = OIDCAuth(app, secret_key=secret_key)
auth.register_provider(
    "idp",
    token_endpoint_auth_method="client_secret_post",
    client_id=client_id,
    client_secret=client_secret,
    server_metadata_url=server_metadata_url,
    callback_route="/oidc/<idp>/something_else",
)

The redirect uri is still http://localhost:8050/oidc/idp/callback
Sorry if its very obvious!

RenaudLN · May 21, 2024, 9:37am

Callback_route is defined on OIDCAuth, not on register_provider

frankfnl · May 21, 2024, 11:05am

It works like a charm!

mkm · May 31, 2024, 6:32pm

The addition of OIDC is really awesome! Thank you for your work on this.

Is it possible to add an authorization hook somewhere in the process? I have OIDC authentication set up successfully with Google as the IdP, but now I’d like to control authorization based on membership in a specific Google Group within our org. That would involve calling a Google API to check group membership with the user’s access token before returning the page.

jinnyzor · May 31, 2024, 7:26pm

Hello @mkm,

Welcome the community!

Check out my PR here and see if this is something that you are interested in?

github.com/plotly/dash-auth

auth-flow adjustments

plotly:main ← BSd3v:auth-adjustments

opened 06:38PM - 21 Mar 24 UTC

BSd3v

+431 -37

added: - user groups to the OIDC flow - added the ability to pass your own log…in_user_callback to be able to customize the flow - restritected users as a list or a function - when a function is passed, it will execute during the function of `check_groups` with the `restricted_users_lookup` dict passed as kwargs - this will also use a `user_session_key` to know whether this is matched in the returning list of `restricted_users` - `protect_layouts` to protect all layouts in the app - `auth_protect_layouts` tells the app to invoke the `protect_layouts` with the `public_routes` passed to not protect the layouts of public routes. - `auth_protect_layouts_kwargs` is the same are the additional `kwargs` passed to the function - `page_container` as the `id` of your container element for a page container, it will only check the route if it is an output. changed: - if a `idp_selection_route` is available, it will cater this even if there is only one provider, this allows for legacy logins - groups is now a list of strings or a function - when a function is passed, it will execute during the function of `check_groups` with the `group_lookup` dict passed as kwargs

mkm · May 31, 2024, 7:51pm

Yes, this looks perfect for what I’m trying to do! Looks like I could just pass my lookup function to the groups parameter in check_groups.

jinnyzor · May 31, 2024, 8:17pm

Yeah, I think that would work.

David22 · June 5, 2024, 2:32pm

Thank you for the hint, @jinnyzor

I just started using the dash_auth a few min ago, I had followed instructions available on Authentication | Dash for Python Documentation | Plotly and a very simple dash app, running on localhost.

However, after every chart update my console was literally spammed with a red “WARNING:root:Session is not available. Have you set a secret key?”

A Google search sent me to

github.com

plotly/dash-auth/blob/main/dash_auth/basic_auth.py

import base64
import logging
from typing import Dict, List, Optional, Union, Callable
import flask
from dash import Dash

from .auth import Auth

UserGroups = Dict[str, List[str]]


class BasicAuth(Auth):
    def __init__(
        self,
        app: Dash,
        username_password_list: Union[list, dict] = None,
        auth_func: Callable = None,
        public_routes: Optional[list] = None,
        user_groups: Optional[
            Union[UserGroups, Callable[[str], UserGroups]]

This file has been truncated. show original

And then, while reading your reply, I realized how stupid I was, as the place where I had to put this secret key was actually in the

dash_auth.BasicAuth(
    app, 
    VALID_USERNAME_PASSWORD_PAIRS, 
    secret_key="somestring"
)

Thanks. Writting this reply here as it might help others

Topic		Replies	Views
Adding Microsoft Authentication to Dash App Dash Python question	10	1976	January 8, 2025
Duo 2FA Integration? Dash Python	7	520	October 5, 2022
App crashes after a week or so, general question (basic auth + ldap auth, flask.session) Dash Python question	8	21	March 25, 2025
Get username for authenticated user with Dash Basic Auth Dash Python	15	10545	April 9, 2025
Can you add Azure AD login with flask oauth or flask oidc? Dash Python	2	1453	November 3, 2020

📣 New release v2.3.0 of dash-auth

Related topics