OIDC Cognito dash_auth

I am using dash_auth with OIDC to connect to my Cognito IdP.

I have the following code to connect to my OIDC provider with a multi-page configuration:

import dash
from dash import Dash, html
from dash_auth import OIDCAuth

app = Dash(__name__, use_pages=True)
# callback_route is set to the same path as the page (pages/folder/page1.py)
auth = OIDCAuth(app, secret_key="SecretKeyGeneratedWithFunction", callback_route='/<idp>/page1')
auth.register_provider(
    idp_name="folder",
    client_id="client_id",
    server_metadata_url="mymetadataurl",
)
app.layout = html.Div(dash.page_container)

if __name__ == '__main__':
    app.run(debug=True, port=8052)

I am successfully redirected to my Cognito login page. However, when Cognito redirects back to my app, the page I am redirecting to (pages/folder/page1.py) receives a 302 response and is redirected to localhost:8052. During this redirection, the ?code parameter (which I need to obtain the auth token) is lost.

Does anyone know why this is happening or how to fix it?

Additionally, when I don’t use OIDCAuth, the URL /folder/page1 works as expected.

This is the request that gets a 302:
http://localhost:8052/folder/page1?code=cb8ea654-1882-4334-8cc1-318ff576612c&state=IEZVHAVKjHKmv7BqhyVud5cSlSjuXb

and it gets redirected to http://localhost:8052, where the query param ?code is lost.

Thanks in advance for your time!

Hi @josemiguely, welcome to the community!

The callback route is not the route the OIDC server redirects to when the user is authenticated, but the route that handles the “OIDC dance”. You have overwritten that route with your page route, that's why the token gets lost.
Setting the redirect URI is usually done with the OIDC provider, at least that is the case for Microsoft OIDC.

Hope this helps,
Kind regards, Christian


Hi Daten,

Thanks for your quick response! I’m still pretty new to OIDC, so I appreciate your patience. When you mention the route that handles the “OIDC dance,” could you clarify what that means? What exactly should I put there?

From what I understand in the documentation, I thought that it referred to the redirect URI.
Here’s what I found in the docs:

callback_route: str, optional
The route for the OIDC redirect URI, it requires an <idp> placeholder, by default "/oidc/<idp>/callback".

Just want to make sure I’m on the right track. Thanks again for your help!


I think this describes it pretty well, but I would do some deeper research. The callback takes care of steps 5 and 6.

You don't have to set a callback_route; dash_auth handles that on its own. The function for that is:

def callback(self, idp: str):  # pylint: disable=C0116
    """Handle the OIDC dance and post-login actions."""
    if idp not in self.oauth._registry:
        return f"'{idp}' is not a valid registered idp", 400

    oauth_client = self.get_oauth_client(idp)
    oauth_kwargs = self.get_oauth_kwargs(idp)
    try:
        # exchanges the ?code (and checks ?state) from the redirect for a token
        token = oauth_client.authorize_access_token(
            **oauth_kwargs.get("authorize_token_kwargs", {}),
        )
    except OAuthError as err:
        return str(err), 401

    user = token.get("userinfo")
    return self.after_logged_in(user, idp, token)

That function is registered as the view function behind the callback_route.

The function is from the dash-auth repo. I can recommend reading it together with the authlib documentation.

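A small check, added here as an example and not code from dash_auth or from anyone in this thread, that makes the answer concrete: it fills the <idp> placeholder to get the path dash_auth serves the callback on, derives the redirect URI that has to be allow-listed in the Cognito app client, and flags page paths that the chosen callback_route would shadow. The base URL, idp name and page path are the ones from the question; the default route is the one quoted from the docs above.

```python
from urllib.parse import urljoin

# Default quoted from the dash_auth docs in this thread; the <idp> placeholder is mandatory.
DEFAULT_CALLBACK_ROUTE = "/oidc/<idp>/callback"


def callback_path(callback_route: str, idp_name: str) -> str:
    """Concrete path the OIDC callback view is served on for one registered idp."""
    if "<idp>" not in callback_route:
        raise ValueError("callback_route requires an <idp> placeholder")
    return callback_route.replace("<idp>", idp_name)


def redirect_uri(base_url: str, callback_route: str, idp_name: str) -> str:
    """Redirect URI to register with the IdP: the IdP sends ?code&state here, not to a page."""
    return urljoin(base_url, callback_path(callback_route, idp_name))


def shadowed_pages(callback_route: str, idp_name: str, page_paths) -> list:
    """Page paths that coincide with the callback path and would be overwritten by it."""
    cb = callback_path(callback_route, idp_name).rstrip("/")
    return [p for p in page_paths if p.rstrip("/") == cb]


def check_config(base_url: str, callback_route: str, idp_name: str, page_paths) -> dict:
    """Summarise one OIDCAuth configuration: where to point the IdP and what it breaks."""
    return {
        "redirect_uri": redirect_uri(base_url, callback_route, idp_name),
        "shadowed_pages": shadowed_pages(callback_route, idp_name, page_paths),
    }


if __name__ == "__main__":
    # Constructed from the question: multi-page app with pages/folder/page1.py, idp "folder".
    base, idp, pages = "http://localhost:8052", "folder", ["/", "/folder/page1"]
    print("as posted :", check_config(base, "/<idp>/page1", idp, pages))
    print("default   :", check_config(base, DEFAULT_CALLBACK_ROUTE, idp, pages))
```

With the posted route the callback lands on /folder/page1 itself, so the page is shadowed and the ?code is consumed by the handler before any page sees it; with the default route the URI to allow-list in Cognito is http://localhost:8052/oidc/folder/callback and no page is shadowed.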

Thanks, man! You were right! It was step 5-6—thank you so much!

I was really confused because, in another frontend, I had to handle that part myself (exchanging the code with the auth server for a token) and manually set the redirect_uri.

Have a great weekend! :raised_hands:
