Cookies and GitHub authentication

[davidbrochart]

I'll summarize what I did:

• Open an incognito window in Google Chrome at http://127.0.0.1:8000 (my local server).
• In the "Welcome back" page, I click on "# with GitHub".
• I # with my email address and password.
• I authorize through two-factor authentication.
• I finalize the # with the same email address.
• I get lots of 403, and refreshing the page doesn't help.
• I delete cookies for 127.0.0.1 and reload the page.
• Now everything works fine.

I don't understand why deleting cookies helps?

[frankie567]

Would you be able to catch the 403 errors and see if there is an error message? Look in the response body and in the headers.

We use cookies extensively to maintain the login flow through the multiple redirections done with OAuth2, so that might explain why flushing cookies help.

[davidbrochart]

There is nothing except {detail: "Forbidden"}.
I think this is the result of the FiefAuth.current_user(permissions) dependency, and it might be related to what I'm trying to do: set the user permissions in the auth callback by making requests to POST /admin/api/users/{user_id}/permissions. These requests are successful, but maybe the auth callback's response doesn't take into account the new permissions when setting the cookie?

[frankie567]

Ah yes, that's expected. The list of permissions is bundled in the access_token, so even if you update it with the API, the access token still has the previous set of permissions.

Two things to try then:

• You can set a Role as granted by default. This way, Fief will automatically assign a Role and the related set of permissions to a user when they register. However, this is not dynamic, so it may not fit your use-case if you need to assign permissions based on some specific logic.
• After having updated the permissions on the user, you can request a new access_token using the refresh_token. If you ask for the scope offline_access (besides openid), you'll get this refresh token. You can use it with the auth_refresh_token method.

[davidbrochart]

• You can set a Role as granted by default.

That seems to be the easiest, thanks!
One thing I noticed when adding permissions to the new role, I get a list of 10 permissions only, so I cannot set all of them. Maybe it's because GET /permissions/ lists 10 permissions by default?
Actually, it would be nice to have a "Add all permissions" button, then I could remove the ones I don't want.

[davidbrochart]

Actually, granting a role by default doesn't help. I still have to remove the cookie, then it works fine.

[davidbrochart]

• After having updated the permissions on the user, you can request a new access_token using the refresh_token. If you ask for the scope offline_access (besides openid), you'll get this refresh token. You can use it with the auth_refresh_token method.

That works, thanks!

[frankie567]

• You can set a Role as granted by default.

That seems to be the easiest, thanks! One thing I noticed when adding permissions to the new role, I get a list of 10 permissions only, so I cannot set all of them. Maybe it's because GET /permissions/ lists 10 permissions by default? Actually, it would be nice to have a "Add all permissions" button, then I could remove the ones I don't want.

You can use the limit parameter to have more items on one page (up to 100). If there's more than that (😮), you'll need to make several requests until you reach the end, thanks to the skip parameter.

Actually, granting a role by default doesn't help. I still have to remove the cookie, then it works fine.

Hmm, right. The current implementation does the operation in the worker; so when the callback happens, the worker still hasn't processed the roles. I think we can consider it a bug!

[davidbrochart]

You can use the limit parameter to have more items on one page (up to 100). If there's more than that (), you'll need to make several requests until you reach the end, thanks to the skip parameter.

Yes I do that, that's why I'm suspecting that Fief doesn't do it. I'm talking about this form where only 10 permissions are shown:

[frankie567]

Ah yes, from the UI! I designed it to be more of a search box where you look for the permissions. But I understand it may not be practical when having lot of permissions.

[davidbrochart]

Ah I didn't know you could search, maybe it could have something like "Search permission" as a background text?
But then I think that when there are lots of permissions this becomes really useful:

Actually, it would be nice to have a "Add all permissions" button, then I could remove the ones I don't want.