
State set by Chainlit before call to auth provider is not base64 encoded #972

Open
ankitgupta-ag opened this issue May 7, 2024 · 1 comment

Comments


ankitgupta-ag commented May 7, 2024

Describe the bug
AWS Cognito requires that calls to the /oauth2/authorize endpoint must have the state parameter base64 encoded: https://docs.aws.amazon.com/cognito/latest/developerguide/authorization-endpoint.html#get-authorize

Chainlit however simply creates a 32 character state randomly without encoding the string to base64. https://github.com/Chainlit/chainlit/blob/main/backend/chainlit/server.py#L370

This issue occurs randomly whenever the 32 character state has characters not typically found in a base64 string (like $,%,^).

To Reproduce
Steps to reproduce the behavior:

  1. Go to an endpoint running Chainlit with auth providers configured. I tested this with AWS Cognito.
  2. Start inspecting the network calls on the browser.
  3. Try to login through Cognito. Continue with the authorization flow.
  4. Observe the calls made to /oauth2/authorize.
  5. Check the state parameter set in the location header in the response received from the Chainlit application.
  6. If the state parameter has special characters, observe the 400 bad request error code from calls to the Cognito domain.
  7. Retry steps 1-6 above and expect the calls to /oauth2/authorize to succeed when the state parameter no longer has special characters.

Expected behavior
The expectation is that Chainlit encodes the string to base64 before setting it as the state and calling the configured auth providers.


Desktop (please complete the following information):

  • OS: MacOS
  • Browser: Firefox, Chrome
@aniruddha-adhikary

This has affected and prevented us from using AWS Cognito.

https://github.com/Chainlit/chainlit/blob/main/backend/chainlit/secret.py#L5

The ^ character is not accepted by AWS Cognito in a value for the state during /oauth2/authorize. We monkey-patched the issue for now by including this in our chainlit app.

from chainlit import secret

# We have to do this because, `^` in the OAuth /authorize step
# trips up AWS Cognito. So we are monkey-patching out this
# character.
# FIXME: Remove this monkeypatch once chainlit fixes it
secret.chars = secret.chars.replace("^", "")

Looking forward to a long-term fix!
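The fix the report asks for and the workaround above both come down to the same thing: the state must only ever contain base64 characters. The following is an added example, not Chainlit's code: it derives the state from random bytes and base64-encodes it (24 bytes give exactly 32 characters), refuses to build a redirect with a state outside the base64 alphabet, and checks the echoed state on the callback in constant time, which is the CSRF property the parameter exists for. The authorize endpoint, client id and redirect URI used with it are constructed placeholders.

```python
import base64
import hmac
import secrets
import string
from urllib.parse import parse_qs, urlencode, urlsplit

# RFC 4648 standard base64 alphabet plus the '=' padding character.
_B64_ALPHABET = frozenset(string.ascii_letters + string.digits + "+/=")


def is_base64_state(state: str) -> bool:
    """True only if every character is base64 and the string decodes cleanly.
    A state such as 'Q^7$...' (the characters the issue names) fails here."""
    if not state or any(ch not in _B64_ALPHABET for ch in state):
        return False
    try:
        base64.b64decode(state, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return True


def encoded_state(nbytes: int = 24) -> str:
    """Random bytes, base64-encoded: 24 bytes -> 32 characters, always valid base64."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def authorize_url(authorize_endpoint: str, client_id: str,
                  redirect_uri: str, state: str) -> str:
    """Build the /oauth2/authorize redirect. urlencode percent-escapes '+', '/'
    and '=' so the provider receives the exact base64 string after decoding."""
    if not is_base64_state(state):
        raise ValueError("state must be base64 before it is sent to the provider")
    query = urlencode({"response_type": "code", "client_id": client_id,
                       "redirect_uri": redirect_uri, "state": state})
    return f"{authorize_endpoint}?{query}"


def state_from_callback(callback_url: str) -> str:
    """Extract the state the provider echoed back on the redirect_uri."""
    return parse_qs(urlsplit(callback_url).query).get("state", [""])[0]


def state_matches(expected: str, received: str) -> bool:
    """Constant-time comparison of the stored state with the echoed one."""
    return hmac.compare_digest(expected.encode(), received.encode())
```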
