API / python client access to application secured via oauth

[blenzi]

• [ x] I have searched to see if a similar issue already exists.

Is your feature request related to a problem? Please describe.

I have a gradio application that is secured via oauth like in the example here: https://www.gradio.app/guides/sharing-your-app#o-auth-with-external-providers. I would like to access it using the python client as well. Is there a way to do it securely, for exemple adding a password authentication or some other method on top ? It looks like auth and auth_dependency cannot be used together in gr.mount_gradio_app

[abidlabs]

Not yet, but this is something we could look into supporting!

[blenzi]

Thanks! Any ideas what and how long this could take, please ?

[mussonero]

for a workaround i am using this for API calling:

@app.post('/api_auth')
async def api_auth(request: Request):
    try:
        form = await request.form()
        username, password = form.get('username'), form.get('password')
        if not username or not password or 'api_gradio' not in username:
            return RedirectResponse(url='/logout')
        
        access_token_data = keycloak_openid.token(username, password)
        access_token_data.pop('id_token', None)
        access_token = access_token_data.pop('access_token', None)
        request.session.update({
            'keycloak_token': access_token_data,
            'expires_at': int(time()) + 5 * 60,
        })
        
        user_info = keycloak_openid.userinfo(access_token)
        if user_info:
            session_id = get_hashed_session_id(request.cookies.get('session_id'))
            if session_id:
                await SessionDatabase(db_name=keycloak_sessions_db_file).set_user(
                    user_info['preferred_username'], session_id, user_info, request.session['keycloak_token'])
        
        request.session['user'] = user_info
        if any(group['name'] == KEYCLOAK_GROUP or group['path'] == KEYCLOAK_GROUP_PATH for group in keycloakadmin.get_user_groups(user_info['sub'])):
            return
        return RedirectResponse(url='/logout')
    except Exception as e:
        print(f"Authentication failed: {e}")
        return RedirectResponse(url=f'{root_path}/logout')


@app.route('/login', methods=['GET', 'POST'])
async def login(request: Request):
    try:
        request.session.clear()
        request.session['nonce'] = generate_nonce()
        
        form = await request.form()
        username, password = form.get('username'), form.get('password')
       # Here  you can implement other method, if the call is an API call
        if username and 'api_gradio' in username and password:
            return RedirectResponse(url=f'{root_path}/api_auth')
        
        auth_url = keycloak_openid.auth_url(
            redirect_uri=request.url_for('auth'), scope='openid offline_access profile email', nonce=request.session['nonce'])
        return RedirectResponse(auth_url)
    except Exception as e:
        print(f"Login failed: {e}")
        return RedirectResponse(url=f'{root_path}/logout')

[abidlabs]

Hi @blenzi we looked into this but allowing either password authentication or OAuth complicates the security model and workflow and will likely lead to security issues, so I don't think we'll implement this in core. You could either refer to @mussonero's suggestion above as a workaround!