Separate Authorization Request Validation and Response

[imgurbot12]

Is your feature request related to a problem? Please describe.

Currently, it seems it is not possible to validate an authorization request separately from generating an authorization response.
This means that a user must be redirected to a login and be logged in before the initial authorization request processing can be made. Otherwise the request fails due to missing user information

This is very problematic because it means only after the user has properly logged in does the oauth-server report an error with the criteria passed ahead of time to the server making the login virtually pointless.

Describe the solution you'd like

It would be very beneficial to have some sort of workflow like this:

def authorize(request):
  server = AuthorizationServer(storage=storage)
  state = server.validate_authorization_request(request)
  redirect('/login')
  
def post_login(request, state):
  server   = AuthorizationServer(storage=storage)
  response = server.create_authorization_response(state)
  return response

Looking at the existing fastapi example it does not seem
like a solution or workaround exists otherwise.

[aliev]

Hi @imgurbot12 ! I'll review your PR ASAP. Thanks for your contribution!

[imgurbot12]

Hi @imgurbot12 ! I'll review your PR ASAP. Thanks for your contribution!

awesome, thanks :)

[shawn-monadical]

Another important reason to have this is to validate the request URI so that you can safely return an error to the downstream client if there's a problem during the upstream authentication process.

For example, imagine a client sends a request to your authorize endpoint, and before calling AuthorizationServer.create_authorization_response, you first want to present them with a login page. Then on the login page, the user clicks cancel. In that case you should redirect back to the client with an access_denied error code, but since you haven't called create_authorization_response yet, you can't be sure if the redirect URI is valid for that client.

With this change, you would be able to first call validate_authorization_request before presenting the login page, and then if there's an error during the login process, you can safely redirect them to the redirect URI with the error code specified since the redirect URI has been validated already.

[thearchitector]

I support splitting validation from authorization code generation; as it stands, expecting the user to be logged in before validating the auth request (or as a part of it, as currently happens) is actually not compliant with the OIDC specification, where it's explicitly stated that login should be happening after the initial authorization request is validated.

Seems like this package also doesn't follow the proper error OIDC codes for failures, either.

[aliev]

Hey, @thearchitector!

I'm currently working on the v2 version of aioauth, but progress is very slow as I lack the time to fully focus on the project and address all issues of the previous version. If you already have ideas on splitting validation and response, I would be very happy to see your contribution! The master branch currently contains the latest changes for v2.