feat(auth): add allow_sign_up environment variable for OpenID Connect

[RogerHYang]

resolves #7255

Add OAuth2 Sign-Up Control

This PR introduces OAuth2 authentication support with granular control over user sign-up behavior. Key changes include:

1. Sign-Up Control:

   • Added PHOENIX_OAUTH2_{IDP_NAME}_ALLOW_SIGN_UP environment variable for each OAuth2 identity provider
   • When set to false, only existing users can sign in via OAuth2
   • New users attempting to sign in are redirected to login page with error message
   • Existing users with password authentication cannot switch to OAuth2

2. Database Migration:

   • Added new auth_method column to users table to distinguish between LOCAL and OAUTH2 authentication
   • Implemented migration script to populate auth_method based on existing credentials
   • Added CHECK constraints to ensure data integrity:
     • Valid auth_method values ('LOCAL' or 'OAUTH2')
     • Proper credential combinations (password_hash for LOCAL, OAuth2 credentials for OAUTH2)
   • Removed legacy constraints replaced by new auth_method column
   • Added comprehensive migration tests for both upgrade and downgrade paths
   • Ensured compatibility with both SQLite and PostgreSQL backends

3. Core Authentication Changes:

   • Added OAuth2 authentication method alongside existing local authentication
   • Enhanced user model to support OAuth2 credentials (client_id and user_id)
   • Added auth_method field to distinguish between LOCAL and OAUTH2 users
   • Implemented proper handling of OAuth2 user credentials and validation

4. Testing and Validation:

   • Added comprehensive test coverage for OAuth2 authentication flows
   • Test cases for both allowed and disallowed sign-up scenarios
   • Validation of OAuth2 credentials and user information
   • Error handling tests for various edge cases
   • Integration tests for complete OAuth2 authentication flow

5. Security and Error Handling:

   • Proper validation of OAuth2 client IDs and user IDs
   • Secure handling of OAuth2 tokens and credentials
   • Clear error messages for authentication failures
   • Protection against unauthorized authentication method changes

The changes maintain backward compatibility with existing local authentication while adding robust support for OAuth2 authentication. The implementation includes proper validation, error handling, and comprehensive test coverage for various authentication scenarios, with particular focus on the new ability to control OAuth2 sign-up behavior through environment variables.

[axiomofjoy]

Chatted with @RogerHYang. I'm thinking we ought to weaken the exactly_one_auth_method constraint on the users table to avoid the dummy values in the OAuth-related columns.

One option:

• auth_type enum column for LOCAL and OAUTH2
• constraint that if auth_type is LOCAL the password hash should be non-null and the OAuth2-related columns should be null
• constraint that if auth_type is OAUTH2 the password hash should be null

[axiomofjoy]

Suggested change

	if username := self.username:
	object.__setattr__(self, "username", username.strip())
	if profile_picture_url := self.profile_picture_url:
	object.__setattr__(self, "profile_picture_url", profile_picture_url.strip())
	if (username := self.username) and (stripped_username := username.strip()):
	object.__setattr__(self, "username", stripped_username)
	if (profile_picture_url := self.profile_picture_url) and (stripped_profile_picture_url := profile_picture_url.strip()):
	object.__setattr__(self, "profile_picture_url", stripped_profile_picture_url)

[RogerHYang]

it's not clear to me why these local variables are more clear, since they are just a rearrangement of letters

stripped_profile_picture_url := profile_picture_url.strip()

[axiomofjoy]

Instead of relying on the password being blank, can we make add a authType enum to the input with LOCAL or OAUTH2 values and make the password an optional?

[mikeldking]

I agree that we need to make this more declarative. The code block below is not self evident and requires tribal knowledge.

The UI is also going to have to build affordances for this for it to actually work so using an enum makes the most sense here to me.

[mikeldking]

I think since this is basically just additive and low-risk it makes sense to merge this. I do still have a bit of concern around the UX in the UI where it's not entirely gonna be obvious that this new method if invitation should be used.

Wouldn't in this case the entire system have to be disabled for signups such that the admins are forced to invite only via "TBD" flow? Obviously these things don't need to be solved in this PR but I think it's worth brainstorming the invitation flow a bit more from a UX perspective.

[mikeldking]

Not sure I follow what these are?

[mikeldking]

I think I get it moving down - but I think you should add a docstring here sincde as raw constants it's hard to tell what they do.

[axiomofjoy]

For context, these are dummy values that are being added to satisfy the exactly_one_auth_method check constraint:

phoenix/src/phoenix/db/models.py

Line 1085 in f882faf

CheckConstraint(

I think it makes sense to relax that constraint since it too restrictive in a world where an OAuth2 user can be added before their OAuth2 client and user IDs have been recorded.

[axiomofjoy]

Then the dummy values become unnecessary.

[axiomofjoy]

It sounds like you would prefer to keep the constraint and use dummy values @mikeldking?

[mikeldking]

I agree that we need to make this more declarative. The code block below is not self evident and requires tribal knowledge.

The UI is also going to have to build affordances for this for it to actually work so using an enum makes the most sense here to me.

[axiomofjoy]

Looks like there's an empty file constants.py

[axiomofjoy]

Suggested change

	if match := re.match(r"(?P<email>.*)\((?P<auth_method>\w+)\)$", email_part, re.IGNORECASE):
	email_addr = match.group("email").strip()
	if match := re.match(r"(?P<email>.+)\((?P<auth_method>\w+)\)$", email_part, re.IGNORECASE):
	email_addr = match.group("email").strip()

Non-empty email??

[axiomofjoy]

This change looks like it's intended to handle a case where the user is newly created, but there is a mismatch between the newly created user's email and the email from the OIDC token. But that shouldn't be possible since we use that exact email when creating the user.

[RogerHYang]

yea, this one is unintentional

[RogerHYang]

not sure how it got changed. good catch

[axiomofjoy]

These comments look out of date.

[RogerHYang]

you're right. very sharp eyes

[axiomofjoy]

Suggested change

	def __post_init__(self) -> None:
	if self.auth_method is AuthMethod.OAUTH2:
	if self.password:
	raise ValueError("Password is not allowed for OAuth2 authentication")
	elif not self.password:
	raise ValueError("Password is required for local authentication")
	def __post_init__(self) -> None:
	if self.auth_method is AuthMethod.OAUTH2:
	if self.password:
	raise BadRequest("Password is not allowed for OAuth2 authentication")
	elif not self.password:
	raise BadRequest("Password is required for local authentication")

Given some of the issues that have been coming into community around inscrutable error messages, I want to make sure these APIs make it back to the user.

[RogerHYang]

ok sg. thx

[axiomofjoy]

Nix?

[axiomofjoy]

We still want this constraint, no?

[axiomofjoy]

Suggested change

	batch_op.create_check_constraint("auth_method", "auth_method IN ('LOCAL', 'OAUTH2')")
	batch_op.create_check_constraint("valid_auth_method", "auth_method IN ('LOCAL', 'OAUTH2')")

[axiomofjoy]

The ordering doesn't mirror the up migration.

[RogerHYang]

ok i can change, but this one seems to be ok because the migration tests passes, so the order is not an issue here

[axiomofjoy]

The only time the ordering would matter would be if the migration fails partway and we need to comment out a portion of the down migration to run manually. I think it's worth keeping the order mirrored to facilitate that in a worst-case scenario.

[axiomofjoy]

Can we make this explicit at the call site rather than implicit?

[RogerHYang]

This is only for testing situations. The helper classes below are intended for normal use, which accomplishes the objective that you're probably referring to.

[axiomofjoy]

Not sure I grok. Where do we rely on this?

[RogerHYang]

Ok i can remove it. I was just too lazy to go through and update all the tests

[review-notebook-app]

Check out this pull request on 

See visual diffs & provide feedback on Jupyter Notebooks.

---

Powered by ReviewNB

[RogerHYang]

superseded by #7582