-
Notifications
You must be signed in to change notification settings - Fork 242
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
💥 Fix oauth name & username mixup #1050
Conversation
45ce7c1
to
2cd06cd
Compare
@coyotte508 FYI I saw the review request. I'm taking the advantage to recreate (-ish) the same on the Python side to better understand the PR and then I'll comment back here |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good to me! Better to have an approval from a JS dev though ^^
Is the expectation that using localStorage
will fix all cookie-related issues? Also just to be sure, if someone adds a "Sign in with HF" button in their Space using this, only the front-end will be able to make calls on behalf of the user, right?
(EDIT: I took heavy inspiration from this PR and especially the test part for huggingface/huggingface_hub#2684)
hubUrl: TEST_HUB_URL, | ||
}); | ||
const resp = await fetch(url, { | ||
method: "POST", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
how of curiosity, is there any reason to do a POST instead of a GET (or vice-versa) here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The POST is to grant the oauth app the authorization. GET works for subsequent calls, but not the first time ever for the user <-> app tuple
At least currently it doesn't suffer the same issues as cookie Just to be clear, it's already been implemented for a long time, but some fields were mixed up...
yes (unless the frontend passes the oauth token to the backend...) |
/** | ||
* OpenID Connect field. The user's full name. | ||
*/ | ||
name: string; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
except sub
, none of the user-related fields are necessarily provided, no? (particularly given that it seems you can pass a custom list of scopes to oauthLoginUrl
)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the profile ones are, technically we could not send them but we always do
res.json({
...getIdTokenInfo(auth.u, [...(auth.oauth?.scope ?? []), "profile"]),
userInfo
returned, use raw response from the hubDue to breaking change, will need major version upgrade
In the end I decided to go with the raw response, without transforming it.
Because a lot of the fields are standard openID connect fields (eg
preferred_username
), and to make the developer's job easier when they search docs or they already have other OpenID integrations in their app.Even if it's snake_case while the rest of the API is camelCase.