
@antirotor
Member

OAuth Provider Implementation for AYON Server

This implementation provides a basic OAuth 2.0 authorization server for AYON Server, allowing third-party applications to securely access user data through standardized OAuth processes. It is using oauthlib.

Authorization Endpoints

  • GET /api/oauth/authorize - OAuth authorization endpoint
  • POST /api/oauth/consent - User consent handling
  • POST /api/oauth/token - Token exchange endpoint
  • POST /api/oauth/introspect - Token introspection endpoint
  • GET /api/oauth/userinfo - User information endpoint

JWT Token Endpoints

  • POST /api/oauth/jwt - Generate JWT tokens (authenticated users)
  • POST /api/oauth/jwt/exchange - Exchange OAuth tokens for JWT tokens
  • GET /api/oauth/validate - Validate JWT tokens
  • GET /.well-known/jwks.json - JSON Web Key Set

Client Management (Admin Only)

  • GET /api/oauth/clients - List OAuth clients
  • POST /api/oauth/clients - Create OAuth client
  • GET /api/oauth/clients/{client_id} - Get OAuth client
  • DELETE /api/oauth/clients/{client_id} - Delete OAuth client

Discovery

  • GET /.well-known/openid_configuration - OpenID Connect Discovery

Notes

  • Clients are persisted in the DB, but tokens are Redis-based.
  • This PR doesn't handle scopes or all the proper token validations and processing (e.g. the client can be determined from the provided token, etc.; some logic relies on the currently logged-in user).
  • The consent page (the page where the user is redirected to express consent about using their information to log on to the connecting client) is missing and needs to be implemented in the frontend.
  • Tests will be added to the test repo.

This needs some love in validation and token processing.
@antirotor antirotor requested review from Copilot and martastain July 10, 2025 16:08
@antirotor antirotor self-assigned this Jul 10, 2025
@antirotor antirotor added the type: feature Adding something new and exciting to the product label Jul 10, 2025
Contributor

Copilot AI left a comment


Pull Request Overview

The PR implements foundational OAuth 2.0 and JWT support for the AYON Server.

  • Adds oauth_clients table, indexes, and triggers to the database schema.
  • Introduces OAuthStorage, OAuth server logic, and JWT utilities for token issuance and validation.
  • Exposes OAuth and OpenID Connect endpoints, including discovery, token, introspection, and userinfo.

Reviewed Changes

Copilot reviewed 13 out of 13 changed files in this pull request and generated 5 comments.

  • schemas/schema.public.sql - Add oauth_clients table, indexes, and updated_at trigger
  • schemas/migrations/00000007_oauth.sql - Migration script mirroring the new oauth_clients schema
  • ayon_server/oauth/storage.py - Implement client and token persistence in PostgreSQL and Redis
  • ayon_server/oauth/server.py - Core OAuth2 server implementation using oauthlib
  • ayon_server/oauth/jwt_manager.py - JWT access and ID token creation, decoding, and JWKS endpoint
  • ayon_server/api/server.py - Add OpenID Connect discovery and JWKS endpoints
  • api/oauth/oauth_provider.py - Define FastAPI OAuth endpoints (authorize, token, consent, etc.)

@antirotor
Member Author

So I've tested it and it sort of works, but there are several weak points/questions to be answered:

access token vs. oauth

Once you get an OAuth access token, you shouldn't need an AYON access token, but you still do. Maybe we should support Authentication: Bearer ... as well as x-api-key.

JWT issuer

I wasn't able to figure out how to get the server name without access to the Request object. Now the issuer is stupidly hardcoded and not validated.

Keys

Now we use an HS256 symmetric key, but we should use RS256 asymmetric ones.

JWT endpoint

It is very useful, but right now it is using some hardcoded values. Maybe this should be turned into a helper method to be used in individual addons for better context?

@antirotor
Member Author

antirotor commented Jul 18, 2025

You can use this little script for testing, btw: https://gist.github.com/antirotor/7f5720a5ba168edac2c6c31825f46a2b

  1. First, you need to create a new client - use api/oauth/clients with payload:

     {
       "clientName": "demo-client",
       "redirectUris": [
         "http://localhost:5000/callback"
       ],
       "grantTypes": [
         "authorization_code"
       ],
       "responseTypes": [
         "code"
       ],
       "scope": "openid",
       "clientType": "confidential"
     }

     (note that redirectUris must match the redirection_uri in the gist script linked above)

  2. Get the clientId from the response and use it in the script.
  3. The script will open a browser with the redirect URL filled with the codes; just post that back to the script prompt.
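The three steps above as a small client-side helper, written here as an added example and not the gist linked in the comment. It assumes the standard OAuth 2.0 parameter names that oauthlib expects (response_type, client_id, redirect_uri, scope, state, code, grant_type), a placeholder server URL and client credentials, and HTTP Basic client authentication at the token endpoint; it also checks the `state` value on the pasted redirect URL, so a callback that was not produced for this run is rejected instead of being exchanged.

```python
import base64
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AYON_URL = "http://ayon.example"                 # placeholder for the AYON server under test
CLIENT_ID = "demo-client-id"                     # placeholder: clientId returned by POST /api/oauth/clients
CLIENT_SECRET = "demo-client-secret"             # placeholder: secret of the confidential client (assumed)
REDIRECT_URI = "http://localhost:5000/callback"  # must equal the client's redirectUris entry


def authorize_url(state: str, scope: str = "openid") -> str:
    """URL to open in the browser (GET /api/oauth/authorize); `state` comes back unchanged."""
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": scope, "state": state}
    return f"{AYON_URL}/api/oauth/authorize?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Pull the code out of the pasted redirect URL.

    A server error response is surfaced, and a wrong or missing state is
    rejected because the redirect then does not belong to our request.
    """
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to this request")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


def token_request(code: str) -> tuple[str, dict[str, str], str]:
    """Build the POST /api/oauth/token exchange as (url, headers, form body)."""
    basic = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": REDIRECT_URI})
    return f"{AYON_URL}/api/oauth/token", headers, body


if __name__ == "__main__":
    state = secrets.token_urlsafe(16)  # fresh per run, never reused
    print("Open in a browser:", authorize_url(state))
    pasted = input("Paste the redirect URL here: ")
    url, headers, body = token_request(parse_callback(pasted, state))
    print("POST", url, headers, body)  # send with urllib.request or curl
```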
