Skip to content

[DO NOT MERGE]feature: FGI-1574 add connected account support #67

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 11 commits into
base: main
Choose a base branch
from
Open

[DO NOT MERGE]feature: FGI-1574 add connected account support #67

wants to merge 11 commits into from

Conversation

@sam-muncke
Copy link

@sam-muncke sam-muncke commented Nov 6, 2025
edited
Loading

Changes

This change adds support for the new Connected Accounts flow.

  • Adds two new config values:
    -- use_mrrt - which indicates whether to use Multi-Resource Refresh Tokens (required for connected accounts)
    -- mount_connected_account_routes - Adds the /auth/connect-account route and allows /auth/callback to handle the connnected account callback
  • Adds /auth/connect-account route to initiate connected account flow
  • Modifies /auth/callback to handle connected account callback to complete the flow if the connect_code param is present

Note: This change depends on the functionality in [this PR]:auth0/auth0-server-python#57 and requires a version bump to auth0-server-python lib.

References

Testing

Please describe how this can be tested by reviewers. Be specific about anything not tested and reasons why. If this library has unit and/or integration testing, tests should be added for new functionality and existing tests should complete without errors.

  • This change adds unit test coverage
  • This change adds integration test coverage
  • This change has been tested on the latest version of the platform/language or why not

Checklist

@sam-muncke sam-muncke mentioned this pull request Nov 6, 2025
Open
6 tasks
adamjmcgrath
adamjmcgrath reviewed Nov 7, 2025
View reviewed changes
src/auth0_fastapi/server/routes.py

# Extract the returnTo URL from the appState if available.
return_to = session_data.get("app_state", {}).get("returnTo")
return_to = app_state.get("returnTo")
Copy link

@adamjmcgrath adamjmcgrath Nov 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not the fault of this PR, but this SDK should have something like this https://github.com/auth0/nextjs-auth0/blob/main/EXAMPLES.md#oncallback-hook - otherwise the api response gets lost

Copy link
Author

@sam-muncke sam-muncke Nov 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeh I struggled with what to do after completion. I thought this was the best option for expediency to get something functional for the GA date as there's not actually a lot thats useful in the response. This SDK is pretty bare feature wise though compared to the JS SDK. I can add something like this in in a follow up PR

@sam-muncke
Copy link
Author

sam-muncke commented Nov 7, 2025

@claude

@github-actions
Copy link

github-actions bot commented Nov 7, 2025
edited
Loading

Claude finished @sam-muncke's task —— View job

Code Review Complete

  • Read PR diff and understand changes
  • Read project context
  • Perform code quality review
  • Perform security review
  • Perform performance review
  • Provide inline feedback on specific issues
  • Provide overall assessment

Overall Assessment

❌ This PR has critical security and correctness issues that must be addressed before merging. The most significant concern is an open redirect vulnerability in the callback handler where the returnTo parameter is not validated. Additionally, there are incorrect type annotations and docstrings that will cause confusion and potential runtime errors.

Job Run | Branch

github-actions[bot]
github-actions bot reviewed Nov 7, 2025
View reviewed changes
github-actions[bot]
github-actions bot reviewed Nov 7, 2025
View reviewed changes
github-actions[bot]
github-actions bot reviewed Nov 7, 2025
View reviewed changes
github-actions[bot]
github-actions bot reviewed Nov 7, 2025
View reviewed changes
github-actions[bot]
github-actions bot reviewed Nov 7, 2025
View reviewed changes
github-actions[bot]
github-actions bot reviewed Nov 7, 2025
View reviewed changes
github-actions[bot]
github-actions bot reviewed Nov 7, 2025
View reviewed changes
github-actions[bot]
github-actions bot reviewed Nov 7, 2025
View reviewed changes
pmalouin
pmalouin reviewed Nov 7, 2025
View reviewed changes
src/auth0_fastapi/server/routes.py Outdated
return Response(status_code=204)

if config.mount_connected_account_routes:
@router.get("/auth/connect-account")
Copy link

@pmalouin pmalouin Nov 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For symmetry, this should be the same as the nextjs-auth0 implementation:

Suggested change
@router.get("/auth/connect-account")
@router.get("/auth/connect")

This makes it easier for the front-end library to behave the same no matter what back-end framework+sdk is used.

Copy link

@pmalouin pmalouin Nov 7, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

oh, I see that /auth/connect is already used for account linking 😬 I think that the account-linking approach should be discontinued (to be confirmed based on the deprecation plan). Is it intended to keep it as-is for now?

(if that's the case, I might need to override the url used by the front-end... We already have a way to do it, just a bit more complex setup for our customers)

Copy link
Author

@sam-muncke sam-muncke Nov 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeh would have preferred /auth/connect but its taken. Would love to remove it but its a breaking change so think I had to avoid it. The other option would be to make mount_connect_routes and mount_connected_account_routes mutually exclusive, so the meaning of the /auth/connect route is dependent on which config setting you have enabled.

src/auth0_fastapi/config.py Outdated
audience: Optional[str] = Field(None, description="Target audience for tokens (if applicable)")
authorization_params: Optional[dict[str, Any]] = Field(None, description="Additional parameters to include in the authorization request")
pushed_authorization_requests: bool = Field(False, description="Whether to use pushed authorization requests")
use_mrrt: bool = Field(False, description="Whether to use Multi-Resource Refresh Tokens (MRRT)")
Copy link

@pmalouin pmalouin Nov 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the nextjs-auth0 SDK, we did not have to explicitly enable mrrt. Is there a reason why we have an explicit toggle here?

Copy link
Author

@sam-muncke sam-muncke Nov 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I took inspiration from auth0-spa-js which does require it to be explicitly enabled https://github.com/auth0/auth0-spa-js/blob/main/src/global.ts#L285C19-L285C20

I'm fine either way - its not hard to remove - just depends which one we want to be consistent with 🤷

src/auth0_fastapi/config.py
# Route-mounting flags with desired defaults
mount_routes: bool = Field(True, description="Controls /auth/* routes: login, logout, callback, backchannel-logout")
mount_connect_routes: bool = Field(False, description="Controls /auth/connect routes (account-linking)")
mount_connected_account_routes: bool = Field(False, description="Controls /auth/connect-account routes (for connected accounts)")
Copy link

@pmalouin pmalouin Nov 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

just pointing out that this config is named enableConnectAccountEndpoint in nextjs-auth0. Any way to make them more similar?

One tiny nitpick here is that there's only 1 route, but we use the routes plural.

Copy link
Author

@sam-muncke sam-muncke Nov 7, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Happy to but that makes in more different from the other mount_routes and mount_connect_routes in this SDK
As for routes vs route this does also extend the /auth/callback route functionality as well as adding the new route

@pmalouin pmalouin mentioned this pull request Nov 12, 2025
Draft
@sam-muncke sam-muncke changed the title feature: FGI-1574 add connected account support [DO NOT MERGE]feature: FGI-1574 add connected account support Nov 12, 2025
@sam-muncke sam-muncke marked this pull request as ready for review November 12, 2025 17:37
@sam-muncke sam-muncke requested a review from a team as a code owner November 12, 2025 17:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@adamjmcgrath adamjmcgrath adamjmcgrath left review comments

@github-actions github-actions[bot] github-actions[bot] left review comments

+1 more reviewer

@pmalouin pmalouin pmalouin left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@sam-muncke @adamjmcgrath @pmalouin