Fix auto login

[ModEnter]

Fix the automatic enter of the only oauth providers, which makes it unable to logout

[ModEnter]

@dokterbob I did a new PR from the good branch this time 😉

[dokterbob]

I just reviewed the functionality (in our own app, with a single oauth provider).

What I hoped this would do, was to remove the intermittent login step before the redirect, which our users have found confusing (as there's no user interaction required).

What instead happened, is that now there is a single button for the user to click; there is a choice to be made but nothing to choose. Remember those websites back in the 90's with the 'Click here to ender the website'-button?

Of course, users need to be able to log out and I see the pain there. Our own users also have this issue.

What's happening AFAIK, is that when a user logs out from chainlit, the oauth authentication is immediately initiated again. If a user was not logged out from the oauth provider, this means that they are automatically logged in again. What the user's expectation is instead, is that when they're logging out, they are presented a prompt to log in again. If there's a single OAuth provider, they should end up seeing that provider's oauth login screen again (not a page with a single button).

So IMHO, what's necessary is that logging a user out in the frontend also logs them out on the oauth backend. The proper way might be to add an optional async def logout() method to OAuthProvider which for each OAuth provider uses the available credentials to have the provider revoke their credentials.

Alternatively, if 'properly' implementing OAuth (logout) (not a trivial matter!), perhaps we could make this behaviour configurable, setting prior behaviour as the default (e.g. single_oauth_auto_redirect = True, allowing users to specifically disable it?

[dokterbob]

I could not help myself from digging a little deeper and it seems that OAuth2 has a prompt=consent option to the auth request. This way, a user is not logged out from their OAuth provider (we don't want users to log out from GH if they use GH to login to Chainlit!), but it will require users to confirm their login (and allow them to change to a different user).

To implement this, we could add prompt=consent on all outgoing auth requests -- which AFAIK (we need to test this) only happens when a user as logged out, requiring chainlit to send the request in the first place.

That seems like a much simpler and elegant solution!

[dokterbob]

Ref: https://developers.google.com/identity/openid-connect/openid-connect#prompt

[ModEnter]

Hello, this method is interesting, I'm going to dig that.

[ModEnter]

@dokterbob I restored the previous behaviour and added prompt=consent to the authorization params for each one of the 9 chainlit external providers, as refered here

[dokterbob]

here

Great! Could you please indicate to what extent you manually tested it? It's essential for this we do extensive manual testing!

[ModEnter]

Sure, I only tested it on github oauth, but since it is defined in the OpenID connect core 1.0 spec, it should be sure that it work with the other one. If you want to test them, it would be great, I personnaly do not have the possibility to do so...