arize-phoenix 12.2.0__py3-none-any.whl → 12.3.0__py3-none-any.whl

{arize_phoenix-12.2.0.dist-info → arize_phoenix-12.3.0.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: arize-phoenix
-Version: 12.2.0
+Version: 12.3.0
 Summary: AI Observability and Evaluation
 Project-URL: Documentation, https://arize.com/docs/phoenix/
 Project-URL: Issues, https://github.com/Arize-ai/phoenix/issues

{arize_phoenix-12.2.0.dist-info → arize_phoenix-12.3.0.dist-info}/RECORD

@@ -6,7 +6,7 @@ phoenix/exceptions.py,sha256=n2L2KKuecrdflB9MsCdAYCiSEvGJptIsfRkXMoJle7A,169
 phoenix/py.typed,sha256=AbpHGcgLb-kRsJGnwFEktk7uzpZOCcBY74-YBdrKVGs,1
 phoenix/services.py,sha256=ngkyKGVatX3cO2WJdo2hKdaVKP-xJCMvqthvga6kJss,5196
 phoenix/settings.py,sha256=2kHfT3BNOVd4dAO1bq-syEQbHSG8oX2-7NhOwK2QREk,896
-phoenix/version.py,sha256=p9gY3XMRcwNNqpNvGH72AMcUYju-jWhtfef9jZuN95Q,23
+phoenix/version.py,sha256=joovLOjrezzyo7EzpCd_GmtqwFzRWnqjgTP-wu-ic5w,23
 phoenix/core/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 phoenix/core/embedding_dimension.py,sha256=zKGbcvwOXgLf-yrJBpQyKtd-LEOPRKHnUToyAU8Owis,87
 phoenix/core/model.py,sha256=qBFraOtmwCCnWJltKNP18DDG0mULXigytlFsa6YOz6k,4837
@@ -102,7 +102,7 @@ phoenix/pointcloud/pointcloud.py,sha256=SN_1wXZcwKrtSnHGZLDZGx71orqE1WyVF7E-D58d
 phoenix/pointcloud/projectors.py,sha256=TQgwc9cJDjJkin1WZyZzgl3HsYrLLiyWD7Czy4jNW3U,1088
 phoenix/pointcloud/umap_parameters.py,sha256=db_WEPoamuWtopZx7tQfAXPnoE0MS8FkAV0_ThjEx_Q,1735
 phoenix/server/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-phoenix/server/app.py,sha256=bN92VbiRRaay3cwBn6U60CCQFkz5JycBD6mrV8qjPp8,50490
+phoenix/server/app.py,sha256=Nkm7xwzed5H_ArLWiqn4Id5ERxB-k-1sJSsvvtWw4Pk,50868
 phoenix/server/authorization.py,sha256=OxROn7ibpKtCTrcgDkzWuNxVaQcSQ8MAx7zbjZiliK0,3201
 phoenix/server/bearer_auth.py,sha256=f4v4W94KyTdGGCPsK1tXOe0vouPuvanAEa03XSdCvPE,6650
 phoenix/server/dml_event.py,sha256=HgUsIkzyXxCGasjnrqubegWbNaAcAgjrtWrKc3aRwxA,3245
@@ -110,7 +110,7 @@ phoenix/server/dml_event_handler.py,sha256=71_iPcHiJ4E-8Z7sGL2j0vx_RpkmcMVEUFIBs
 phoenix/server/grpc_server.py,sha256=THDdkMKXQEC3gZjFG2nUgXHFbUnWsRHgFM9oh5WtAX0,4758
 phoenix/server/jwt_store.py,sha256=B6uVildN_dQDTG_-aHHvuVSI7wIVK1yvED-_y6se2GU,16905
 phoenix/server/main.py,sha256=UBwxrQIEE7ci-SbE6GAlRYmbMHooI6JYG6sG-UpBFFs,18905
-phoenix/server/oauth2.py,sha256=GvUqZBoZ5dG-l2G1RMl1SUcN10jNAjaMXFznMSWz2Zs,3336
+phoenix/server/oauth2.py,sha256=l6jugh-lHq0h7h7TBzvk6oTrHKXe1aX9-j7UAat5Eac,3224
 phoenix/server/prometheus.py,sha256=ovh6Hrw2mLUC6KddGydT0_lv-yK0upV9mL-T9UjqlcE,9373
 phoenix/server/rate_limiters.py,sha256=cFc73D2NaxqNZZDbwfIDw4So-fRVOJPBtqxOZ8Qky_s,7155
 phoenix/server/retention.py,sha256=MQe1FWuc_NxhqgIq5q2hfFhWT8ddAmpppgI74xYEQ6c,3064
@@ -122,6 +122,7 @@ phoenix/server/utils.py,sha256=zTgY07W9GOpAFvIIPVBfXAGQb6kwGla2lhj1VGTCeIU,3057
 phoenix/server/api/README.md,sha256=Pyq1PLPgTzXAswrfIhGXrjI3Skq8it2jTVnanT6Ba4Q,1162
 phoenix/server/api/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 phoenix/server/api/auth.py,sha256=AyYhnZIbY9ALVjg2K6aC2UXSa3Pva5GVDBXyaZ3nD3o,2749
+phoenix/server/api/auth_messages.py,sha256=15oqogBNS2BgJLLDecfXz62G9LdiOAEyzPv6jX9BxYE,1912
 phoenix/server/api/context.py,sha256=rdjGb0Ce-XBFVF5lj-lA8VoyKmrrPpLdU_BKT0qhFyQ,10450
 phoenix/server/api/exceptions.py,sha256=9gB4nBRNX6k4_fsQZ12yxw6Tw53h_915l06DYK-qkPQ,1442
 phoenix/server/api/interceptor.py,sha256=ykDnoC_apUd-llVli3m1CW18kNSIgjz2qZ6m5JmPDu8,1294
@@ -280,7 +281,7 @@ phoenix/server/api/openapi/schema.py,sha256=WGmHWSIyJhtc5EIh_M3vlXU-EgHkFuTlyVof
 phoenix/server/api/routers/__init__.py,sha256=YIzHsIFOOXuCRbDkMUHx-McrANFJK5UfUn6a4BNIzmo,277
 phoenix/server/api/routers/auth.py,sha256=hPkMmLgy9oV-V8WSlwemIbb3jiwXzzLZDW10GAfkY-o,11928
 phoenix/server/api/routers/embeddings.py,sha256=BpZGJee0pdL0W5Rp1L0b30dEtZTgJeVqXky8LgZ0ZXw,898
-phoenix/server/api/routers/oauth2.py,sha256=HFBYyPlUZXsik36uyzcIOFfVZHNda8X5BuB36TU7Tyw,23989
+phoenix/server/api/routers/oauth2.py,sha256=AwfWqTQyHpXdJ3BUTkIvsgUiALAlFbERPs1pyJOM3Lo,25313
 phoenix/server/api/routers/utils.py,sha256=M41BoH-fl37izhRuN2aX7lWm7jOC20A_3uClv9TVUUY,583
 phoenix/server/api/routers/v1/__init__.py,sha256=Ga6SjcX6X6Aw5VTvbiPOIXfzQS8lbVERY0BHdx5Dlks,2881
 phoenix/server/api/routers/v1/annotation_configs.py,sha256=xp5lJmKYlRsINCUrRD9-lTAElw2v4hdFndS5BWrxICA,16048
@@ -398,7 +399,7 @@ phoenix/server/cost_tracking/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NM
 phoenix/server/cost_tracking/cost_details_calculator.py,sha256=Tt0YcuLhgPuXKWJemWVmYQfG0xQUvH4VziIj6KcDnoA,8945
 phoenix/server/cost_tracking/cost_model_lookup.py,sha256=jhtVdnQBzrTUHeOGPWgOebk-Io5hpJ1vAgWOu8ojeJ4,6801
 phoenix/server/cost_tracking/helpers.py,sha256=Pk6ECjnYreTxrldtRwxnwFcxIPVsvDq_yAwDA_spkOc,2122
-phoenix/server/cost_tracking/model_cost_manifest.json,sha256=rS_jFEJijHH93LDnh3Zadmfwzr7GJAlcjvWZ0xR4He4,68561
+phoenix/server/cost_tracking/model_cost_manifest.json,sha256=qPDorKVjL9O9OtBTcHUW38yq6WfGSw2lYjnDTAlbb6s,68581
 phoenix/server/cost_tracking/regex_specificity.py,sha256=9kqWuQ68C-hlwW25hr7BhFlRt5y2Nnpy0Ax3n9UN6Xk,11622
 phoenix/server/cost_tracking/token_cost_calculator.py,sha256=2JEZnvusx2-xbhp8krp9EarjWuyGH2KO4e-ZwJX-K0s,1598
 phoenix/server/daemons/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -427,19 +428,19 @@ phoenix/server/static/apple-touch-icon-76x76.png,sha256=CT_xT12I0u2i0WU8JzBZBuOQ
 phoenix/server/static/apple-touch-icon.png,sha256=fOfpjqGpWYbJ0eAurKsyoZP1EAs6ZVooBJ_SGk2ZkDs,3801
 phoenix/server/static/favicon.ico,sha256=bY0vvCKRftemZfPShwZtE93DiiQdaYaozkPGwNFr6H8,34494
 phoenix/server/static/modernizr.js,sha256=mvK-XtkNqjOral-QvzoqsyOMECXIMu5BQwSVN_wcU9c,2564
-phoenix/server/static/.vite/manifest.json,sha256=rzd1dpIB-2jzG1MUY69jIZxY7fHIDnSVfIl3SHJrmTw,2328
-phoenix/server/static/assets/components-BG6v0EM8.js,sha256=OlwDlPZR35cYxPcpZu7nTvuX-XJ5bMAKb91GBT7rbF8,717341
-phoenix/server/static/assets/index-CSVcULw1.js,sha256=MxKVdXMdZV8wxvcl47H-BUzsRCuihATaJefd_uxKa88,63600
-phoenix/server/static/assets/pages-DgaM7kpM.js,sha256=b0KVlxRkpFTZ9S7DCZiE06Qruc7Ua2CTKLxhfiyHGDM,1331042
+phoenix/server/static/.vite/manifest.json,sha256=Pu8-OxoLf8RlAl-i0K8pAuKfVy6h7ZuOBJR9psD5frE,2328
+phoenix/server/static/assets/components-Bs8eJEpU.js,sha256=ml92PuSdVdsbHS8q6c4sHSWJ9nBSjo1l1qvjzM6EVF4,723590
+phoenix/server/static/assets/index-C6WEu5UP.js,sha256=mY6KSmhD7Okipz8iEqbzZpyFQG_fVUIpNfKiT8ND8OM,63680
+phoenix/server/static/assets/pages-D-n2pkoG.js,sha256=rtkn8DSkEKuvyFlbSF6dUn_uGCVyUBZZh--yByZSEmI,1341008
 phoenix/server/static/assets/vendor-BGzfc4EU.css,sha256=Nx5Lmx-bqYR7nsO_O4kEBcrJ8cwknWjZ6seHN3_s4UQ,3171
-phoenix/server/static/assets/vendor-BqTEkGQU.js,sha256=_reetQ4kYw-0cLbQgK-Ce_bu8P-udNgkFAxAMWAOuIQ,2602283
-phoenix/server/static/assets/vendor-arizeai-DlOj0PQQ.js,sha256=fvk6Zfq3daaYLB4RiZRJHpJm5GIyzqNV4JXt74ZWeCg,107800
-phoenix/server/static/assets/vendor-codemirror-B2PHH5yZ.js,sha256=QjUU6KX46yAL8tjl7SsEsj1jTY6M33GwtK8S4eaE4uk,413211
-phoenix/server/static/assets/vendor-recharts-CKsi4IjN.js,sha256=d07g7qsq4yG80ekO_0m5RQ20ZMVEfnJvXV8boHnGHZc,231652
-phoenix/server/static/assets/vendor-shiki-DN26BkKE.js,sha256=gCX22-6kpVbLa_zs_Mapak8jPzvBcXMQ5WpCiIv2T5s,305160
+phoenix/server/static/assets/vendor-D2eEI-6h.js,sha256=DcZ_ov-x3PP13qfDh2X0hhQTuuSnxoMnYVBW98YBo0Q,2709850
+phoenix/server/static/assets/vendor-arizeai-kfOei7nf.js,sha256=AlUQvzFvgUY2d5qzujvi4N7VXbhmpcnrKAYk9Ilpzt4,107788
+phoenix/server/static/assets/vendor-codemirror-1bq_t1Ec.js,sha256=cjHHniUz2eOaXgg3iPcyd3d8hRz_2z7tW_UTPiMyGiA,413211
+phoenix/server/static/assets/vendor-recharts-DQ4xfrf4.js,sha256=tTNG6AAxOGuPbEnjQkr3EzR7COVhDnN37QJFV6BNQg8,231652
+phoenix/server/static/assets/vendor-shiki-GGmcIQxA.js,sha256=U357g2RSPGwucCoww2yscGQcLyWIcP3EQxlkMgR9CJg,305160
 phoenix/server/static/assets/vendor-three-BLWp5bic.js,sha256=vfSCVXS20jA0Ceo_O0mDxYBcROinWMdPE6RR4JXmtec,620972
 phoenix/server/templates/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-phoenix/server/templates/index.html,sha256=QAYh0TG5mg-GvDQUR09aD9ebl9Sfq0fYAcfIa5G7J6E,7148
+phoenix/server/templates/index.html,sha256=_iKIyXEDDr5cTTnrUCjCd617U6Alc1k-IXtdKSt8g14,7215
 phoenix/session/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 phoenix/session/client.py,sha256=bFw3RzSdCCQBDNDbgxgaao4kCsP9_YWXG1VQfJvNveA,38532
 phoenix/session/data_extractor.py,sha256=y_21QYW5emZ-SFYN9GtpUwDBMPCWtbRk3ZGxfR3k8K0,3178
@@ -476,9 +477,9 @@ phoenix/utilities/project.py,sha256=auVpARXkDb-JgeX5f2aStyFIkeKvGwN9l7qrFeJMVxI,
 phoenix/utilities/re.py,sha256=6YyUWIkv0zc2SigsxfOWIHzdpjKA_TZo2iqKq7zJKvw,2081
 phoenix/utilities/span_store.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 phoenix/utilities/template_formatters.py,sha256=gh9PJD6WEGw7TEYXfSst1UR4pWWwmjxMLrDVQ_CkpkQ,2779
-arize_phoenix-12.2.0.dist-info/METADATA,sha256=WjI2-I68gw_gsPc4SQ945twJ3uGSp0t66IFzKXRJOsQ,34045
-arize_phoenix-12.2.0.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
-arize_phoenix-12.2.0.dist-info/entry_points.txt,sha256=Pgpn8Upxx9P8z8joPXZWl2LlnAlGc3gcQoVchb06X1Q,94
-arize_phoenix-12.2.0.dist-info/licenses/IP_NOTICE,sha256=JBqyyCYYxGDfzQ0TtsQgjts41IJoa-hiwDrBjCb9gHM,469
-arize_phoenix-12.2.0.dist-info/licenses/LICENSE,sha256=HFkW9REuMOkvKRACuwLPT0hRydHb3zNg-fdFt94td18,3794
-arize_phoenix-12.2.0.dist-info/RECORD,,
+arize_phoenix-12.3.0.dist-info/METADATA,sha256=NBdFfBR6OscGNJ7RHEM0IhHe2mnvNAie9rm_UlWvHmA,34045
+arize_phoenix-12.3.0.dist-info/WHEEL,sha256=qtCwoSJWgHk21S1Kb4ihdzI2rlJ1ZKaIurTj_ngOhyQ,87
+arize_phoenix-12.3.0.dist-info/entry_points.txt,sha256=Pgpn8Upxx9P8z8joPXZWl2LlnAlGc3gcQoVchb06X1Q,94
+arize_phoenix-12.3.0.dist-info/licenses/IP_NOTICE,sha256=JBqyyCYYxGDfzQ0TtsQgjts41IJoa-hiwDrBjCb9gHM,469
+arize_phoenix-12.3.0.dist-info/licenses/LICENSE,sha256=HFkW9REuMOkvKRACuwLPT0hRydHb3zNg-fdFt94td18,3794
+arize_phoenix-12.3.0.dist-info/RECORD,,

phoenix/server/api/auth_messages.py

@@ -0,0 +1,46 @@
+# ruff: noqa: E501
+"""
+Authentication error and success message codes.
+
+These codes are used in authentication flows to safely communicate status
+to users via query parameters. Using codes instead of raw messages prevents
+social engineering and phishing attacks.
+
+The messages are passed to the frontend via window.Config to ensure a single
+source of truth between backend and frontend.
+"""
+
+from types import MappingProxyType
+from typing import Literal, Mapping, get_args
+
+# Error code type - used for type hints in redirect functions
+AuthErrorCode = Literal[
+    "unknown_idp",
+    "auth_failed",
+    "invalid_state",
+    "unsafe_return_url",
+    "oauth_error",
+    "no_oidc_support",
+    "missing_email_scope",
+    "email_in_use",
+    "sign_in_not_allowed",
+]
+
+# Error messages - passed to frontend via window.Config.authErrorMessages
+# Backend generates these codes when redirecting users after OAuth errors
+AUTH_ERROR_MESSAGES: Mapping[AuthErrorCode, str] = MappingProxyType(
+    {
+        "unknown_idp": "Unknown identity provider.",
+        "auth_failed": "Authentication failed. Please contact your administrator.",
+        "invalid_state": "Invalid authentication state. Please try again.",
+        "unsafe_return_url": "Invalid return URL. Please try again.",
+        "oauth_error": "Authentication failed. Please try again.",
+        "no_oidc_support": "Your identity provider does not appear to support OpenID Connect. Please contact your administrator.",
+        "missing_email_scope": "Please ensure your identity provider is configured to use the 'email' scope.",
+        "email_in_use": "An account with this email already exists.",
+        "sign_in_not_allowed": "Sign in is not allowed. Please contact your administrator.",
+    }
+)
+
+# Runtime assertion to ensure AUTH_ERROR_MESSAGES keys match AuthErrorCode Literal values
+assert set(AUTH_ERROR_MESSAGES.keys()) == set(get_args(AuthErrorCode))

phoenix/server/api/routers/oauth2.py

@@ -1,3 +1,4 @@
+import logging
 import re
 from dataclasses import dataclass
 from datetime import timedelta
@@ -38,8 +39,8 @@ from phoenix.config import (
     get_env_disable_rate_limit,
 )
 from phoenix.db import models
+from phoenix.server.api.auth_messages import AuthErrorCode
 from phoenix.server.bearer_auth import create_access_and_refresh_tokens
-from phoenix.server.oauth2 import OAuth2Client
 from phoenix.server.rate_limiters import (
     ServerRateLimiter,
     fastapi_ip_rate_limiter,
@@ -50,6 +51,8 @@ from phoenix.server.utils import get_root_path, prepend_root_path
 
 _LOWERCASE_ALPHANUMS_AND_UNDERSCORES = r"[a-z0-9_]+"
 
+logger = logging.getLogger(__name__)
+
 login_rate_limiter = fastapi_ip_rate_limiter(
     ServerRateLimiter(
         per_second_rate_limit=0.2,
@@ -88,11 +91,12 @@ async def login(
     idp_name: Annotated[str, Path(min_length=1, pattern=_LOWERCASE_ALPHANUMS_AND_UNDERSCORES)],
     return_url: Optional[str] = Query(default=None, alias="returnUrl"),
 ) -> RedirectResponse:
+    # Security Note: Query parameters should be treated as untrusted user input. Never display
+    # these values directly to users as they could be manipulated for XSS, phishing, or social
+    # engineering attacks.
+    if (oauth2_client := request.app.state.oauth2_clients.get_client(idp_name)) is None:
+        return _redirect_to_login(request=request, error="unknown_idp")
     secret = request.app.state.get_secret()
-    if not isinstance(
-        oauth2_client := request.app.state.oauth2_clients.get_client(idp_name), OAuth2Client
-    ):
-        return _redirect_to_login(request=request, error=f"Unknown IDP: {idp_name}.")
     if (referer := request.headers.get("referer")) is not None:
         # if the referer header is present, use it as the origin URL
         parsed_url = urlparse(referer)
@@ -132,28 +136,42 @@ async def create_tokens(
     request: Request,
     idp_name: Annotated[str, Path(min_length=1, pattern=_LOWERCASE_ALPHANUMS_AND_UNDERSCORES)],
     state: str = Query(),
-    authorization_code: str = Query(alias="code"),
+    authorization_code: Optional[str] = Query(default=None, alias="code"),
+    error: Optional[str] = Query(default=None),
+    error_description: Optional[str] = Query(default=None),
     stored_state: str = Cookie(alias=PHOENIX_OAUTH2_STATE_COOKIE_NAME),
     stored_nonce: str = Cookie(alias=PHOENIX_OAUTH2_NONCE_COOKIE_NAME),
 ) -> RedirectResponse:
+    # Security Note: Query parameters should be treated as untrusted user input. Never display
+    # these values directly to users as they could be manipulated for XSS, phishing, or social
+    # engineering attacks.
+    if (oauth2_client := request.app.state.oauth2_clients.get_client(idp_name)) is None:
+        return _redirect_to_login(request=request, error="unknown_idp")
+    if error or error_description:
+        logger.error(
+            "OAuth2 authentication failed for IDP %s: error=%s, description=%s",
+            idp_name,
+            error,
+            error_description,
+        )
+        return _redirect_to_login(request=request, error="auth_failed")
+    if authorization_code is None:
+        logger.error("OAuth2 callback missing authorization code for IDP %s", idp_name)
+        return _redirect_to_login(request=request, error="auth_failed")
     secret = request.app.state.get_secret()
     if state != stored_state:
-        return _redirect_to_login(request=request, error=_INVALID_OAUTH2_STATE_MESSAGE)
+        return _redirect_to_login(request=request, error="invalid_state")
     try:
         payload = _parse_state_payload(secret=secret, state=state)
     except JoseError:
-        return _redirect_to_login(request=request, error=_INVALID_OAUTH2_STATE_MESSAGE)
+        return _redirect_to_login(request=request, error="invalid_state")
     if (return_url := payload.get("return_url")) is not None and not _is_relative_url(
         unquote(return_url)
     ):
-        return _redirect_to_login(request=request, error="Attempting login with unsafe return URL.")
+        return _redirect_to_login(request=request, error="unsafe_return_url")
     assert isinstance(access_token_expiry := request.app.state.access_token_expiry, timedelta)
     assert isinstance(refresh_token_expiry := request.app.state.refresh_token_expiry, timedelta)
     token_store: TokenStore = request.app.state.get_token_store()
-    if not isinstance(
-        oauth2_client := request.app.state.oauth2_clients.get_client(idp_name), OAuth2Client
-    ):
-        return _redirect_to_login(request=request, error=f"Unknown IDP: {idp_name}.")
     try:
         token_data = await oauth2_client.fetch_access_token(
             state=state,
@@ -162,19 +180,19 @@ async def create_tokens(
                 request=request, origin_url=payload["origin_url"], idp_name=idp_name
             ),
         )
-    except OAuthError as error:
-        return _redirect_to_login(request=request, error=str(error))
+    except OAuthError as e:
+        logger.error("OAuth2 error for IDP %s: %s", idp_name, e)
+        return _redirect_to_login(request=request, error="oauth_error")
     _validate_token_data(token_data)
     if "id_token" not in token_data:
-        return _redirect_to_login(
-            request=request,
-            error=f"OAuth2 IDP {idp_name} does not appear to support OpenID Connect.",
-        )
+        logger.error("OAuth2 IDP %s does not appear to support OpenID Connect", idp_name)
+        return _redirect_to_login(request=request, error="no_oidc_support")
     user_info = await oauth2_client.parse_id_token(token_data, nonce=stored_nonce)
     try:
         user_info = _parse_user_info(user_info)
-    except MissingEmailScope as error:
-        return _redirect_to_login(request=request, error=str(error))
+    except MissingEmailScope as e:
+        logger.error("Missing email scope for IDP %s: %s", idp_name, e)
+        return _redirect_to_login(request=request, error="missing_email_scope")
 
     try:
         async with request.app.state.db() as session:
@@ -184,8 +202,12 @@ async def create_tokens(
                 user_info=user_info,
                 allow_sign_up=oauth2_client.allow_sign_up,
             )
-    except (EmailAlreadyInUse, SignInNotAllowed) as error:
-        return _redirect_to_login(request=request, error=str(error))
+    except EmailAlreadyInUse as e:
+        logger.error("Email already in use for IDP %s: %s", idp_name, e)
+        return _redirect_to_login(request=request, error="email_in_use")
+    except SignInNotAllowed as e:
+        logger.error("Sign in not allowed for IDP %s: %s", idp_name, e)
+        return _redirect_to_login(request=request, error="sign_in_not_allowed")
     access_token, refresh_token = await create_access_and_refresh_tokens(
         user=user,
         token_store=token_store,
@@ -560,9 +582,10 @@ class MissingEmailScope(Exception):
     pass
 
 
-def _redirect_to_login(*, request: Request, error: str) -> RedirectResponse:
+def _redirect_to_login(*, request: Request, error: AuthErrorCode) -> RedirectResponse:
     """
-    Creates a RedirectResponse to the login page to display an error message.
+    Creates a RedirectResponse to the login page to display an error code.
+    The error code will be validated and mapped to a user-friendly message on the frontend.
     """
     # TODO: this needs some cleanup
     login_path = prepend_root_path(
@@ -661,7 +684,4 @@ def _is_oauth2_state_payload(maybe_state_payload: Any) -> TypeGuard[_OAuth2State
 
 
 _JWT_ALGORITHM = "HS256"
-_INVALID_OAUTH2_STATE_MESSAGE = (
-    "Received invalid state parameter during OAuth2 authorization code flow for IDP {idp_name}."
-)
 _RELATIVE_URL_PATTERN = re.compile(r"^/($|\w)")

phoenix/server/app.py

@@ -81,6 +81,7 @@ from phoenix.db.facilitator import Facilitator
 from phoenix.db.helpers import SupportedSQLDialect
 from phoenix.exceptions import PhoenixMigrationError
 from phoenix.pointcloud.umap_parameters import UMAPParameters
+from phoenix.server.api.auth_messages import AUTH_ERROR_MESSAGES, AuthErrorCode
 from phoenix.server.api.context import Context, DataLoaders
 from phoenix.server.api.dataloaders import (
     AnnotationConfigsByProjectDataLoader,
@@ -250,6 +251,8 @@ class AppConfig(NamedTuple):
     web_manifest_path: Path
     authentication_enabled: bool
     """ Whether authentication is enabled """
+    auth_error_messages: dict[AuthErrorCode, str]
+    """ Mapping of auth error codes to user-friendly messages """
     oauth2_idps: Sequence[OAuth2Idp]
     basic_auth_disabled: bool = False
     auto_login_idp_name: Optional[str] = None
@@ -326,6 +329,7 @@ class Static(StaticFiles):
                     "support_email": self._app_config.support_email,
                     "has_db_threshold": self._app_config.has_db_threshold,
                     "allow_external_resources": self._app_config.allow_external_resources,
+                    "auth_error_messages": self._app_config.auth_error_messages,
                 },
             )
         except Exception as e:
@@ -1146,6 +1150,7 @@ def create_app(
                         and get_env_database_usage_insertion_blocking_threshold_percentage()
                     ),
                     allow_external_resources=get_env_allow_external_resources(),
+                    auth_error_messages=dict(AUTH_ERROR_MESSAGES) if authentication_enabled else {},
                 ),
             ),
             name="static",

phoenix/server/cost_tracking/model_cost_manifest.json

@@ -449,6 +449,60 @@
         }
       ]
     },
+    {
+      "name": "claude-sonnet-4-5",
+      "name_pattern": "claude-sonnet-4-5",
+      "source": "litellm",
+      "token_prices": [
+        {
+          "base_rate": 3e-6,
+          "is_prompt": true,
+          "token_type": "input"
+        },
+        {
+          "base_rate": 0.000015,
+          "is_prompt": false,
+          "token_type": "output"
+        },
+        {
+          "base_rate": 3e-7,
+          "is_prompt": true,
+          "token_type": "cache_read"
+        },
+        {
+          "base_rate": 3.75e-6,
+          "is_prompt": true,
+          "token_type": "cache_write"
+        }
+      ]
+    },
+    {
+      "name": "claude-sonnet-4-5-20250929",
+      "name_pattern": "claude-sonnet-4-5-20250929",
+      "source": "litellm",
+      "token_prices": [
+        {
+          "base_rate": 3e-6,
+          "is_prompt": true,
+          "token_type": "input"
+        },
+        {
+          "base_rate": 0.000015,
+          "is_prompt": false,
+          "token_type": "output"
+        },
+        {
+          "base_rate": 3e-7,
+          "is_prompt": true,
+          "token_type": "cache_read"
+        },
+        {
+          "base_rate": 3.75e-6,
+          "is_prompt": true,
+          "token_type": "cache_write"
+        }
+      ]
+    },
     {
       "name": "gemini-2.0-flash",
       "name_pattern": "gemini-2.0-flash(@[a-zA-Z0-9]+)?",
@@ -1028,60 +1082,6 @@
         }
       ]
     },
-    {
-      "name": "gemini-flash-latest",
-      "name_pattern": "gemini-flash-latest",
-      "source": "litellm",
-      "token_prices": [
-        {
-          "base_rate": 3e-7,
-          "is_prompt": true,
-          "token_type": "input"
-        },
-        {
-          "base_rate": 2.5e-6,
-          "is_prompt": false,
-          "token_type": "output"
-        },
-        {
-          "base_rate": 7.5e-8,
-          "is_prompt": true,
-          "token_type": "cache_read"
-        },
-        {
-          "base_rate": 1e-6,
-          "is_prompt": true,
-          "token_type": "audio"
-        }
-      ]
-    },
-    {
-      "name": "gemini-flash-lite-latest",
-      "name_pattern": "gemini-flash-lite-latest",
-      "source": "litellm",
-      "token_prices": [
-        {
-          "base_rate": 1e-7,
-          "is_prompt": true,
-          "token_type": "input"
-        },
-        {
-          "base_rate": 4e-7,
-          "is_prompt": false,
-          "token_type": "output"
-        },
-        {
-          "base_rate": 2.5e-8,
-          "is_prompt": true,
-          "token_type": "cache_read"
-        },
-        {
-          "base_rate": 3e-7,
-          "is_prompt": true,
-          "token_type": "audio"
-        }
-      ]
-    },
     {
       "name": "gpt-3.5-turbo",
       "name_pattern": "gpt-(35|3.5)-turbo",

phoenix/server/oauth2.py

@@ -83,10 +83,8 @@ class OAuth2Clients:
             self._auto_login_client = client
         self._clients[config.idp_name] = client
 
-    def get_client(self, idp_name: str) -> OAuth2Client:
-        if (client := self._clients.get(idp_name)) is None:
-            raise ValueError(f"unknown or unregistered OAuth2 client: {idp_name}")
-        return client
+    def get_client(self, idp_name: str) -> Optional[OAuth2Client]:
+        return self._clients.get(idp_name)
 
     @classmethod
     def from_configs(cls, configs: Iterable[OAuth2ClientConfig]) -> "OAuth2Clients":

phoenix/server/static/.vite/manifest.json

@@ -1,32 +1,32 @@
 {
-  "_components-BG6v0EM8.js": {
-    "file": "assets/components-BG6v0EM8.js",
+  "_components-Bs8eJEpU.js": {
+    "file": "assets/components-Bs8eJEpU.js",
     "name": "components",
     "imports": [
-      "_vendor-BqTEkGQU.js",
-      "_pages-DgaM7kpM.js",
-      "_vendor-arizeai-DlOj0PQQ.js",
-      "_vendor-codemirror-B2PHH5yZ.js",
+      "_vendor-D2eEI-6h.js",
+      "_pages-D-n2pkoG.js",
+      "_vendor-arizeai-kfOei7nf.js",
+      "_vendor-codemirror-1bq_t1Ec.js",
       "_vendor-three-BLWp5bic.js"
     ]
   },
-  "_pages-DgaM7kpM.js": {
-    "file": "assets/pages-DgaM7kpM.js",
+  "_pages-D-n2pkoG.js": {
+    "file": "assets/pages-D-n2pkoG.js",
     "name": "pages",
     "imports": [
-      "_vendor-BqTEkGQU.js",
-      "_components-BG6v0EM8.js",
-      "_vendor-arizeai-DlOj0PQQ.js",
-      "_vendor-codemirror-B2PHH5yZ.js",
-      "_vendor-recharts-CKsi4IjN.js"
+      "_vendor-D2eEI-6h.js",
+      "_components-Bs8eJEpU.js",
+      "_vendor-arizeai-kfOei7nf.js",
+      "_vendor-codemirror-1bq_t1Ec.js",
+      "_vendor-recharts-DQ4xfrf4.js"
     ]
   },
   "_vendor-BGzfc4EU.css": {
     "file": "assets/vendor-BGzfc4EU.css",
     "src": "_vendor-BGzfc4EU.css"
   },
-  "_vendor-BqTEkGQU.js": {
-    "file": "assets/vendor-BqTEkGQU.js",
+  "_vendor-D2eEI-6h.js": {
+    "file": "assets/vendor-D2eEI-6h.js",
     "name": "vendor",
     "imports": [
       "_vendor-three-BLWp5bic.js"
@@ -35,39 +35,39 @@
       "assets/vendor-BGzfc4EU.css"
     ]
   },
-  "_vendor-arizeai-DlOj0PQQ.js": {
-    "file": "assets/vendor-arizeai-DlOj0PQQ.js",
+  "_vendor-arizeai-kfOei7nf.js": {
+    "file": "assets/vendor-arizeai-kfOei7nf.js",
     "name": "vendor-arizeai",
     "imports": [
-      "_vendor-BqTEkGQU.js"
+      "_vendor-D2eEI-6h.js"
     ]
   },
-  "_vendor-codemirror-B2PHH5yZ.js": {
-    "file": "assets/vendor-codemirror-B2PHH5yZ.js",
+  "_vendor-codemirror-1bq_t1Ec.js": {
+    "file": "assets/vendor-codemirror-1bq_t1Ec.js",
     "name": "vendor-codemirror",
     "imports": [
-      "_vendor-BqTEkGQU.js",
-      "_vendor-shiki-DN26BkKE.js"
+      "_vendor-D2eEI-6h.js",
+      "_vendor-shiki-GGmcIQxA.js"
     ],
     "dynamicImports": [
-      "_vendor-shiki-DN26BkKE.js",
-      "_vendor-shiki-DN26BkKE.js",
-      "_vendor-shiki-DN26BkKE.js"
+      "_vendor-shiki-GGmcIQxA.js",
+      "_vendor-shiki-GGmcIQxA.js",
+      "_vendor-shiki-GGmcIQxA.js"
     ]
   },
-  "_vendor-recharts-CKsi4IjN.js": {
-    "file": "assets/vendor-recharts-CKsi4IjN.js",
+  "_vendor-recharts-DQ4xfrf4.js": {
+    "file": "assets/vendor-recharts-DQ4xfrf4.js",
     "name": "vendor-recharts",
     "imports": [
-      "_vendor-BqTEkGQU.js"
+      "_vendor-D2eEI-6h.js"
     ]
   },
-  "_vendor-shiki-DN26BkKE.js": {
-    "file": "assets/vendor-shiki-DN26BkKE.js",
+  "_vendor-shiki-GGmcIQxA.js": {
+    "file": "assets/vendor-shiki-GGmcIQxA.js",
     "name": "vendor-shiki",
     "isDynamicEntry": true,
     "imports": [
-      "_vendor-BqTEkGQU.js"
+      "_vendor-D2eEI-6h.js"
     ]
   },
   "_vendor-three-BLWp5bic.js": {
@@ -75,19 +75,19 @@
     "name": "vendor-three"
   },
   "index.tsx": {
-    "file": "assets/index-CSVcULw1.js",
+    "file": "assets/index-C6WEu5UP.js",
     "name": "index",
     "src": "index.tsx",
     "isEntry": true,
     "imports": [
-      "_vendor-BqTEkGQU.js",
-      "_vendor-arizeai-DlOj0PQQ.js",
-      "_pages-DgaM7kpM.js",
-      "_components-BG6v0EM8.js",
+      "_vendor-D2eEI-6h.js",
+      "_vendor-arizeai-kfOei7nf.js",
+      "_pages-D-n2pkoG.js",
+      "_components-Bs8eJEpU.js",
       "_vendor-three-BLWp5bic.js",
-      "_vendor-codemirror-B2PHH5yZ.js",
-      "_vendor-shiki-DN26BkKE.js",
-      "_vendor-recharts-CKsi4IjN.js"
+      "_vendor-codemirror-1bq_t1Ec.js",
+      "_vendor-shiki-GGmcIQxA.js",
+      "_vendor-recharts-DQ4xfrf4.js"
     ]
   }
 }