arize-phoenix 12.3.0__py3-none-any.whl → 12.4.0__py3-none-any.whl

phoenix/server/api/routers/auth.py

@@ -7,15 +7,6 @@ from urllib.parse import urlencode, urlparse, urlunparse
 from fastapi import APIRouter, Depends, HTTPException, Request, Response
 from sqlalchemy import func, select
 from sqlalchemy.orm import joinedload
-from starlette.status import (
-    HTTP_204_NO_CONTENT,
-    HTTP_302_FOUND,
-    HTTP_401_UNAUTHORIZED,
-    HTTP_403_FORBIDDEN,
-    HTTP_404_NOT_FOUND,
-    HTTP_422_UNPROCESSABLE_ENTITY,
-    HTTP_503_SERVICE_UNAVAILABLE,
-)
 
 from phoenix.auth import (
     DEFAULT_SECRET_LENGTH,
@@ -76,7 +67,7 @@ router = APIRouter(prefix="/auth", include_in_schema=False, dependencies=auth_de
 @router.post("/login")
 async def login(request: Request) -> Response:
     if get_env_disable_basic_auth():
-        raise HTTPException(status_code=HTTP_403_FORBIDDEN)
+        raise HTTPException(status_code=403)
     assert isinstance(access_token_expiry := request.app.state.access_token_expiry, timedelta)
     assert isinstance(refresh_token_expiry := request.app.state.refresh_token_expiry, timedelta)
     token_store: TokenStore = request.app.state.get_token_store()
@@ -85,7 +76,7 @@ async def login(request: Request) -> Response:
     password = data.get("password")
 
     if not email or not password:
-        raise HTTPException(status_code=HTTP_401_UNAUTHORIZED, detail="Email and password required")
+        raise HTTPException(status_code=401, detail="Email and password required")
 
     # Sanitize email by trimming and lowercasing
     email = sanitize_email(email)
@@ -101,14 +92,14 @@ async def login(request: Request) -> Response:
             or (password_hash := user.password_hash) is None
             or (salt := user.password_salt) is None
         ):
-            raise HTTPException(status_code=HTTP_401_UNAUTHORIZED, detail=LOGIN_FAILED_MESSAGE)
+            raise HTTPException(status_code=401, detail=LOGIN_FAILED_MESSAGE)
 
     loop = asyncio.get_running_loop()
     password_is_valid = partial(
         is_valid_password, password=password, salt=salt, password_hash=password_hash
     )
     if not await loop.run_in_executor(None, password_is_valid):
-        raise HTTPException(status_code=HTTP_401_UNAUTHORIZED, detail=LOGIN_FAILED_MESSAGE)
+        raise HTTPException(status_code=401, detail=LOGIN_FAILED_MESSAGE)
 
     access_token, refresh_token = await create_access_and_refresh_tokens(
         token_store=token_store,
@@ -116,7 +107,7 @@ async def login(request: Request) -> Response:
         access_token_expiry=access_token_expiry,
         refresh_token_expiry=refresh_token_expiry,
     )
-    response = Response(status_code=HTTP_204_NO_CONTENT)
+    response = Response(status_code=204)
     response = set_access_token_cookie(
         response=response, access_token=access_token, max_age=access_token_expiry
     )
@@ -146,7 +137,7 @@ async def logout(
         await token_store.log_out(user_id)
     redirect_path = "/logout" if get_env_disable_basic_auth() else "/login"
     redirect_url = prepend_root_path(request.scope, redirect_path)
-    response = Response(status_code=HTTP_302_FOUND, headers={"Location": redirect_url})
+    response = Response(status_code=302, headers={"Location": redirect_url})
     response = delete_access_token_cookie(response)
     response = delete_refresh_token_cookie(response)
     response = delete_oauth2_state_cookie(response)
@@ -159,7 +150,7 @@ async def refresh_tokens(request: Request) -> Response:
     assert isinstance(access_token_expiry := request.app.state.access_token_expiry, timedelta)
     assert isinstance(refresh_token_expiry := request.app.state.refresh_token_expiry, timedelta)
     if (refresh_token := request.cookies.get(PHOENIX_REFRESH_TOKEN_COOKIE_NAME)) is None:
-        raise HTTPException(status_code=HTTP_401_UNAUTHORIZED, detail="Missing refresh token")
+        raise HTTPException(status_code=401, detail="Missing refresh token")
     token_store: TokenStore = request.app.state.get_token_store()
     refresh_token_claims = await token_store.read(Token(refresh_token))
     if (
@@ -169,9 +160,9 @@ async def refresh_tokens(request: Request) -> Response:
         or (user_id := int(refresh_token_claims.subject)) is None
         or (expiration_time := refresh_token_claims.expiration_time) is None
     ):
-        raise HTTPException(status_code=HTTP_401_UNAUTHORIZED, detail="Invalid refresh token")
+        raise HTTPException(status_code=401, detail="Invalid refresh token")
     if expiration_time.timestamp() < datetime.now().timestamp():
-        raise HTTPException(status_code=HTTP_401_UNAUTHORIZED, detail="Expired refresh token")
+        raise HTTPException(status_code=401, detail="Expired refresh token")
     await token_store.revoke(refresh_token_id)
 
     if (
@@ -189,14 +180,14 @@ async def refresh_tokens(request: Request) -> Response:
                 select(models.User).filter_by(id=user_id).options(joinedload(models.User.role))
             )
         ) is None:
-            raise HTTPException(status_code=HTTP_404_NOT_FOUND, detail="User not found")
+            raise HTTPException(status_code=404, detail="User not found")
     access_token, refresh_token = await create_access_and_refresh_tokens(
         token_store=token_store,
         user=user,
         access_token_expiry=access_token_expiry,
         refresh_token_expiry=refresh_token_expiry,
     )
-    response = Response(status_code=HTTP_204_NO_CONTENT)
+    response = Response(status_code=204)
     response = set_access_token_cookie(
         response=response, access_token=access_token, max_age=access_token_expiry
     )
@@ -209,7 +200,7 @@ async def refresh_tokens(request: Request) -> Response:
 @router.post("/password-reset-email")
 async def initiate_password_reset(request: Request) -> Response:
     if get_env_disable_basic_auth():
-        raise HTTPException(status_code=HTTP_403_FORBIDDEN)
+        raise HTTPException(status_code=403)
     data = await request.json()
     if not (email := data.get("email")):
         raise MISSING_EMAIL
@@ -231,7 +222,7 @@ async def initiate_password_reset(request: Request) -> Response:
         )
     if user is None or user.auth_method != "LOCAL":
         # Withold privileged information
-        return Response(status_code=HTTP_204_NO_CONTENT)
+        return Response(status_code=204)
     token_store: TokenStore = request.app.state.get_token_store()
     if user.password_reset_token:
         await token_store.revoke(PasswordResetTokenId(user.password_reset_token.id))
@@ -247,13 +238,13 @@ async def initiate_password_reset(request: Request) -> Response:
     components = (url.scheme, url.netloc, path, "", query_string, "")
     reset_url = urlunparse(components)
     await sender.send_password_reset_email(email, reset_url)
-    return Response(status_code=HTTP_204_NO_CONTENT)
+    return Response(status_code=204)
 
 
 @router.post("/password-reset")
 async def reset_password(request: Request) -> Response:
     if get_env_disable_basic_auth():
-        raise HTTPException(status_code=HTTP_403_FORBIDDEN)
+        raise HTTPException(status_code=403)
     data = await request.json()
     if not (password := data.get("password")):
         raise MISSING_PASSWORD
@@ -270,7 +261,7 @@ async def reset_password(request: Request) -> Response:
         user = await session.scalar(select(models.User).filter_by(id=int(user_id)))
     if user is None or user.auth_method != "LOCAL":
         # Withold privileged information
-        return Response(status_code=HTTP_204_NO_CONTENT)
+        return Response(status_code=204)
     validate_password_format(password)
     user.password_salt = secrets.token_bytes(DEFAULT_SECRET_LENGTH)
     loop = asyncio.get_running_loop()
@@ -281,7 +272,7 @@ async def reset_password(request: Request) -> Response:
     async with request.app.state.db() as session:
         session.add(user)
         await session.flush()
-    response = Response(status_code=HTTP_204_NO_CONTENT)
+    response = Response(status_code=204)
     assert (token_id := claims.token_id)
     await token_store.revoke(token_id)
     await token_store.log_out(UserId(user.id))
@@ -291,18 +282,18 @@ async def reset_password(request: Request) -> Response:
 LOGIN_FAILED_MESSAGE = "Invalid email and/or password"
 
 MISSING_EMAIL = HTTPException(
-    status_code=HTTP_422_UNPROCESSABLE_ENTITY,
+    status_code=422,
     detail="Email required",
 )
 MISSING_PASSWORD = HTTPException(
-    status_code=HTTP_422_UNPROCESSABLE_ENTITY,
+    status_code=422,
     detail="Password required",
 )
 SMTP_UNAVAILABLE = HTTPException(
-    status_code=HTTP_503_SERVICE_UNAVAILABLE,
+    status_code=503,
     detail="SMTP server not configured",
 )
 INVALID_TOKEN = HTTPException(
-    status_code=HTTP_401_UNAUTHORIZED,
+    status_code=401,
     detail="Invalid token",
 )

phoenix/server/api/routers/oauth2.py

@@ -1,6 +1,6 @@
 import logging
 import re
-from dataclasses import dataclass
+from dataclasses import dataclass, field
 from datetime import timedelta
 from random import randrange
 from typing import Any, Optional, TypedDict
@@ -19,17 +19,19 @@ from sqlean.dbapi2 import IntegrityError as SQLiteIntegrityError  # type: ignore
 from starlette.datastructures import URL, Secret, URLPath
 from starlette.responses import RedirectResponse
 from starlette.routing import Router
-from starlette.status import HTTP_302_FOUND
 from typing_extensions import Annotated, NotRequired, TypeGuard
 
 from phoenix.auth import (
     DEFAULT_OAUTH2_LOGIN_EXPIRY_MINUTES,
+    PHOENIX_OAUTH2_CODE_VERIFIER_COOKIE_NAME,
     PHOENIX_OAUTH2_NONCE_COOKIE_NAME,
     PHOENIX_OAUTH2_STATE_COOKIE_NAME,
+    delete_oauth2_code_verifier_cookie,
     delete_oauth2_nonce_cookie,
     delete_oauth2_state_cookie,
     sanitize_email,
     set_access_token_cookie,
+    set_oauth2_code_verifier_cookie,
     set_oauth2_nonce_cookie,
     set_oauth2_state_cookie,
     set_refresh_token_cookie,
@@ -41,6 +43,7 @@ from phoenix.config import (
 from phoenix.db import models
 from phoenix.server.api.auth_messages import AuthErrorCode
 from phoenix.server.bearer_auth import create_access_and_refresh_tokens
+from phoenix.server.oauth2 import OAuth2Client
 from phoenix.server.rate_limiters import (
     ServerRateLimiter,
     fastapi_ip_rate_limiter,
@@ -117,7 +120,7 @@ async def login(
     assert isinstance(authorization_url := authorization_url_data.get("url"), str)
     assert isinstance(state := authorization_url_data.get("state"), str)
     assert isinstance(nonce := authorization_url_data.get("nonce"), str)
-    response = RedirectResponse(url=authorization_url, status_code=HTTP_302_FOUND)
+    response = RedirectResponse(url=authorization_url, status_code=302)
     response = set_oauth2_state_cookie(
         response=response,
         state=state,
@@ -128,6 +131,12 @@ async def login(
         nonce=nonce,
         max_age=timedelta(minutes=DEFAULT_OAUTH2_LOGIN_EXPIRY_MINUTES),
     )
+    if code_verifier := authorization_url_data.get("code_verifier"):
+        response = set_oauth2_code_verifier_cookie(
+            response=response,
+            code_verifier=code_verifier,
+            max_age=timedelta(minutes=DEFAULT_OAUTH2_LOGIN_EXPIRY_MINUTES),
+        )
     return response
 
 
@@ -135,12 +144,15 @@ async def login(
 async def create_tokens(
     request: Request,
     idp_name: Annotated[str, Path(min_length=1, pattern=_LOWERCASE_ALPHANUMS_AND_UNDERSCORES)],
-    state: str = Query(),
-    authorization_code: Optional[str] = Query(default=None, alias="code"),
-    error: Optional[str] = Query(default=None),
+    state: str = Query(),  # RFC 6749 §4.1.1: CSRF protection via state parameter
+    authorization_code: Optional[str] = Query(default=None, alias="code"),  # RFC 6749 §4.1.2
+    error: Optional[str] = Query(default=None),  # RFC 6749 §4.1.2.1: Error response
     error_description: Optional[str] = Query(default=None),
     stored_state: str = Cookie(alias=PHOENIX_OAUTH2_STATE_COOKIE_NAME),
-    stored_nonce: str = Cookie(alias=PHOENIX_OAUTH2_NONCE_COOKIE_NAME),
+    stored_nonce: str = Cookie(alias=PHOENIX_OAUTH2_NONCE_COOKIE_NAME),  # OIDC Core §3.1.2.1
+    code_verifier: Optional[str] = Cookie(
+        default=None, alias=PHOENIX_OAUTH2_CODE_VERIFIER_COOKIE_NAME
+    ),  # RFC 7636 §4.1
 ) -> RedirectResponse:
     # Security Note: Query parameters should be treated as untrusted user input. Never display
     # these values directly to users as they could be manipulated for XSS, phishing, or social
@@ -159,6 +171,7 @@ async def create_tokens(
         logger.error("OAuth2 callback missing authorization code for IDP %s", idp_name)
         return _redirect_to_login(request=request, error="auth_failed")
     secret = request.app.state.get_secret()
+    # RFC 6749 §10.12: CSRF protection - validate state parameter
     if state != stored_state:
         return _redirect_to_login(request=request, error="invalid_state")
     try:
@@ -173,13 +186,26 @@ async def create_tokens(
     assert isinstance(refresh_token_expiry := request.app.state.refresh_token_expiry, timedelta)
     token_store: TokenStore = request.app.state.get_token_store()
     try:
-        token_data = await oauth2_client.fetch_access_token(
+        # RFC 6749 §4.1.3: Token request - exchange authorization code for tokens
+        fetch_kwargs: dict[str, Any] = dict(
             state=state,
             code=authorization_code,
-            redirect_uri=_get_create_tokens_endpoint(
+            redirect_uri=_get_create_tokens_endpoint(  # RFC 6749 §3.1.2
                 request=request, origin_url=payload["origin_url"], idp_name=idp_name
             ),
         )
+        # PKCE validation: code_verifier is required when PKCE is enabled (RFC 7636 §4.5)
+        if oauth2_client.use_pkce:
+            if not code_verifier:
+                logger.error(
+                    "PKCE enabled but code_verifier cookie missing for IDP %s. "
+                    "This may indicate a cookie issue, CORS misconfiguration, or "
+                    "browser compatibility problem.",
+                    idp_name,
+                )
+                return _redirect_to_login(request=request, error="auth_failed")
+            fetch_kwargs["code_verifier"] = code_verifier
+        token_data = await oauth2_client.fetch_access_token(**fetch_kwargs)
     except OAuthError as e:
         logger.error("OAuth2 error for IDP %s: %s", idp_name, e)
         return _redirect_to_login(request=request, error="oauth_error")
@@ -187,13 +213,28 @@ async def create_tokens(
     if "id_token" not in token_data:
         logger.error("OAuth2 IDP %s does not appear to support OpenID Connect", idp_name)
         return _redirect_to_login(request=request, error="no_oidc_support")
-    user_info = await oauth2_client.parse_id_token(token_data, nonce=stored_nonce)
+
+    id_token_claims = await oauth2_client.parse_id_token(token_data, nonce=stored_nonce)
+
+    if oauth2_client.has_sufficient_claims(id_token_claims):
+        user_claims = id_token_claims
+    else:
+        user_claims = await _fetch_and_merge_userinfo_claims(
+            oauth2_client, token_data, id_token_claims
+        )
+
     try:
-        user_info = _parse_user_info(user_info)
-    except MissingEmailScope as e:
-        logger.error("Missing email scope for IDP %s: %s", idp_name, e)
+        user_info = _parse_user_info(user_claims)
+    except (MissingEmailScope, InvalidUserInfo) as e:
+        logger.error("Error parsing user info for IDP %s: %s", idp_name, e)
         return _redirect_to_login(request=request, error="missing_email_scope")
 
+    try:
+        oauth2_client.validate_access(user_info.claims)
+    except PermissionError as e:
+        logger.error("Access validation failed for IDP %s: %s", idp_name, e)
+        return _redirect_to_login(request=request, error="auth_failed")
+
     try:
         async with request.app.state.db() as session:
             user = await _process_oauth2_user(
@@ -217,7 +258,7 @@ async def create_tokens(
     redirect_path = prepend_root_path(request.scope, return_url or "/")
     response = RedirectResponse(
         url=redirect_path,
-        status_code=HTTP_302_FOUND,
+        status_code=302,
     )
     response = set_access_token_cookie(
         response=response, access_token=access_token, max_age=access_token_expiry
@@ -227,6 +268,7 @@ async def create_tokens(
     )
     response = delete_oauth2_state_cookie(response)
     response = delete_oauth2_nonce_cookie(response)
+    response = delete_oauth2_code_verifier_cookie(response)
     return response
 
 
@@ -236,6 +278,7 @@ class UserInfo:
     email: str
     username: Optional[str] = None
     profile_picture_url: Optional[str] = None
+    claims: dict[str, Any] = field(default_factory=dict)
 
     def __post_init__(self) -> None:
         if not (idp_user_id := (self.idp_user_id or "").strip()):
@@ -250,9 +293,64 @@ class UserInfo:
             object.__setattr__(self, "profile_picture_url", profile_picture_url)
 
 
+async def _fetch_and_merge_userinfo_claims(
+    oauth2_client: OAuth2Client,
+    token_data: dict[str, Any],
+    id_token_claims: dict[str, Any],
+) -> dict[str, Any]:
+    """
+    Fetch claims from UserInfo endpoint and merge with ID token claims.
+
+    Why this is necessary (OIDC Core §5.4, §5.5):
+    When claims are requested via scopes (e.g., "profile", "email"), OIDC Core §5.4
+    specifies which claims are "REQUESTED" but does not mandate WHERE they must be
+    returned. Similarly, §5.5 allows requesting specific claims via the "claims"
+    parameter, but providers have discretion on whether to return them in the ID token
+    or UserInfo response. In practice, providers often return certain claims (especially
+    large ones like groups) only via UserInfo to keep ID tokens compact.
+
+    The UserInfo endpoint (OIDC Core §5.3) provides additional claims beyond what's
+    in the ID token, such as group memberships or custom attributes. This function:
+
+    1. Calls the UserInfo endpoint using the access token (OIDC Core §5.3.1, RFC 6750)
+    2. Merges userinfo claims with ID token claims
+    3. ID token claims override userinfo claims when both contain the same claim
+
+    Why ID token takes precedence (OIDC Core §5.3.2):
+    - ID tokens are signed JWTs that have been cryptographically verified
+    - UserInfo responses may be unsigned
+    - Signed claims are the authoritative source when present in both
+
+    Fallback behavior:
+    If the UserInfo request fails, returns only ID token claims. The returned claims
+    may be incomplete (missing email or groups), but subsequent validation will catch this:
+    - Missing email: _parse_user_info() raises MissingEmailScope
+    - Missing groups: validate_access() raises PermissionError if access is denied
+
+    Args:
+        oauth2_client: The OAuth2 client to use for fetching userinfo
+        token_data: Token response containing the access token (RFC 6749 §5.1)
+        id_token_claims: Claims from the verified ID token (OIDC Core §3.1.3.3)
+
+    Returns:
+        Merged claims dictionary with ID token claims overriding userinfo claims
+    """
+    try:
+        # OIDC Core §5.3.1: UserInfo request authenticated with access token
+        userinfo_claims = await oauth2_client.userinfo(token=token_data)
+        # ID token claims take precedence (signed and verified)
+        return {**userinfo_claims, **id_token_claims}
+    except Exception:
+        # Fallback: ID token has essential claims for authentication
+        return id_token_claims
+
+
 def _validate_token_data(token_data: dict[str, Any]) -> None:
     """
     Performs basic validations on the token data returned by the IDP.
+
+    RFC 6749 §5.1: Successful response must include access_token and token_type.
+    RFC 6750 §1.1: Bearer token type for HTTP authentication.
     """
     assert isinstance(token_data.get("access_token"), str)
     assert isinstance(token_type := token_data.get("token_type"), str)
@@ -262,25 +360,107 @@ def _validate_token_data(token_data: dict[str, Any]) -> None:
 def _parse_user_info(user_info: dict[str, Any]) -> UserInfo:
     """
     Parses user info from the IDP's ID token.
-    """
-    assert isinstance(subject := user_info.get("sub"), (str, int))
-    idp_user_id = str(subject)
+
+    Validates required OIDC claims and extracts user information according to the
+    OpenID Connect Core 1.0 specification.
+
+    Args:
+        user_info: Claims from the ID token (validated JWT payload)
+
+    Returns:
+        UserInfo object with validated user data
+
+    Raises:
+        InvalidUserInfo: If required claims are missing or malformed
+        MissingEmailScope: If email claim is missing or invalid
+
+    ID Token Required Claims (OIDC Core §2, §3.1.3.3):
+        - iss (issuer): Identifier for the OpenID Provider
+        - sub (subject): Unique identifier for the End-User at the Issuer
+        - aud (audience): Client ID this ID token is intended for
+        - exp (expiration): Expiration time
+        - iat (issued at): Time the JWT was issued
+        - nonce (if sent in auth request): Value sent in the Authentication Request
+
+    Application-Required Claims:
+        - email: Required by this application for user identification
+
+    Optional Standard Claims (OIDC Core §5.1):
+        - name: Full name
+        - picture: Profile picture URL
+        - Other profile, email, address, and phone claims
+
+    Note: While iss, sub, aud, exp, iat are REQUIRED in all ID tokens per spec,
+    other claims like email, name, groups are optional and may appear in the ID token,
+    UserInfo response, or both depending on what was requested and provider implementation.
+    """
+    # Validate 'sub' claim (OIDC required, MUST be a string per spec)
+    subject = user_info.get("sub")
+    if subject is None:
+        raise InvalidUserInfo(
+            "Missing required 'sub' claim in ID token. "
+            "Please check your OIDC provider configuration."
+        )
+
+    # OIDC spec: sub MUST be a string, but some IDPs send integers
+    # Convert to string for compatibility
+    if isinstance(subject, (str, int)):
+        idp_user_id = str(subject).strip()
+    else:
+        raise InvalidUserInfo(
+            f"Invalid 'sub' claim type: {type(subject).__name__}. Expected string or integer."
+        )
+
+    if not idp_user_id:
+        raise InvalidUserInfo("The 'sub' claim cannot be empty.")
+
+    # Validate 'email' claim (application requirement)
     email = user_info.get("email")
-    if not isinstance(email, str):
+    if not isinstance(email, str) or not email.strip():
         raise MissingEmailScope(
-            "Please ensure your OIDC provider is configured to use the 'email' scope."
+            "Missing or invalid 'email' claim. "
+            "Please ensure your OIDC provider is configured to include the 'email' scope."
         )
+    email = email.strip()
+
+    # Optional: 'name' claim (Full name)
+    username = user_info.get("name")
+    if username is not None:
+        if not isinstance(username, str):
+            # Some IDPs might send unexpected types; ignore gracefully
+            username = None
+        else:
+            username = username.strip() or None
+
+    # Optional: 'picture' claim (Profile picture URL)
+    profile_picture_url = user_info.get("picture")
+    if profile_picture_url is not None:
+        if not isinstance(profile_picture_url, str):
+            # Some IDPs might send unexpected types; ignore gracefully
+            profile_picture_url = None
+        else:
+            profile_picture_url = profile_picture_url.strip() or None
+
+    # Keep only non-empty claim values for downstream processing
+    def _has_value(v: Any) -> bool:
+        """Check if a claim value is considered non-empty."""
+        if v is None:
+            return False
+        if isinstance(v, str):
+            return bool(v.strip())
+        if isinstance(v, (list, dict, set, tuple)):
+            return len(v) > 0
+        # Include all other types (numbers, booleans, etc.)
+        return True
+
+    filtered_claims = {k: v for k, v in user_info.items() if _has_value(v)}
 
-    assert isinstance(username := user_info.get("name"), str) or username is None
-    assert (
-        isinstance(profile_picture_url := user_info.get("picture"), str)
-        or profile_picture_url is None
-    )
     return UserInfo(
         idp_user_id=idp_user_id,
         email=email,
         username=username,
         profile_picture_url=profile_picture_url,
+        claims=filtered_claims,
     )
 
 
@@ -582,6 +762,14 @@ class MissingEmailScope(Exception):
     pass
 
 
+class InvalidUserInfo(Exception):
+    """
+    Raised when the OIDC user info is malformed or missing required claims.
+    """
+
+    pass
+
+
 def _redirect_to_login(*, request: Request, error: AuthErrorCode) -> RedirectResponse:
     """
     Creates a RedirectResponse to the login page to display an error code.
@@ -595,6 +783,7 @@ def _redirect_to_login(*, request: Request, error: AuthErrorCode) -> RedirectRes
     response = RedirectResponse(url=url)
     response = delete_oauth2_state_cookie(response)
     response = delete_oauth2_nonce_cookie(response)
+    response = delete_oauth2_code_verifier_cookie(response)
     return response
 
 

phoenix/server/api/routers/v1/__init__.py

@@ -1,6 +1,5 @@
 from fastapi import APIRouter, Depends, HTTPException, Request
 from fastapi.security import APIKeyHeader
-from starlette.status import HTTP_403_FORBIDDEN
 
 from phoenix.server.bearer_auth import is_authenticated
 
@@ -30,7 +29,7 @@ async def prevent_access_in_read_only_mode(request: Request) -> None:
     if request.app.state.read_only:
         raise HTTPException(
             detail="The Phoenix REST API is disabled in read-only mode.",
-            status_code=HTTP_403_FORBIDDEN,
+            status_code=403,
         )
 
 
@@ -57,7 +56,7 @@ def create_v1_router(authentication_enabled: bool) -> APIRouter:
         dependencies=dependencies,
         responses=add_errors_to_responses(
             [
-                HTTP_403_FORBIDDEN  # adds a 403 response to routes in the generated OpenAPI schema
+                403  # adds a 403 response to routes in the generated OpenAPI schema
             ]
         ),
     )