arize-phoenix 12.3.0__py3-none-any.whl → 12.4.0__py3-none-any.whl

phoenix/server/authorization.py

@@ -23,7 +23,6 @@ Usage:
 """
 
 from fastapi import HTTPException, Request
-from fastapi import status as fastapi_status
 
 from phoenix.config import get_env_support_email
 from phoenix.server.bearer_auth import PhoenixUser
@@ -49,7 +48,7 @@ def require_admin(request: Request) -> None:
     # System users have all privileges
     if not (isinstance(user, PhoenixUser) and user.is_admin):
         raise HTTPException(
-            status_code=fastapi_status.HTTP_403_FORBIDDEN,
+            status_code=403,
             detail="Only admin or system users can perform this action.",
         )
 
@@ -82,6 +81,6 @@ def is_not_locked(request: Request) -> None:
         if support_email := get_env_support_email():
             detail += f" Need help? Contact us at {support_email}"
         raise HTTPException(
-            status_code=fastapi_status.HTTP_507_INSUFFICIENT_STORAGE,
+            status_code=507,
             detail=detail,
         )

phoenix/server/bearer_auth.py

@@ -9,7 +9,6 @@ from fastapi import HTTPException, Request, WebSocket, WebSocketException
 from grpc_interceptor import AsyncServerInterceptor
 from starlette.authentication import AuthCredentials, AuthenticationBackend, BaseUser
 from starlette.requests import HTTPConnection
-from starlette.status import HTTP_401_UNAUTHORIZED
 from typing_extensions import override
 
 from phoenix import config
@@ -144,16 +143,16 @@ async def is_authenticated(
     """
     assert request or websocket
     if request and not isinstance((user := request.user), PhoenixUser):
-        raise HTTPException(status_code=HTTP_401_UNAUTHORIZED, detail="Invalid token")
+        raise HTTPException(status_code=401, detail="Invalid token")
     if websocket and not isinstance((user := websocket.user), PhoenixUser):
-        raise WebSocketException(code=HTTP_401_UNAUTHORIZED, reason="Invalid token")
+        raise WebSocketException(code=401, reason="Invalid token")
     if isinstance(user, PhoenixSystemUser):
         return
     claims = user.claims
     if claims.status is ClaimSetStatus.EXPIRED:
-        raise HTTPException(status_code=HTTP_401_UNAUTHORIZED, detail="Expired token")
+        raise HTTPException(status_code=401, detail="Expired token")
     if claims.status is not ClaimSetStatus.VALID:
-        raise HTTPException(status_code=HTTP_401_UNAUTHORIZED, detail="Invalid token")
+        raise HTTPException(status_code=401, detail="Invalid token")
 
 
 async def create_access_and_refresh_tokens(

phoenix/server/oauth2.py

@@ -1,6 +1,7 @@
 from collections.abc import Iterable
 from typing import Any, Iterator, Optional
 
+import jmespath
 from authlib.integrations.base_client import BaseApp
 from authlib.integrations.base_client.async_app import AsyncOAuth2Mixin
 from authlib.integrations.base_client.async_openid import AsyncOpenIDMixin
@@ -25,13 +26,58 @@ class OAuth2Client(AsyncOAuth2Mixin, AsyncOpenIDMixin, BaseApp):  # type:ignore[
         display_name: str,
         allow_sign_up: bool,
         auto_login: bool,
+        use_pkce: bool = False,
+        groups_attribute_path: Optional[str] = None,
+        allowed_groups: Optional[list[str]] = None,
         **kwargs: Any,
     ) -> None:
         self._display_name = display_name
         self._allow_sign_up = allow_sign_up
         self._auto_login = auto_login
+        self._use_pkce = use_pkce
+
+        self._groups_attribute_path = (
+            groups_attribute_path.strip()
+            if groups_attribute_path and groups_attribute_path.strip()
+            else None
+        )
+
+        if allowed_groups:
+            self._allowed_groups = {g for g in allowed_groups if g.strip()}
+        else:
+            self._allowed_groups = set()
+
+        if self._allowed_groups and not self._groups_attribute_path:
+            raise ValueError(
+                "groups_attribute_path must be specified when allowed_groups is configured. "
+                "Group-based access control requires both parameters to be set."
+            )
+
+        if self._groups_attribute_path and not self._allowed_groups:
+            raise ValueError(
+                "allowed_groups must be specified when groups_attribute_path is configured. "
+                "Group-based access control requires both parameters to be set. "
+                "If you don't need group-based access control, remove groups_attribute_path."
+            )
+
+        self._compiled_groups_path = self._compile_jmespath_expression(self._groups_attribute_path)
         super().__init__(framework=None, *args, **kwargs)
-        self._allow_sign_up = allow_sign_up
+
+    @staticmethod
+    def _compile_jmespath_expression(path: Optional[str]) -> Optional[jmespath.parser.ParsedResult]:
+        """Validate and compile JMESPath expression at startup for fail-fast behavior."""
+        if not path:
+            return None
+
+        try:
+            return jmespath.compile(path)
+        except (jmespath.exceptions.JMESPathError, jmespath.exceptions.ParseError) as e:
+            raise ValueError(
+                f"Invalid JMESPath expression in GROUPS_ATTRIBUTE_PATH: '{path}'. Error: {e}. "
+                "Hint: Claim keys with special characters (colons, dots, slashes, hyphens) "
+                "must be enclosed in double quotes. "
+                "Examples: '\"cognito:groups\"', '\"https://myapp.com/groups\"'"
+            ) from e
 
     @property
     def allow_sign_up(self) -> bool:
@@ -45,6 +91,113 @@ class OAuth2Client(AsyncOAuth2Mixin, AsyncOpenIDMixin, BaseApp):  # type:ignore[
     def display_name(self) -> str:
         return self._display_name
 
+    @property
+    def use_pkce(self) -> bool:
+        return self._use_pkce
+
+    def has_sufficient_claims(self, claims: dict[str, Any]) -> bool:
+        """
+        Check if the ID token contains all application-required claims.
+
+        OIDC Core §2 mandates that ID tokens contain authentication claims (iss, sub, aud,
+        exp, iat), but user profile claims (email, name, groups) are optional and may only
+        be available via UserInfo endpoint (§5.4, §5.5). This method determines if we need
+        to call UserInfo.
+
+        Application-required claims:
+        - email: Required for user identification and account creation
+        - groups: Required if group-based access control is configured
+
+        If any required claim is missing, returns False to trigger UserInfo endpoint call.
+
+        Args:
+            claims: Claims from ID token (OIDC Core §3.1.3.3)
+
+        Returns:
+            True if all application-required claims are present (UserInfo not needed)
+            False if additional claims must be fetched from UserInfo endpoint
+        """
+        # Check for email claim (required by application)
+        email = claims.get("email")
+        if not email or not isinstance(email, str) or not email.strip():
+            # Email missing or invalid, need UserInfo
+            return False
+
+        # Check for group claims if group-based access control is configured
+        if self._compiled_groups_path:
+            groups = self._extract_groups_from_claims(claims)
+            if len(groups) == 0:
+                # Groups required but not present, need UserInfo
+                return False
+
+        # All required claims present
+        return True
+
+    def validate_access(self, user_claims: dict[str, Any]) -> None:
+        """
+        Validate that the user has access based on configured claim-based access control.
+
+        Currently supports group-based access control. In the future, this may be extended
+        to support organization-based or other claim-based authorization mechanisms.
+
+        Args:
+            user_claims: Claims from the OIDC ID token (OIDC Core §3.1.3.3) or userinfo
+                endpoint (OIDC Core §5.3). Custom claims for groups/roles are extracted
+                per OIDC Core §5.1.2 (Additional Claims).
+
+        Raises:
+            PermissionError: If user doesn't meet the access requirements
+        """
+        if not self._allowed_groups or not self._groups_attribute_path:
+            return
+
+        user_groups = self._extract_groups_from_claims(user_claims)
+
+        if not any(group in self._allowed_groups for group in user_groups):
+            raise PermissionError(
+                "Access denied. Your account does not belong to any authorized groups."
+            )
+
+    def _extract_groups_from_claims(self, claims: dict[str, Any]) -> list[str]:
+        """Extract group values from claims using the configured JMESPath expression."""
+        if not self._compiled_groups_path:
+            return []
+
+        result = self._compiled_groups_path.search(claims)
+        return self._normalize_to_string_list(result)
+
+    @staticmethod
+    def _normalize_to_string_list(value: Any) -> list[str]:
+        """
+        Normalize a JMESPath result to a list of strings.
+
+        Handles common OIDC claim formats: single values, lists, and scalar types.
+        Non-scalar items (dicts, nested lists) are silently skipped.
+
+        Args:
+            value: Result from JMESPath query
+
+        Returns:
+            List of string values, or empty list if value cannot be normalized
+        """
+        if value is None:
+            return []
+
+        if isinstance(value, str):
+            return [value]
+
+        if isinstance(value, (int, float, bool)):
+            return [str(value)]
+
+        if isinstance(value, list):
+            return [
+                str(item) if isinstance(item, (int, float, bool)) else item
+                for item in value
+                if isinstance(item, (str, int, float, bool))
+            ]
+
+        return []
+
 
 class OAuth2Clients:
     def __init__(self) -> None:
@@ -67,16 +220,30 @@ class OAuth2Clients:
     def add_client(self, config: OAuth2ClientConfig) -> None:
         if (idp_name := config.idp_name) in self._clients:
             raise ValueError(f"oauth client already registered: {idp_name}")
+        # RFC 6749 §3.3: scope parameter (space-delimited list of scopes)
+        client_kwargs = {"scope": config.scopes}
+
+        if config.token_endpoint_auth_method:
+            # OIDC Core §9: Client authentication method at token endpoint
+            client_kwargs["token_endpoint_auth_method"] = config.token_endpoint_auth_method
+        if config.use_pkce:
+            # Always use S256 for PKCE (RFC 7636 §4.2: SHA-256 code challenge method)
+            client_kwargs["code_challenge_method"] = "S256"
+
         client = OAuth2Client(
             name=config.idp_name,
-            client_id=config.client_id,
-            client_secret=config.client_secret,
-            server_metadata_url=config.oidc_config_url,
-            client_kwargs={"scope": "openid email profile"},
+            client_id=config.client_id,  # RFC 6749 §2.2
+            client_secret=config.client_secret,  # RFC 6749 §2.3.1
+            server_metadata_url=config.oidc_config_url,  # OIDC Discovery §4
+            client_kwargs=client_kwargs,
             display_name=config.idp_display_name,
             allow_sign_up=config.allow_sign_up,
             auto_login=config.auto_login,
+            use_pkce=config.use_pkce,
+            groups_attribute_path=config.groups_attribute_path,
+            allowed_groups=config.allowed_groups,
         )
+
         if config.auto_login:
             if self._auto_login_client:
                 raise ValueError("only one auto-login client is allowed")

phoenix/server/static/.vite/manifest.json

@@ -1,21 +1,21 @@
 {
-  "_components-Bs8eJEpU.js": {
-    "file": "assets/components-Bs8eJEpU.js",
+  "_components-BvsExS75.js": {
+    "file": "assets/components-BvsExS75.js",
     "name": "components",
     "imports": [
       "_vendor-D2eEI-6h.js",
-      "_pages-D-n2pkoG.js",
+      "_pages-Ckg4SLQ9.js",
       "_vendor-arizeai-kfOei7nf.js",
       "_vendor-codemirror-1bq_t1Ec.js",
       "_vendor-three-BLWp5bic.js"
     ]
   },
-  "_pages-D-n2pkoG.js": {
-    "file": "assets/pages-D-n2pkoG.js",
+  "_pages-Ckg4SLQ9.js": {
+    "file": "assets/pages-Ckg4SLQ9.js",
     "name": "pages",
     "imports": [
       "_vendor-D2eEI-6h.js",
-      "_components-Bs8eJEpU.js",
+      "_components-BvsExS75.js",
       "_vendor-arizeai-kfOei7nf.js",
       "_vendor-codemirror-1bq_t1Ec.js",
       "_vendor-recharts-DQ4xfrf4.js"
@@ -75,15 +75,15 @@
     "name": "vendor-three"
   },
   "index.tsx": {
-    "file": "assets/index-C6WEu5UP.js",
+    "file": "assets/index-iq8WDxat.js",
     "name": "index",
     "src": "index.tsx",
     "isEntry": true,
     "imports": [
       "_vendor-D2eEI-6h.js",
       "_vendor-arizeai-kfOei7nf.js",
-      "_pages-D-n2pkoG.js",
-      "_components-Bs8eJEpU.js",
+      "_pages-Ckg4SLQ9.js",
+      "_components-BvsExS75.js",
       "_vendor-three-BLWp5bic.js",
       "_vendor-codemirror-1bq_t1Ec.js",
       "_vendor-shiki-GGmcIQxA.js",