arize-phoenix 4.36.0__py3-none-any.whl → 5.1.0__py3-none-any.whl

phoenix/auth.py

@@ -1,29 +1,61 @@
+from __future__ import annotations
+
 import re
+from dataclasses import dataclass
+from datetime import datetime, timedelta
+from enum import Enum, auto
 from hashlib import pbkdf2_hmac
+from typing import Any, Literal, Optional, Protocol
+
+from starlette.responses import Response
+from typing_extensions import TypeVar
+
+from phoenix.config import get_env_phoenix_use_secure_cookies
 
+ResponseType = TypeVar("ResponseType", bound=Response)
 
-def compute_password_hash(*, password: str, salt: str) -> str:
+
+def compute_password_hash(*, password: str, salt: bytes) -> bytes:
     """
     Salts and hashes a password using PBKDF2, HMAC, and SHA256.
+
+    Args:
+        password (str): the password to hash
+        salt (bytes): the salt to use, must not be zero-length
+    Returns:
+        bytes: the hashed password
     """
+    assert salt
     password_bytes = password.encode("utf-8")
-    salt_bytes = salt.encode("utf-8")
-    password_hash_bytes = pbkdf2_hmac("sha256", password_bytes, salt_bytes, NUM_ITERATIONS)
-    password_hash = password_hash_bytes.hex()
-    return password_hash
+    return pbkdf2_hmac("sha256", password_bytes, salt, NUM_ITERATIONS)
 
 
-def is_valid_password(*, password: str, salt: str, password_hash: str) -> bool:
+def is_valid_password(*, password: str, salt: bytes, password_hash: bytes) -> bool:
     """
     Determines whether the password is valid by salting and hashing the password
     and comparing against the existing hash value.
+
+    Args:
+        password (str): the password to validate
+        salt (bytes): the salt to use, must not be zero-length
+        password_hash (bytes): the hash to compare against
+    Returns:
+        bool: True if the password is valid, False otherwise
     """
+    assert salt
     return password_hash == compute_password_hash(password=password, salt=salt)
 
 
 def validate_email_format(email: str) -> None:
     """
     Checks that the email has a valid format.
+
+    Args:
+        email (str): the email address to validate
+    Returns:
+        None
+    Raises:
+        ValueError: if the email address is invalid
     """
     if EMAIL_PATTERN.match(email) is None:
         raise ValueError("Invalid email address")
@@ -33,16 +65,245 @@ def validate_password_format(password: str) -> None:
     """
     Checks that the password has a valid format.
     """
-    if not password:
-        raise ValueError("Password must be non-empty")
-    if any(char.isspace() for char in password):
-        raise ValueError("Password cannot contain whitespace characters")
-    if not password.isascii():
-        raise ValueError("Password can contain only ASCII characters")
-    if not len(password) >= MIN_PASSWORD_LENGTH:
-        raise ValueError(f"Password must be at least {MIN_PASSWORD_LENGTH} characters long")
+    PASSWORD_REQUIREMENTS.validate(password)
+
+
+def set_access_token_cookie(
+    *, response: ResponseType, access_token: str, max_age: timedelta
+) -> ResponseType:
+    return _set_cookie(
+        response=response,
+        cookie_name=PHOENIX_ACCESS_TOKEN_COOKIE_NAME,
+        cookie_max_age=max_age,
+        samesite="strict",
+        value=access_token,
+    )
+
+
+def set_refresh_token_cookie(
+    *, response: ResponseType, refresh_token: str, max_age: timedelta
+) -> ResponseType:
+    return _set_cookie(
+        response=response,
+        cookie_name=PHOENIX_REFRESH_TOKEN_COOKIE_NAME,
+        cookie_max_age=max_age,
+        samesite="strict",
+        value=refresh_token,
+    )
+
+
+def set_oauth2_state_cookie(
+    *, response: ResponseType, state: str, max_age: timedelta
+) -> ResponseType:
+    return _set_cookie(
+        response=response,
+        cookie_name=PHOENIX_OAUTH2_STATE_COOKIE_NAME,
+        cookie_max_age=max_age,
+        samesite="lax",
+        value=state,
+    )
+
+
+def set_oauth2_nonce_cookie(
+    *, response: ResponseType, nonce: str, max_age: timedelta
+) -> ResponseType:
+    return _set_cookie(
+        response=response,
+        cookie_name=PHOENIX_OAUTH2_NONCE_COOKIE_NAME,
+        cookie_max_age=max_age,
+        samesite="lax",
+        value=nonce,
+    )
+
+
+def _set_cookie(
+    *,
+    response: ResponseType,
+    cookie_name: str,
+    cookie_max_age: timedelta,
+    samesite: Literal["strict", "lax"],
+    value: str,
+) -> ResponseType:
+    response.set_cookie(
+        key=cookie_name,
+        value=value,
+        secure=get_env_phoenix_use_secure_cookies(),
+        httponly=True,
+        samesite=samesite,
+        max_age=int(cookie_max_age.total_seconds()),
+    )
+    return response
+
+
+def delete_access_token_cookie(response: ResponseType) -> ResponseType:
+    response.delete_cookie(key=PHOENIX_ACCESS_TOKEN_COOKIE_NAME)
+    return response
+
+
+def delete_refresh_token_cookie(response: ResponseType) -> ResponseType:
+    response.delete_cookie(key=PHOENIX_REFRESH_TOKEN_COOKIE_NAME)
+    return response
+
+
+def delete_oauth2_state_cookie(response: ResponseType) -> ResponseType:
+    response.delete_cookie(key=PHOENIX_OAUTH2_STATE_COOKIE_NAME)
+    return response
+
+
+def delete_oauth2_nonce_cookie(response: ResponseType) -> ResponseType:
+    response.delete_cookie(key=PHOENIX_OAUTH2_NONCE_COOKIE_NAME)
+    return response
+
+
+@dataclass(frozen=True)
+class _PasswordRequirements:
+    """
+    Password must be at least `length` characters long. Password must not contain whitespace
+    characters. Password can contain only ASCII characters. The arguments `special_chars`,
+    `digits`, `upper_case`, and `lower_case` control what category of characters will appear
+    in the password. If set to True, at least one character from the corresponding category
+    is guaranteed to appear. Special characters are characters from `!@#$%^&*()_+`, digits
+    are characters from `0123456789`, and uppercase and lowercase characters are characters
+    from the ASCII set of letters.
+
+    Attributes:
+        length (int): the minimum length of the password
+        digits (bool): whether the password must contain at least one digit
+        lower_case (bool): whether the password must contain at least one lowercase letter
+        upper_case (bool): whether the password must contain at least one uppercase letter
+        special_chars (bool): whether the password must contain at least one special character
+    """
+
+    length: int
+    digits: bool = False
+    lower_case: bool = False
+    upper_case: bool = False
+    special_chars: bool = False
+
+    def validate(
+        self,
+        string: str,
+        /,
+        err_msg_subject: Literal["Password", "Phoenix secret"] = "Password",
+    ) -> None:
+        """
+        Validates the password against the requirements.
+
+        Args:
+            string (str): the password to validate
+            err_msg_subject (str, optional): the subject of the error message,
+                defaults to "Password"
+        Returns:
+            None
+        Raises:
+            ValueError: if the password does not meet the requirements
+        """
+        if not string:
+            raise ValueError(f"{err_msg_subject} must be non-empty")
+        if any(char.isspace() for char in string):
+            raise ValueError(f"{err_msg_subject} must not contain whitespace characters")
+        if not string.isascii():
+            raise ValueError(f"{err_msg_subject} must contain only ASCII characters")
+        err_msg = []
+        if len(string) < self.length:
+            err_msg.append(f"must be at least {self.length} characters long")
+        if self.digits and not any(char.isdigit() for char in string):
+            err_msg.append("at least one digit")
+        if self.lower_case and not any(char.islower() for char in string):
+            err_msg.append("at least one lowercase letter")
+        if self.upper_case and not any(char.isupper() for char in string):
+            err_msg.append("at least one uppercase letter")
+        if self.special_chars and not any(char in "!@#$%^&*()_+" for char in string):
+            err_msg.append("at least one special character")
+        if not err_msg:
+            return
+        if len(err_msg) > 1:
+            err_text = f"{err_msg_subject} " + ", ".join(err_msg[:-1]) + ", and " + err_msg[-1]
+        else:
+            err_text = f"{err_msg_subject} {err_msg[0]}"
+        raise ValueError(err_text)
 
 
+DEFAULT_ADMIN_USERNAME = "admin"
+DEFAULT_ADMIN_EMAIL = "admin@localhost"
+DEFAULT_ADMIN_PASSWORD = "admin"
+DEFAULT_SYSTEM_USERNAME = "system"
+DEFAULT_SYSTEM_EMAIL = "system@localhost"
+DEFAULT_SECRET_LENGTH = 32
+DEFAULT_PASSWORD_RESET_TOKEN_EXPIRY_MINUTES = 15
+DEFAULT_ACCESS_TOKEN_EXPIRY_MINUTES = 10
+DEFAULT_REFRESH_TOKEN_EXPIRY_MINUTES = 60 * 24 * 7
+"""The default length of a secret key in bytes."""
 EMAIL_PATTERN = re.compile(r"^[^@\s]+@[^@\s]+[.][^@\s]+\Z")
+"""The regular expression pattern for a valid email address."""
 NUM_ITERATIONS = 10_000
+"""The number of iterations to use for the PBKDF2 key derivation function."""
 MIN_PASSWORD_LENGTH = 4
+"""The minimum length of a password."""
+PASSWORD_REQUIREMENTS = _PasswordRequirements(length=MIN_PASSWORD_LENGTH)
+"""The requirements for a valid password."""
+REQUIREMENTS_FOR_PHOENIX_SECRET = _PasswordRequirements(
+    length=DEFAULT_SECRET_LENGTH, digits=True, lower_case=True
+)
+"""The requirements for the Phoenix secret key."""
+JWT_ALGORITHM = "HS256"
+"""The algorithm to use for the JSON Web Token."""
+PHOENIX_ACCESS_TOKEN_COOKIE_NAME = "phoenix-access-token"
+"""The name of the cookie that stores the Phoenix access token."""
+PHOENIX_REFRESH_TOKEN_COOKIE_NAME = "phoenix-refresh-token"
+"""The name of the cookie that stores the Phoenix refresh token."""
+PHOENIX_OAUTH2_STATE_COOKIE_NAME = "phoenix-oauth2-state"
+"""The name of the cookie that stores the state used for the OAuth2 authorization code flow."""
+PHOENIX_OAUTH2_NONCE_COOKIE_NAME = "phoenix-oauth2-nonce"
+"""The name of the cookie that stores the nonce used for the OAuth2 authorization code flow."""
+DEFAULT_OAUTH2_LOGIN_EXPIRY_MINUTES = 15
+"""
+The default amount of time in minutes that can elapse between the initial
+redirect to the IDP and the invocation of the callback URL during the OAuth2
+authorization code flow.
+"""
+
+
+class Token(str): ...
+
+
+class ClaimSetStatus(Enum):
+    VALID = auto()
+    INVALID = auto()
+    EXPIRED = auto()
+
+
+@dataclass(frozen=True)
+class TokenAttributes: ...
+
+
+@dataclass(frozen=True)
+class ClaimSet:
+    issuer: Optional[Any] = None
+    "Analog of `iss` claim in JWT RFC7519: https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.1"
+    subject: Optional[Any] = None
+    "Analog of `sub` claim in JWT RFC7519: https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.2"
+    audience: Optional[Any] = None
+    "Analog of `aud` claim in JWT RFC7519: https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.3"
+    not_before: Optional[datetime] = None
+    "Analog of `nbf` claim in JWT RFC7519: https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.5"
+    issued_at: Optional[datetime] = None
+    "Analog of `iat` claim in JWT RFC7519: https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.6"
+    expiration_time: Optional[datetime] = None
+    "Analog of `exp` claim in JWT RFC7519: https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.4"
+    token_id: Optional[Any] = None
+    "Analog of `jti` claim in JWT RFC7519: https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.7"
+    attributes: Optional[TokenAttributes] = None
+    "Application/domain-specific claims"
+
+    @property
+    def status(self) -> ClaimSetStatus:
+        if self.expiration_time and self.expiration_time.timestamp() < datetime.now().timestamp():
+            return ClaimSetStatus.EXPIRED
+        if self.token_id is not None and self.subject is not None:
+            return ClaimSetStatus.VALID
+        return ClaimSetStatus.INVALID
+
+
+class CanReadToken(Protocol):
+    async def read(self, token: Token) -> Optional[ClaimSet]: ...

phoenix/config.py

@@ -2,9 +2,12 @@ import logging
 import os
 import re
 import tempfile
+from dataclasses import dataclass
+from datetime import timedelta
 from enum import Enum
 from pathlib import Path
-from typing import Dict, List, Optional, Tuple
+from typing import Dict, List, Optional, Tuple, overload
+from urllib.parse import urlparse
 
 from phoenix.utilities.logging import log_a_list
 
@@ -86,10 +89,50 @@ ENV_PHOENIX_SERVER_INSTRUMENTATION_OTLP_TRACE_COLLECTOR_GRPC_ENDPOINT = (
     "PHOENIX_SERVER_INSTRUMENTATION_OTLP_TRACE_COLLECTOR_GRPC_ENDPOINT"
 )
 
-# Auth is under active development. Phoenix users are strongly advised not to
-# set these environment variables until the feature is officially released.
-ENV_DANGEROUSLY_SET_PHOENIX_ENABLE_AUTH = "DANGEROUSLY_SET_PHOENIX_ENABLE_AUTH"
-ENV_DANGEROUSLY_SET_PHOENIX_SECRET = "DANGEROUSLY_SET_PHOENIX_SECRET"
+# Authentication settings
+ENV_PHOENIX_ENABLE_AUTH = "PHOENIX_ENABLE_AUTH"
+ENV_PHOENIX_DISABLE_RATE_LIMIT = "PHOENIX_DISABLE_RATE_LIMIT"
+ENV_PHOENIX_SECRET = "PHOENIX_SECRET"
+ENV_PHOENIX_API_KEY = "PHOENIX_API_KEY"
+ENV_PHOENIX_USE_SECURE_COOKIES = "PHOENIX_USE_SECURE_COOKIES"
+ENV_PHOENIX_ACCESS_TOKEN_EXPIRY_MINUTES = "PHOENIX_ACCESS_TOKEN_EXPIRY_MINUTES"
+"""
+The duration, in minutes, before access tokens expire.
+"""
+ENV_PHOENIX_REFRESH_TOKEN_EXPIRY_MINUTES = "PHOENIX_REFRESH_TOKEN_EXPIRY_MINUTES"
+"""
+The duration, in minutes, before refresh tokens expire.
+"""
+ENV_PHOENIX_PASSWORD_RESET_TOKEN_EXPIRY_MINUTES = "PHOENIX_PASSWORD_RESET_TOKEN_EXPIRY_MINUTES"
+"""
+The duration, in minutes, before password reset tokens expire.
+"""
+
+# SMTP settings
+ENV_PHOENIX_SMTP_HOSTNAME = "PHOENIX_SMTP_HOSTNAME"
+"""
+The SMTP server hostname to use for sending emails. SMTP is disabled if this is not set.
+"""
+ENV_PHOENIX_SMTP_PORT = "PHOENIX_SMTP_PORT"
+"""
+The SMTP server port to use for sending emails. Defaults to 587.
+"""
+ENV_PHOENIX_SMTP_USERNAME = "PHOENIX_SMTP_USERNAME"
+"""
+The SMTP server username to use for sending emails. Should be set if SMTP is enabled.
+"""
+ENV_PHOENIX_SMTP_PASSWORD = "PHOENIX_SMTP_PASSWORD"
+"""
+The SMTP server password to use for sending emails. Should be set if SMTP is enabled.
+"""
+ENV_PHOENIX_SMTP_MAIL_FROM = "PHOENIX_SMTP_MAIL_FROM"
+"""
+The email address to use as the sender when sending emails. Should be set if SMTP is enabled.
+"""
+ENV_PHOENIX_SMTP_VALIDATE_CERTS = "PHOENIX_SMTP_VALIDATE_CERTS"
+"""
+Whether to validate SMTP server certificates. Defaults to true.
+"""
 
 
 def server_instrumentation_is_enabled() -> bool:
@@ -131,12 +174,16 @@ def get_working_dir() -> Path:
     return Path.home().resolve() / ".phoenix"
 
 
-def get_boolean_env_var(env_var: str) -> Optional[bool]:
+@overload
+def _bool_val(env_var: str) -> Optional[bool]: ...
+@overload
+def _bool_val(env_var: str, default: bool) -> bool: ...
+def _bool_val(env_var: str, default: Optional[bool] = None) -> Optional[bool]:
     """
-    Parses a boolean environment variable, returning None if the variable is not set.
+    Parses a boolean environment variable, returning `default` if the variable is not set.
     """
     if (value := os.environ.get(env_var)) is None:
-        return None
+        return default
     assert (lower := value.lower()) in (
         "true",
         "false",
@@ -144,44 +191,234 @@ def get_boolean_env_var(env_var: str) -> Optional[bool]:
     return lower == "true"
 
 
+@overload
+def _float_val(env_var: str) -> Optional[float]: ...
+@overload
+def _float_val(env_var: str, default: float) -> float: ...
+def _float_val(env_var: str, default: Optional[float] = None) -> Optional[float]:
+    """
+    Parses a numeric environment variable, returning `default` if the variable is not set.
+    """
+    if (value := os.environ.get(env_var)) is None:
+        return default
+    try:
+        return float(value)
+    except ValueError:
+        raise ValueError(
+            f"Invalid value for environment variable {env_var}: {value}. "
+            f"Value must be a number."
+        )
+
+
+@overload
+def _int_val(env_var: str) -> Optional[int]: ...
+@overload
+def _int_val(env_var: str, default: int) -> int: ...
+def _int_val(env_var: str, default: Optional[int] = None) -> Optional[int]:
+    """
+    Parses a numeric environment variable, returning `default` if the variable is not set.
+    """
+    if (value := os.environ.get(env_var)) is None:
+        return default
+    try:
+        return int(value)
+    except ValueError:
+        raise ValueError(
+            f"Invalid value for environment variable {env_var}: {value}. "
+            f"Value must be an integer."
+        )
+
+
 def get_env_enable_auth() -> bool:
     """
-    Gets the value of the DANGEROUSLY_SET_PHOENIX_ENABLE_AUTH environment variable.
+    Gets the value of the PHOENIX_ENABLE_AUTH environment variable.
     """
-    return get_boolean_env_var(ENV_DANGEROUSLY_SET_PHOENIX_ENABLE_AUTH) is True
+    return _bool_val(ENV_PHOENIX_ENABLE_AUTH, False)
+
+
+def get_env_disable_rate_limit() -> bool:
+    """
+    Gets the value of the PHOENIX_DISABLE_RATE_LIMIT environment variable.
+    """
+    return _bool_val(ENV_PHOENIX_DISABLE_RATE_LIMIT, False)
 
 
 def get_env_phoenix_secret() -> Optional[str]:
     """
-    Gets the value of the DANGEROUSLY_SET_PHOENIX_SECRET environment variable
+    Gets the value of the PHOENIX_SECRET environment variable
     and performs validation.
     """
-    phoenix_secret = os.environ.get(ENV_DANGEROUSLY_SET_PHOENIX_SECRET)
+    phoenix_secret = os.environ.get(ENV_PHOENIX_SECRET)
     if phoenix_secret is None:
         return None
-    # todo: add validation for the phoenix secret
+    from phoenix.auth import REQUIREMENTS_FOR_PHOENIX_SECRET
+
+    REQUIREMENTS_FOR_PHOENIX_SECRET.validate(phoenix_secret, "Phoenix secret")
     return phoenix_secret
 
 
-def get_auth_settings() -> Tuple[bool, Optional[str]]:
+def get_env_phoenix_use_secure_cookies() -> bool:
+    return _bool_val(ENV_PHOENIX_USE_SECURE_COOKIES, False)
+
+
+def get_env_phoenix_api_key() -> Optional[str]:
+    return os.environ.get(ENV_PHOENIX_API_KEY)
+
+
+def get_env_auth_settings() -> Tuple[bool, Optional[str]]:
     """
     Gets auth settings and performs validation.
     """
     enable_auth = get_env_enable_auth()
     phoenix_secret = get_env_phoenix_secret()
-    if enable_auth:
-        assert phoenix_secret, (
-            "DANGEROUSLY_SET_PHOENIX_SECRET must be set "
-            "when auth is enabled with DANGEROUSLY_SET_PHOENIX_ENABLE_AUTH"
-        )
-    else:
-        assert not phoenix_secret, (
-            "DANGEROUSLY_SET_PHOENIX_SECRET cannot be set "
-            "unless auth is enabled with DANGEROUSLY_SET_PHOENIX_ENABLE_AUTH"
+    if enable_auth and not phoenix_secret:
+        raise ValueError(
+            f"`{ENV_PHOENIX_SECRET}` must be set when "
+            f"auth is enabled with `{ENV_PHOENIX_ENABLE_AUTH}`"
         )
     return enable_auth, phoenix_secret
 
 
+def get_env_password_reset_token_expiry() -> timedelta:
+    """
+    Gets the password reset token expiry.
+    """
+    from phoenix.auth import DEFAULT_PASSWORD_RESET_TOKEN_EXPIRY_MINUTES
+
+    minutes = _float_val(
+        ENV_PHOENIX_PASSWORD_RESET_TOKEN_EXPIRY_MINUTES,
+        DEFAULT_PASSWORD_RESET_TOKEN_EXPIRY_MINUTES,
+    )
+    assert minutes > 0
+    return timedelta(minutes=minutes)
+
+
+def get_env_access_token_expiry() -> timedelta:
+    """
+    Gets the access token expiry.
+    """
+    from phoenix.auth import DEFAULT_ACCESS_TOKEN_EXPIRY_MINUTES
+
+    minutes = _float_val(
+        ENV_PHOENIX_ACCESS_TOKEN_EXPIRY_MINUTES,
+        DEFAULT_ACCESS_TOKEN_EXPIRY_MINUTES,
+    )
+    assert minutes > 0
+    return timedelta(minutes=minutes)
+
+
+def get_env_refresh_token_expiry() -> timedelta:
+    """
+    Gets the refresh token expiry.
+    """
+    from phoenix.auth import DEFAULT_REFRESH_TOKEN_EXPIRY_MINUTES
+
+    minutes = _float_val(
+        ENV_PHOENIX_REFRESH_TOKEN_EXPIRY_MINUTES,
+        DEFAULT_REFRESH_TOKEN_EXPIRY_MINUTES,
+    )
+    assert minutes > 0
+    return timedelta(minutes=minutes)
+
+
+def get_env_smtp_username() -> str:
+    return os.getenv(ENV_PHOENIX_SMTP_USERNAME) or ""
+
+
+def get_env_smtp_password() -> str:
+    return os.getenv(ENV_PHOENIX_SMTP_PASSWORD) or ""
+
+
+def get_env_smtp_mail_from() -> str:
+    return os.getenv(ENV_PHOENIX_SMTP_MAIL_FROM) or "noreply@arize.com"
+
+
+def get_env_smtp_hostname() -> str:
+    return os.getenv(ENV_PHOENIX_SMTP_HOSTNAME) or ""
+
+
+def get_env_smtp_port() -> int:
+    port = _int_val(ENV_PHOENIX_SMTP_PORT, 587)
+    assert 0 < port <= 65_535
+    return port
+
+
+def get_env_smtp_validate_certs() -> bool:
+    return _bool_val(ENV_PHOENIX_SMTP_VALIDATE_CERTS, True)
+
+
+@dataclass(frozen=True)
+class OAuth2ClientConfig:
+    idp_name: str
+    idp_display_name: str
+    client_id: str
+    client_secret: str
+    oidc_config_url: str
+
+    @classmethod
+    def from_env(cls, idp_name: str) -> "OAuth2ClientConfig":
+        idp_name_upper = idp_name.upper()
+        if not (
+            client_id := os.getenv(
+                client_id_env_var := f"PHOENIX_OAUTH2_{idp_name_upper}_CLIENT_ID"
+            )
+        ):
+            raise ValueError(
+                f"A client id must be set for the {idp_name} OAuth2 IDP "
+                f"via the {client_id_env_var} environment variable"
+            )
+        if not (
+            client_secret := os.getenv(
+                client_secret_env_var := f"PHOENIX_OAUTH2_{idp_name_upper}_CLIENT_SECRET"
+            )
+        ):
+            raise ValueError(
+                f"A client secret must be set for the {idp_name} OAuth2 IDP "
+                f"via the {client_secret_env_var} environment variable"
+            )
+        if not (
+            oidc_config_url := (
+                os.getenv(
+                    oidc_config_url_env_var := f"PHOENIX_OAUTH2_{idp_name_upper}_OIDC_CONFIG_URL",
+                )
+            )
+        ):
+            raise ValueError(
+                f"An OpenID Connect configuration URL must be set for the {idp_name} OAuth2 IDP "
+                f"via the {oidc_config_url_env_var} environment variable"
+            )
+        if urlparse(oidc_config_url).scheme != "https":
+            raise ValueError(
+                f"Server metadata URL for {idp_name} OAuth2 IDP "
+                "must be a valid URL using the https protocol"
+            )
+        return cls(
+            idp_name=idp_name,
+            idp_display_name=os.getenv(
+                f"PHOENIX_OAUTH2_{idp_name_upper}_DISPLAY_NAME",
+                _get_default_idp_display_name(idp_name),
+            ),
+            client_id=client_id,
+            client_secret=client_secret,
+            oidc_config_url=oidc_config_url,
+        )
+
+
+def get_env_oauth2_settings() -> List[OAuth2ClientConfig]:
+    """
+    Get OAuth2 settings from environment variables.
+    """
+
+    idp_names = set()
+    pattern = re.compile(
+        r"^PHOENIX_OAUTH2_(\w+)_(DISPLAY_NAME|CLIENT_ID|CLIENT_SECRET|OIDC_CONFIG_URL)$"
+    )
+    for env_var in os.environ:
+        if (match := pattern.match(env_var)) is not None and (idp_name := match.group(1).lower()):
+            idp_names.add(idp_name)
+    return [OAuth2ClientConfig.from_env(idp_name) for idp_name in sorted(idp_names)]
+
+
 PHOENIX_DIR = Path(__file__).resolve().parent
 # Server config
 SERVER_DIR = PHOENIX_DIR / "server"
@@ -205,8 +442,6 @@ EXPORT_DIR = ROOT_DIR / "exports"
 INFERENCES_DIR = ROOT_DIR / "inferences"
 TRACE_DATASETS_DIR = ROOT_DIR / "trace_datasets"
 
-ENABLE_AUTH, PHOENIX_SECRET = get_auth_settings()
-
 
 def ensure_working_dir() -> None:
     """
@@ -421,5 +656,22 @@ def get_env_log_migrations() -> bool:
         )
 
 
+class OAuth2Idp(Enum):
+    AWS_COGNITO = "aws_cognito"
+    GOOGLE = "google"
+    MICROSOFT_ENTRA_ID = "microsoft_entra_id"
+
+
+def _get_default_idp_display_name(idp_name: str) -> str:
+    """
+    Get the default display name for an OAuth2 IDP.
+    """
+    if idp_name == OAuth2Idp.AWS_COGNITO.value:
+        return "AWS Cognito"
+    if idp_name == OAuth2Idp.MICROSOFT_ENTRA_ID.value:
+        return "Microsoft Entra ID"
+    return idp_name.replace("_", " ").title()
+
+
 DEFAULT_PROJECT_NAME = "default"
 _KUBERNETES_PHOENIX_PORT_PATTERN = re.compile(r"^tcp://\d{1,3}[.]\d{1,3}[.]\d{1,3}[.]\d{1,3}:\d+$")