arize-phoenix 9.6.1__py3-none-any.whl → 10.0.1__py3-none-any.whl

phoenix/server/api/routers/oauth2.py

@@ -15,7 +15,7 @@ from sqlalchemy.exc import IntegrityError as PostgreSQLIntegrityError
 from sqlalchemy.ext.asyncio import AsyncSession
 from sqlalchemy.orm import joinedload
 from sqlean.dbapi2 import IntegrityError as SQLiteIntegrityError  # type: ignore[import-untyped]
-from starlette.datastructures import URL, URLPath
+from starlette.datastructures import URL, Secret, URLPath
 from starlette.responses import RedirectResponse
 from starlette.routing import Router
 from starlette.status import HTTP_302_FOUND
@@ -32,7 +32,10 @@ from phoenix.auth import (
     set_oauth2_state_cookie,
     set_refresh_token_cookie,
 )
-from phoenix.config import get_env_disable_rate_limit
+from phoenix.config import (
+    get_env_disable_basic_auth,
+    get_env_disable_rate_limit,
+)
 from phoenix.db import models
 from phoenix.db.enums import UserRole
 from phoenix.server.bearer_auth import create_access_and_refresh_tokens
@@ -77,6 +80,7 @@ else:
     create_tokens_dependencies = []
 
 
+@router.get("/{idp_name}/login", dependencies=login_dependencies)
 @router.post("/{idp_name}/login", dependencies=login_dependencies)
 async def login(
     request: Request,
@@ -169,12 +173,13 @@ async def create_tokens(
     user_info = _parse_user_info(user_info)
     try:
         async with request.app.state.db() as session:
-            user = await _ensure_user_exists_and_is_up_to_date(
+            user = await _process_oauth2_user(
                 session,
                 oauth2_client_id=str(oauth2_client.client_id),
                 user_info=user_info,
+                allow_sign_up=oauth2_client.allow_sign_up,
             )
-    except EmailAlreadyInUse as error:
+    except (EmailAlreadyInUse, SignInNotAllowed) as error:
         return _redirect_to_login(request=request, error=str(error))
     access_token, refresh_token = await create_access_and_refresh_tokens(
         user=user,
@@ -198,12 +203,24 @@ async def create_tokens(
     return response
 
 
-@dataclass
+@dataclass(frozen=True)
 class UserInfo:
     idp_user_id: str
     email: str
-    username: Optional[str]
-    profile_picture_url: Optional[str]
+    username: Optional[str] = None
+    profile_picture_url: Optional[str] = None
+
+    def __post_init__(self) -> None:
+        if not (idp_user_id := (self.idp_user_id or "").strip()):
+            raise ValueError("idp_user_id cannot be empty")
+        object.__setattr__(self, "idp_user_id", idp_user_id)
+        if not (email := (self.email or "").strip()):
+            raise ValueError("email cannot be empty")
+        object.__setattr__(self, "email", email)
+        if username := (self.username or "").strip():
+            object.__setattr__(self, "username", username)
+        if profile_picture_url := (self.profile_picture_url or "").strip():
+            object.__setattr__(self, "profile_picture_url", profile_picture_url)
 
 
 def _validate_token_data(token_data: dict[str, Any]) -> None:
@@ -235,9 +252,157 @@ def _parse_user_info(user_info: dict[str, Any]) -> UserInfo:
     )
 
 
-async def _ensure_user_exists_and_is_up_to_date(
-    session: AsyncSession, /, *, oauth2_client_id: str, user_info: UserInfo
+async def _process_oauth2_user(
+    session: AsyncSession,
+    /,
+    *,
+    oauth2_client_id: str,
+    user_info: UserInfo,
+    allow_sign_up: bool,
+) -> models.User:
+    """
+    Processes an OAuth2 user, either signing in an existing user or creating/updating one.
+
+    This function handles two main scenarios based on the allow_sign_up parameter:
+    1. When sign-up is not allowed (allow_sign_up=False):
+       - Checks if the user exists and can sign in with the given OAuth2 credentials
+       - Updates placeholder OAuth2 credentials if needed (e.g., temporary IDs)
+       - If the user doesn't exist or has a password set, raises SignInNotAllowed
+    2. When sign-up is allowed (allow_sign_up=True):
+       - Finds the user by OAuth2 credentials (client_id and user_id)
+       - Creates a new user if one doesn't exist, with default member role
+       - Updates the user's email if it has changed
+       - Handles username conflicts by adding a random suffix if needed
+
+    The allow_sign_up parameter is typically controlled by the PHOENIX_OAUTH2_{IDP_NAME}_ALLOW_SIGN_UP
+    environment variable for the specific identity provider.
+
+    Args:
+        session: The database session
+        oauth2_client_id: The ID of the OAuth2 client
+        user_info: User information from the OAuth2 provider
+        allow_sign_up: Whether to allow creating new users
+
+    Returns:
+        The user object
+
+    Raises:
+        SignInNotAllowed: When sign-in is not allowed for the user (user doesn't exist or has a password)
+        EmailAlreadyInUse: When the email is already in use by another account
+    """  # noqa: E501
+    if not allow_sign_up:
+        return await _get_existing_oauth2_user(
+            session,
+            oauth2_client_id=oauth2_client_id,
+            user_info=user_info,
+        )
+    return await _create_or_update_user(
+        session,
+        oauth2_client_id=oauth2_client_id,
+        user_info=user_info,
+    )
+
+
+async def _get_existing_oauth2_user(
+    session: AsyncSession,
+    /,
+    *,
+    oauth2_client_id: str,
+    user_info: UserInfo,
 ) -> models.User:
+    """Signs in an existing user with OAuth2 credentials.
+
+    This function handles OAuth2 authentication for existing users. It follows a two-step process:
+
+    1. First Attempt: Find user by OAuth2 credentials
+       - Searches for a user with matching oauth2_client_id and oauth2_user_id
+       - If found, updates email if it has changed from IDP info
+       - If not found, proceeds to step 2
+
+    2. Second Attempt: Find user by email
+       - Searches for a user with matching email
+       - Verifies the user is an OAuth2 user (no password set)
+       - Handles OAuth2 credential updates in three cases:
+         a) Different OAuth2 client: Updates both client and user IDs
+         b) Same client but missing user ID: Sets the user ID
+         c) Same client but different user ID: Rejects sign-in
+
+    Profile Updates:
+    - Email: Updated if different from IDP info
+    - Profile Picture: Updated if provided in user_info
+    - Username: Never updated (remains unchanged)
+    - OAuth2 Credentials: Updated based on the three cases above
+
+    Args:
+        session: The database session
+        oauth2_client_id: The ID of the OAuth2 client
+        user_info: User information from the OAuth2 provider
+
+    Returns:
+        The signed-in user
+
+    Raises:
+        ValueError: If required fields (email, oauth2_user_id, oauth2_client_id) are empty
+        SignInNotAllowed: When sign-in is not allowed because:
+            - User doesn't exist
+            - User has a password set
+            - User has mismatched OAuth2 credentials
+    """  # noqa: E501
+    if not (email := (user_info.email or "").strip()):
+        raise ValueError("Email is required.")
+    if not (oauth2_user_id := (user_info.idp_user_id or "").strip()):
+        raise ValueError("OAuth2 user ID is required.")
+    if not (oauth2_client_id := (oauth2_client_id or "").strip()):
+        raise ValueError("OAuth2 client ID is required.")
+    profile_picture_url = (user_info.profile_picture_url or "").strip()
+    stmt = select(models.User).options(joinedload(models.User.role))
+    if user := await session.scalar(
+        stmt.filter_by(oauth2_client_id=oauth2_client_id, oauth2_user_id=oauth2_user_id)
+    ):
+        if email and email != user.email:
+            user.email = email
+    else:
+        user = await session.scalar(stmt.filter_by(email=email))
+        if user is None or not isinstance(user, models.OAuth2User):
+            raise SignInNotAllowed("Sign in is not allowed.")
+        # Case 1: Different OAuth2 client - update both client and user IDs
+        if oauth2_client_id != user.oauth2_client_id:
+            user.oauth2_client_id = oauth2_client_id
+            user.oauth2_user_id = oauth2_user_id
+        # Case 2: Same client but missing user ID - set the user ID
+        elif not user.oauth2_user_id:
+            user.oauth2_user_id = oauth2_user_id
+        # Case 3: Same client but different user ID - reject sign-in
+        elif oauth2_user_id != user.oauth2_user_id:
+            raise SignInNotAllowed("Sign in is not allowed.")
+    if profile_picture_url != user.profile_picture_url:
+        user.profile_picture_url = profile_picture_url
+    if user in session.dirty:
+        await session.flush()
+    return user
+
+
+async def _create_or_update_user(
+    session: AsyncSession,
+    /,
+    *,
+    oauth2_client_id: str,
+    user_info: UserInfo,
+) -> models.User:
+    """
+    Creates a new user or updates an existing one with OAuth2 credentials.
+
+    Args:
+        session: The database session
+        oauth2_client_id: The ID of the OAuth2 client
+        user_info: User information from the OAuth2 provider
+
+    Returns:
+        The created or updated user
+
+    Raises:
+        EmailAlreadyInUse: When the email is already in use by another account
+    """
     user = await _get_user(
         session,
         oauth2_client_id=oauth2_client_id,
@@ -251,7 +416,11 @@ async def _ensure_user_exists_and_is_up_to_date(
 
 
 async def _get_user(
-    session: AsyncSession, /, *, oauth2_client_id: str, idp_user_id: str
+    session: AsyncSession,
+    /,
+    *,
+    oauth2_client_id: str,
+    idp_user_id: str,
 ) -> Optional[models.User]:
     """
     Retrieves the user uniquely identified by the given OAuth2 client ID and IDP
@@ -303,6 +472,7 @@ async def _create_user(
             email=email,
             profile_picture_url=user_info.profile_picture_url,
             reset_password=False,
+            auth_method="OAUTH2",
         )
     )
     assert isinstance(user_id, int)
@@ -366,11 +536,22 @@ class EmailAlreadyInUse(Exception):
     pass
 
 
+class SignInNotAllowed(Exception):
+    pass
+
+
+class NotInvited(Exception):
+    pass
+
+
 def _redirect_to_login(*, request: Request, error: str) -> RedirectResponse:
     """
     Creates a RedirectResponse to the login page to display an error message.
     """
-    login_path = _prepend_root_path_if_exists(request=request, path="/login")
+    # TODO: this needs some cleanup
+    login_path = _prepend_root_path_if_exists(
+        request=request, path="/login" if not get_env_disable_basic_auth() else "/logout"
+    )
     url = URL(login_path).include_query_params(error=error)
     response = RedirectResponse(url=url)
     response = delete_oauth2_state_cookie(response)
@@ -416,7 +597,7 @@ def _get_create_tokens_endpoint(*, request: Request, origin_url: str, idp_name:
 
 
 def _generate_state_for_oauth2_authorization_code_flow(
-    *, secret: str, origin_url: str, return_url: Optional[str]
+    *, secret: Secret, origin_url: str, return_url: Optional[str]
 ) -> str:
     """
     Generates a JWT whose payload contains both an OAuth2 state (generated using
@@ -432,7 +613,7 @@ def _generate_state_for_oauth2_authorization_code_flow(
     )
     if return_url is not None:
         payload["return_url"] = return_url
-    jwt_bytes: bytes = jwt.encode(header=header, payload=payload, key=secret)
+    jwt_bytes: bytes = jwt.encode(header=header, payload=payload, key=str(secret))
     return jwt_bytes.decode()
 
 
@@ -446,11 +627,11 @@ class _OAuth2StatePayload(TypedDict):
     return_url: NotRequired[str]
 
 
-def _parse_state_payload(*, secret: str, state: str) -> _OAuth2StatePayload:
+def _parse_state_payload(*, secret: Secret, state: str) -> _OAuth2StatePayload:
     """
     Validates the JWT signature and parses the return URL from the OAuth2 state.
     """
-    payload = jwt.decode(s=state, key=secret)
+    payload = jwt.decode(s=state, key=str(secret))
     if _is_oauth2_state_payload(payload):
         return payload
     raise ValueError("Invalid OAuth2 state payload.")

phoenix/server/app.py

@@ -29,13 +29,14 @@ from fastapi.utils import is_body_allowed_for_status_code
 from grpc.aio import ServerInterceptor
 from sqlalchemy import select
 from sqlalchemy.ext.asyncio import AsyncEngine, AsyncSession, async_sessionmaker
+from starlette.datastructures import URL, Secret
 from starlette.datastructures import State as StarletteState
 from starlette.exceptions import HTTPException
 from starlette.middleware import Middleware
 from starlette.middleware.authentication import AuthenticationMiddleware
 from starlette.middleware.base import BaseHTTPMiddleware, RequestResponseEndpoint
 from starlette.requests import Request
-from starlette.responses import JSONResponse, PlainTextResponse, Response
+from starlette.responses import JSONResponse, PlainTextResponse, RedirectResponse, Response
 from starlette.staticfiles import StaticFiles
 from starlette.status import HTTP_401_UNAUTHORIZED
 from starlette.templating import Jinja2Templates
@@ -56,6 +57,7 @@ from phoenix.config import (
     get_env_gql_extension_paths,
     get_env_grpc_interceptor_paths,
     get_env_host,
+    get_env_host_root_path,
     get_env_port,
     server_instrumentation_is_enabled,
     verify_server_environment_variables,
@@ -210,6 +212,8 @@ class AppConfig(NamedTuple):
     authentication_enabled: bool
     """ Whether authentication is enabled """
     oauth2_idps: Sequence[OAuth2Idp]
+    basic_auth_disabled: bool = False
+    auto_login_idp_name: Optional[str] = None
 
 
 class Static(StaticFiles):
@@ -235,15 +239,29 @@ class Static(StaticFiles):
         return basename[:-1] if basename.endswith("/") else basename
 
     async def get_response(self, path: str, scope: Scope) -> Response:
-        response = None
+        # Redirect to the oauth2 login page if basic auth is disabled and auto_login is enabled
+        # TODO: this needs to be refactored to be cleaner
+        if (
+            path == "login"
+            and self._app_config.basic_auth_disabled
+            and self._app_config.auto_login_idp_name
+        ):
+            request = Request(scope)
+            url = URL(
+                str(
+                    Path(get_env_host_root_path())
+                    / f"oauth2/{self._app_config.auto_login_idp_name}/login"
+                )
+            )
+            url = url.include_query_params(**request.query_params)
+            return RedirectResponse(url=url)
         try:
             response = await super().get_response(path, scope)
         except HTTPException as e:
             if e.status_code != 404:
                 raise e
-            # Fallback to to the index.html
+            # Fallback to the index.html
             request = Request(scope)
-
             response = templates.TemplateResponse(
                 "index.html",
                 context={
@@ -259,6 +277,8 @@ class Static(StaticFiles):
                     "manifest": self._web_manifest,
                     "authentication_enabled": self._app_config.authentication_enabled,
                     "oauth2_idps": self._app_config.oauth2_idps,
+                    "basic_auth_disabled": self._app_config.basic_auth_disabled,
+                    "auto_login_idp_name": self._app_config.auto_login_idp_name,
                 },
             )
         except Exception as e:
@@ -564,7 +584,7 @@ def create_graphql_router(
     cache_for_dataloaders: Optional[CacheForDataLoaders] = None,
     event_queue: CanPutItem[DmlEvent],
     read_only: bool = False,
-    secret: Optional[str] = None,
+    secret: Optional[Secret] = None,
     token_store: Optional[TokenStore] = None,
     email_sender: Optional[EmailSender] = None,
 ) -> GraphQLRouter[Context, None]:
@@ -581,7 +601,7 @@ def create_graphql_router(
         corpus (Optional[Model], optional): the corpus for UMAP projection. Defaults to None.
         cache_for_dataloaders (Optional[CacheForDataLoaders], optional): GraphQL data loaders.
         read_only (bool, optional): Marks the app as read-only. Defaults to False.
-        secret (Optional[str], optional): The application secret for auth. Defaults to None.
+        secret (Optional[Secret], optional): The application secret for auth. Defaults to None.
         token_store (Optional[TokenStore], optional): The token store for auth. Defaults to None.
         email_sender (Optional[EmailSender], optional): The email sender. Defaults to None.
 
@@ -762,13 +782,14 @@ def create_app(
     serve_ui: bool = True,
     startup_callbacks: Iterable[_Callback] = (),
     shutdown_callbacks: Iterable[_Callback] = (),
-    secret: Optional[str] = None,
+    secret: Optional[Secret] = None,
     password_reset_token_expiry: Optional[timedelta] = None,
     access_token_expiry: Optional[timedelta] = None,
     refresh_token_expiry: Optional[timedelta] = None,
     scaffolder_config: Optional[ScaffolderConfig] = None,
     email_sender: Optional[EmailSender] = None,
     oauth2_client_configs: Optional[list[OAuth2ClientConfig]] = None,
+    basic_auth_disabled: bool = False,
     bulk_inserter_factory: Optional[Callable[..., BulkInserter]] = None,
     allowed_origins: Optional[list[str]] = None,
 ) -> FastAPI:
@@ -924,6 +945,9 @@ def create_app(
             OAuth2Idp(name=config.idp_name, displayName=config.idp_display_name)
             for config in oauth2_client_configs or []
         ]
+        auto_login_idp_name = next(
+            (config.idp_name for config in (oauth2_client_configs or []) if config.auto_login), None
+        )
         app.mount(
             "/",
             app=Static(
@@ -938,6 +962,8 @@ def create_app(
                     authentication_enabled=authentication_enabled,
                     web_manifest_path=web_manifest_path,
                     oauth2_idps=oauth2_idps,
+                    basic_auth_disabled=basic_auth_disabled,
+                    auto_login_idp_name=auto_login_idp_name,
                 ),
             ),
             name="static",
@@ -970,16 +996,16 @@ def create_app(
     return app
 
 
-def _add_get_secret_method(*, app: FastAPI, secret: Optional[str]) -> FastAPI:
+def _add_get_secret_method(*, app: FastAPI, secret: Optional[Secret]) -> FastAPI:
     """
     Dynamically adds a `get_secret` method to the app's `state`.
     """
     app.state._secret = secret
 
-    def get_secret(self: StarletteState) -> str:
+    def get_secret(self: StarletteState) -> Secret:
         if (secret := self._secret) is None:
             raise ValueError("app secret is not set")
-        assert isinstance(secret, str)
+        assert isinstance(secret, Secret)
         return secret
 
     app.state.get_secret = MethodType(get_secret, app.state)

phoenix/server/bearer_auth.py

@@ -20,9 +20,7 @@ from phoenix.auth import (
     Token,
 )
 from phoenix.config import get_env_phoenix_admin_secret
-from phoenix.db import enums
-from phoenix.db.enums import UserRole
-from phoenix.db.models import User as OrmUser
+from phoenix.db import enums, models
 from phoenix.server.types import (
     AccessToken,
     AccessTokenAttributes,
@@ -54,7 +52,7 @@ class BearerTokenAuthBackend(HasTokenStore, AuthenticationBackend):
                 return None
             if (
                 (admin_secret := get_env_phoenix_admin_secret())
-                and token == admin_secret
+                and token == str(admin_secret)
                 and config.SYSTEM_USER_ID is not None
             ):
                 return AuthCredentials(), PhoenixSystemUser(UserId(config.SYSTEM_USER_ID))
@@ -117,7 +115,7 @@ class ApiKeyInterceptor(HasTokenStore, AsyncServerInterceptor):
                     break
                 if (
                     (admin_secret := get_env_phoenix_admin_secret())
-                    and token == admin_secret
+                    and token == str(admin_secret)
                     and config.SYSTEM_USER_ID is not None
                 ):
                     return await method(request_or_iterator, context)
@@ -159,13 +157,13 @@ async def is_authenticated(
 async def create_access_and_refresh_tokens(
     *,
     token_store: TokenStore,
-    user: OrmUser,
+    user: models.User,
     access_token_expiry: timedelta,
     refresh_token_expiry: timedelta,
 ) -> tuple[AccessToken, RefreshToken]:
     issued_at = datetime.now(timezone.utc)
     user_id = UserId(user.id)
-    user_role = UserRole(user.role.name)
+    user_role = enums.UserRole(user.role.name)
     refresh_token_claims = RefreshTokenClaims(
         subject=user_id,
         issued_at=issued_at,

phoenix/server/jwt_store.py

@@ -11,6 +11,7 @@ from typing import Any, Generic, Optional, TypeVar
 from authlib.jose import jwt
 from authlib.jose.errors import JoseError
 from sqlalchemy import Select, delete, select
+from starlette.datastructures import Secret
 
 from phoenix.auth import (
     JWT_ALGORITHM,
@@ -50,7 +51,7 @@ class JwtStore:
     def __init__(
         self,
         db: DbSessionFactory,
-        secret: str,
+        secret: Secret,
         algorithm: str = JWT_ALGORITHM,
         sleep_seconds: int = 10,
         **kwargs: Any,
@@ -79,7 +80,7 @@ class JwtStore:
         try:
             payload = jwt.decode(
                 s=token,
-                key=self._secret,
+                key=str(self._secret),
             )
         except JoseError:
             return None
@@ -231,7 +232,7 @@ class _Store(DaemonTask, Generic[_ClaimSetT, _TokenT, _TokenIdT, _RecordT], ABC)
     def __init__(
         self,
         db: DbSessionFactory,
-        secret: str,
+        secret: Secret,
         algorithm: str = JWT_ALGORITHM,
         sleep_seconds: int = 10,
         **kwargs: Any,
@@ -247,7 +248,7 @@ class _Store(DaemonTask, Generic[_ClaimSetT, _TokenT, _TokenIdT, _RecordT], ABC)
     def _encode(self, claim: ClaimSet) -> str:
         payload: dict[str, Any] = dict(jti=claim.token_id)
         header = {"alg": self._algorithm}
-        jwt_bytes: bytes = jwt.encode(header=header, payload=payload, key=self._secret)
+        jwt_bytes: bytes = jwt.encode(header=header, payload=payload, key=str(self._secret))
         return jwt_bytes.decode()
 
     async def get(self, token_id: _TokenIdT) -> Optional[_ClaimSetT]:

phoenix/server/main.py

@@ -102,7 +102,11 @@ _WELCOME_MESSAGE = Environment(loader=BaseLoader()).from_string("""
 |
 |  🚀 Phoenix Server 🚀
 |  Phoenix UI: {{ ui_path }}
+|
 |  Authentication: {{ auth_enabled }}
+{%- if basic_auth_disabled %}
+|  Basic Auth: Disabled
+{%- endif %}
 {%- if auth_enabled_for_http or auth_enabled_for_grpc %}
 {%- if tls_enabled_for_http %}
 |  TLS: Enabled for HTTP
@@ -332,7 +336,7 @@ def main() -> None:
         reference_inferences,
     )
 
-    authentication_enabled, secret = get_env_auth_settings()
+    auth_settings = get_env_auth_settings()
 
     fixture_spans: list[Span] = []
     fixture_evals: list[pb.Evaluation] = []
@@ -390,12 +394,14 @@ def main() -> None:
         http_path=urljoin(root_path, "v1/traces"),
         storage=get_printable_db_url(db_connection_str),
         schema=get_env_database_schema(),
-        auth_enabled=authentication_enabled,
+        auth_enabled=auth_settings.enable_auth,
+        disable_basic_auth=auth_settings.disable_basic_auth,
         tls_enabled_for_http=tls_enabled_for_http,
         tls_enabled_for_grpc=tls_enabled_for_grpc,
         tls_verify_client=tls_verify_client,
         allowed_origins=allowed_origins,
     )
+
     if sys.platform.startswith("win"):
         msg = codecs.encode(msg, "ascii", errors="ignore").decode("ascii").strip()
     scaffolder_config = ScaffolderConfig(
@@ -424,7 +430,8 @@ def main() -> None:
         db=factory,
         export_path=export_path,
         model=model,
-        authentication_enabled=authentication_enabled,
+        authentication_enabled=auth_settings.enable_auth,
+        basic_auth_disabled=auth_settings.disable_basic_auth,
         umap_params=umap_params,
         corpus=corpus_model,
         debug=args.debug,
@@ -436,7 +443,7 @@ def main() -> None:
         initial_evaluations=fixture_evals,
         startup_callbacks=[lambda: print(msg)],
         shutdown_callbacks=instrumentation_cleanups,
-        secret=secret,
+        secret=auth_settings.phoenix_secret,
         password_reset_token_expiry=get_env_password_reset_token_expiry(),
         access_token_expiry=get_env_access_token_expiry(),
         refresh_token_expiry=get_env_refresh_token_expiry(),

phoenix/server/oauth2.py

@@ -1,5 +1,5 @@
 from collections.abc import Iterable
-from typing import Any
+from typing import Any, Iterator, Optional
 
 from authlib.integrations.base_client import BaseApp
 from authlib.integrations.base_client.async_app import AsyncOAuth2Mixin
@@ -19,24 +19,68 @@ class OAuth2Client(AsyncOAuth2Mixin, AsyncOpenIDMixin, BaseApp):  # type:ignore[
 
     client_cls = AsyncHttpxOAuth2Client
 
-    def __init__(self, *args: Any, **kwargs: Any) -> None:
+    def __init__(
+        self,
+        *args: Any,
+        display_name: str,
+        allow_sign_up: bool,
+        auto_login: bool,
+        **kwargs: Any,
+    ) -> None:
+        self._display_name = display_name
+        self._allow_sign_up = allow_sign_up
+        self._auto_login = auto_login
         super().__init__(framework=None, *args, **kwargs)
+        self._allow_sign_up = allow_sign_up
+
+    @property
+    def allow_sign_up(self) -> bool:
+        return self._allow_sign_up
+
+    @property
+    def auto_login(self) -> bool:
+        return self._auto_login
+
+    @property
+    def display_name(self) -> str:
+        return self._display_name
 
 
 class OAuth2Clients:
     def __init__(self) -> None:
         self._clients: dict[str, OAuth2Client] = {}
+        self._auto_login_client: Optional[OAuth2Client] = None
+
+    def __bool__(self) -> bool:
+        return bool(self._clients)
+
+    def __len__(self) -> int:
+        return len(self._clients)
+
+    def __iter__(self) -> Iterator[OAuth2Client]:
+        return iter(self._clients.values())
+
+    @property
+    def auto_login_client(self) -> Optional[OAuth2Client]:
+        return self._auto_login_client
 
     def add_client(self, config: OAuth2ClientConfig) -> None:
         if (idp_name := config.idp_name) in self._clients:
             raise ValueError(f"oauth client already registered: {idp_name}")
         client = OAuth2Client(
+            name=config.idp_name,
             client_id=config.client_id,
             client_secret=config.client_secret,
             server_metadata_url=config.oidc_config_url,
             client_kwargs={"scope": "openid email profile"},
+            display_name=config.idp_display_name,
+            allow_sign_up=config.allow_sign_up,
+            auto_login=config.auto_login,
         )
-        assert isinstance(client, OAuth2Client)
+        if config.auto_login:
+            if self._auto_login_client:
+                raise ValueError("only one auto-login client is allowed")
+            self._auto_login_client = client
         self._clients[config.idp_name] = client
 
     def get_client(self, idp_name: str) -> OAuth2Client: