dara-core 1.23.0a1__py3-none-any.whl → 1.23.1__py3-none-any.whl

dara/core/_assets/auto_js/dara.core.umd.cjs

@@ -27789,8 +27789,10 @@
 `;
   styled.div`
     display: flex;
+    align-items: center;
     gap: 0.5rem;
     width: 100%;
+    line-height: 1;
 `;
   styled.div`
     color: ${(props) => props.theme.colors.grey3};

dara/core/auth/definitions.py

@@ -18,6 +18,7 @@ limitations under the License.
 from contextvars import ContextVar
 from datetime import datetime
 
+from pydantic import ConfigDict
 from typing_extensions import TypedDict
 
 from dara.core.base_definitions import DaraBaseModel as BaseModel
@@ -60,6 +61,9 @@ class UserData(BaseModel):
     identity_email: str | None = None
     groups: list[str] | None = []
 
+    # allow extra for more flexibility in custom oidc configs
+    model_config = ConfigDict(extra='allow')
+
     @classmethod
     def from_token_data(cls, token_data: TokenData):
         return cls(

dara/core/auth/oidc/config.py

@@ -65,6 +65,7 @@ class OIDCAuthConfig(BaseAuthConfig):
     - SSO_EXTRA_AUDIENCE - if set, extra audiences to verify against the ID token in addition to `sso_client_id`
     - SSO_SCOPES - space-separated list of scopes to request from the identity provider, defaults to `openid`
     - SSO_JWT_ALGO - algorithm to use for verifying IDP-provided JWTs, defaults to `ES256`
+    - SSO_USE_USERINFO - if set to `true`, fetch additional claims from the userinfo endpoint when an access token is available
     """
 
     # NOTE: the config follows OIDC specification, but makes a few concessions
@@ -209,29 +210,84 @@ class OIDCAuthConfig(BaseAuthConfig):
         state = self.generate_state(redirect_to=body.redirect_to)
         return RedirectResponse(redirect_uri=self.get_authorization_url(state))
 
-    def extract_user_data_from_id_token(self, claims: IdTokenClaims) -> UserData:
+    async def fetch_userinfo(self, access_token: str) -> dict | None:
         """
-        Extract user data from ID token claims.
+        Fetch user information from the OIDC userinfo endpoint.
+
+        Per OpenID Connect Core 1.0 Section 5.3, the userinfo endpoint returns claims
+        about the authenticated user. This is useful when the ID token doesn't contain
+        all required claims.
+
+        :param access_token: The access token to authenticate the request
+        :return: Dictionary of userinfo claims, or None if the request fails
+        """
+        userinfo_endpoint = self.discovery.userinfo_endpoint
+        if not userinfo_endpoint:
+            dev_logger.warning('Userinfo endpoint not available in OIDC discovery')
+            return None
+
+        try:
+            response = await self.client.get(
+                userinfo_endpoint,
+                headers={'Authorization': f'Bearer {access_token}'},
+                timeout=10,
+            )
+            response.raise_for_status()
+            return response.json()
+        except httpx.HTTPStatusError as e:
+            dev_logger.warning(
+                f'Failed to fetch userinfo: HTTP {e.response.status_code}',
+            )
+            return None
+        except httpx.RequestError as e:
+            dev_logger.warning(f'Failed to fetch userinfo: {e}')
+            return None
+
+    def extract_user_data(self, claims: IdTokenClaims, userinfo: dict | None = None) -> UserData:
+        """
+        Extract user data from ID token claims and optional userinfo response.
 
         Override this method in subclasses to handle provider-specific claim structures.
         The default implementation uses standard OIDC claims, with support for the
-        non-standard 'identity' claim.
+        non-standard 'identity' claim. When userinfo is provided and SSO_USE_USERINFO
+        is enabled, userinfo claims take precedence over ID token claims.
 
         :param claims: Decoded ID token claims
+        :param userinfo: Optional userinfo response from the userinfo endpoint
         :return: UserData extracted from the claims
         """
-        # Check for non-standard 'identity' claim (Causalens IDP)
-        # This is a nested object with id, name, email fields
-        identity_claim = getattr(claims, 'identity', None)
-        if isinstance(identity_claim, dict):
-            identity_id = identity_claim.get('id') or claims.sub
-            identity_name = identity_claim.get('name')
-            identity_email = identity_claim.get('email') or claims.email
+        oidc_settings = get_oidc_settings()
+
+        # When userinfo is provided and use_userinfo is enabled, prefer userinfo claims
+        if userinfo and oidc_settings.use_userinfo:
+            # userinfo 'sub' must match id_token 'sub' per OIDC spec
+            identity_id = userinfo.get('sub') or claims.sub
+            identity_email = userinfo.get('email') or claims.email
+            identity_name = (
+                userinfo.get('name')
+                or userinfo.get('preferred_username')
+                or userinfo.get('nickname')
+                or (
+                    f'{userinfo.get("given_name", "")} {userinfo.get("family_name", "")}'.strip()
+                    if userinfo.get('given_name') or userinfo.get('family_name')
+                    else None
+                )
+            )
+            groups = userinfo.get('groups') or claims.groups
         else:
-            # Standard OIDC: use 'sub' as the identity ID
-            identity_id = claims.sub
-            identity_email = claims.email
-            identity_name = None
+            # Check for non-standard 'identity' claim (Causalens IDP)
+            # This is a nested object with id, name, email fields
+            identity_claim = getattr(claims, 'identity', None)
+            if isinstance(identity_claim, dict):
+                identity_id = identity_claim.get('id') or claims.sub
+                identity_name = identity_claim.get('name')
+                identity_email = identity_claim.get('email') or claims.email
+            else:
+                # Standard OIDC: use 'sub' as the identity ID
+                identity_id = claims.sub
+                identity_email = claims.email
+                identity_name = None
+            groups = claims.groups
 
         # Fall back to standard claims for name if not set
         if not identity_name:
@@ -252,7 +308,7 @@ class OIDCAuthConfig(BaseAuthConfig):
             identity_id=identity_id,
             identity_name=identity_name,
             identity_email=identity_email,
-            groups=claims.groups,
+            groups=groups,
         )
 
     def verify_token(self, token: str) -> TokenData:
@@ -291,7 +347,7 @@ class OIDCAuthConfig(BaseAuthConfig):
         claims = decode_id_token(token)
 
         # Extract user data (can be overridden for provider-specific claim structures)
-        user_data = self.extract_user_data_from_id_token(claims)
+        user_data = self.extract_user_data(claims)
 
         # Verify user has access based on groups
         self.verify_user_access(user_data)
@@ -390,6 +446,8 @@ class OIDCAuthConfig(BaseAuthConfig):
         :return: Tuple of (new_session_token, new_refresh_token)
         :raises HTTPException: If the refresh fails
         """
+        oidc_settings = get_oidc_settings()
+
         # Request new tokens from the IDP
         oidc_tokens = await get_token_from_idp(
             self,
@@ -406,8 +464,13 @@ class OIDCAuthConfig(BaseAuthConfig):
         # Decode and verify the new ID token
         claims = decode_id_token(oidc_tokens.id_token)
 
+        # Fetch userinfo if enabled and we have an access token
+        userinfo = None
+        if oidc_settings.use_userinfo and oidc_tokens.access_token:
+            userinfo = await self.fetch_userinfo(oidc_tokens.access_token)
+
         # Extract user data from claims
-        user_data = self.extract_user_data_from_id_token(claims)
+        user_data = self.extract_user_data(claims, userinfo=userinfo)
 
         # Verify user still has access
         self.verify_user_access(user_data)

dara/core/auth/oidc/routes.py

@@ -100,8 +100,13 @@ async def sso_callback(
         # Decode and verify the ID token
         claims = decode_id_token(oidc_tokens.id_token)
 
+        # Fetch userinfo if enabled and we have an access token
+        userinfo = None
+        if oidc_settings.use_userinfo and oidc_tokens.access_token:
+            userinfo = await auth_config.fetch_userinfo(oidc_tokens.access_token)
+
         # Extract user data from claims (handles both standard OIDC and Causalens identity claim)
-        user_data = auth_config.extract_user_data_from_id_token(claims)
+        user_data = auth_config.extract_user_data(claims, userinfo=userinfo)
 
         # Verify user has access based on groups
         auth_config.verify_user_access(user_data)

dara/core/auth/oidc/settings.py

@@ -24,6 +24,8 @@ class OIDCSettings(BaseSettings):
     verify_audience: bool = False
     extra_audience: list[str] | None = None
     allowed_identity_id: str | None = None
+    use_userinfo: bool = False
+    """If True, fetch additional claims from the userinfo endpoint when an access token is available."""
 
     model_config = SettingsConfigDict(env_file='.env', extra='allow', env_prefix='sso_')
 

{dara_core-1.23.0a1.dist-info → dara_core-1.23.1.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: dara-core
-Version: 1.23.0a1
+Version: 1.23.1
 Summary: Dara Framework Core
 Home-page: https://dara.causalens.com/
 License: Apache-2.0
@@ -21,10 +21,10 @@ Requires-Dist: cachetools (>=5.0.0)
 Requires-Dist: certifi (>=2024.7.4)
 Requires-Dist: click (>=8.1.3,<9.0.0)
 Requires-Dist: colorama (>=0.4.6,<0.5.0)
-Requires-Dist: create-dara-app (==1.23.0-alpha.1)
+Requires-Dist: create-dara-app (==1.23.1)
 Requires-Dist: croniter (>=6.0.0,<7.0.0)
 Requires-Dist: cryptography (>=42.0.4)
-Requires-Dist: dara-components (==1.23.0-alpha.1) ; extra == "all"
+Requires-Dist: dara-components (==1.23.1) ; extra == "all"
 Requires-Dist: exceptiongroup (>=1.1.3,<2.0.0)
 Requires-Dist: fastapi (>=0.115.0,<0.121.0)
 Requires-Dist: fastapi_vite_dara (==0.4.0)
@@ -55,7 +55,7 @@ Description-Content-Type: text/markdown
 
 # Dara Application Framework
 
-<img src="https://github.com/causalens/dara/blob/v1.23.0-alpha.1/img/dara_light.svg?raw=true">
+<img src="https://github.com/causalens/dara/blob/v1.23.1/img/dara_light.svg?raw=true">
 
 ![Master tests](https://github.com/causalens/dara/actions/workflows/tests.yml/badge.svg?branch=master)
 [![License](https://img.shields.io/badge/License-Apache_2.0-blue.svg)](https://www.apache.org/licenses/LICENSE-2.0)
@@ -100,7 +100,7 @@ source .venv/bin/activate
 dara start
 ```
 
-![Dara App](https://github.com/causalens/dara/blob/v1.23.0-alpha.1/img/components_gallery.png?raw=true)
+![Dara App](https://github.com/causalens/dara/blob/v1.23.1/img/components_gallery.png?raw=true)
 
 Note: `pip` installation uses [PEP 660](https://peps.python.org/pep-0660/) `pyproject.toml`-based editable installs which require `pip >= 21.3` and `setuptools >= 64.0.0`. You can upgrade both with:
 
@@ -117,9 +117,9 @@ Explore some of our favorite apps - a great way of getting started and getting t
 
 | Dara App                                                                                                 | Description                                                                                                                                                                                                       |
 | -------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| ![Large Language Model](https://github.com/causalens/dara/blob/v1.23.0-alpha.1/img/llm.png?raw=true)              | Demonstrates how to use incorporate a LLM chat box into your decision app to understand model insights                                                                                                            |
-| ![Plot Interactivity](https://github.com/causalens/dara/blob/v1.23.0-alpha.1/img/plot_interactivity.png?raw=true) | Demonstrates how to enable the user to interact with plots, trigger actions based on clicks, mouse movements and other interactions with `Bokeh` or `Plotly` plots                                                |
-| ![Graph Editor](https://github.com/causalens/dara/blob/v1.23.0-alpha.1/img/graph_viewer.png?raw=true)             | Demonstrates how to use the `CausalGraphViewer` component to display your graphs or networks, customising the displayed information through colors and tooltips, and updating the page based on user interaction. |
+| ![Large Language Model](https://github.com/causalens/dara/blob/v1.23.1/img/llm.png?raw=true)              | Demonstrates how to use incorporate a LLM chat box into your decision app to understand model insights                                                                                                            |
+| ![Plot Interactivity](https://github.com/causalens/dara/blob/v1.23.1/img/plot_interactivity.png?raw=true) | Demonstrates how to enable the user to interact with plots, trigger actions based on clicks, mouse movements and other interactions with `Bokeh` or `Plotly` plots                                                |
+| ![Graph Editor](https://github.com/causalens/dara/blob/v1.23.1/img/graph_viewer.png?raw=true)             | Demonstrates how to use the `CausalGraphViewer` component to display your graphs or networks, customising the displayed information through colors and tooltips, and updating the page based on user interaction. |
 
 Check out our [App Gallery](https://dara.causalens.com/gallery) for more inspiration!
 
@@ -146,9 +146,9 @@ And the supporting UI packages and tools.
 - `ui-utils` - miscellaneous utility functions
 - `ui-widgets` - widget components
 
-More information on the repository structure can be found in the [CONTRIBUTING.md](https://github.com/causalens/dara/blob/v1.23.0-alpha.1/CONTRIBUTING.md) file.
+More information on the repository structure can be found in the [CONTRIBUTING.md](https://github.com/causalens/dara/blob/v1.23.1/CONTRIBUTING.md) file.
 
 ## License
 
-Dara is open-source and licensed under the [Apache 2.0 License](https://github.com/causalens/dara/blob/v1.23.0-alpha.1/LICENSE).
+Dara is open-source and licensed under the [Apache 2.0 License](https://github.com/causalens/dara/blob/v1.23.1/LICENSE).
 

{dara_core-1.23.0a1.dist-info → dara_core-1.23.1.dist-info}/RECORD

@@ -1,7 +1,7 @@
 dara/core/__init__.py,sha256=yTp-lXT0yy9XqLGYWlmjPgFG5g2eEg2KhKo8KheTHoo,1408
 dara/core/_assets/__init__.py,sha256=13vMoWHvl1zcFcjNHh8lbTwWOvu4f7krYSco978qxwM,723
 dara/core/_assets/auto_js/dara.core.css,sha256=yT3PKpi2sKI2-kQIF8xtVbTPQqgpK7-Ua7tfzDPuSsI,4095881
-dara/core/_assets/auto_js/dara.core.umd.cjs,sha256=T9MOYSRnuHnraSboQ7NcfodV8vrBkNGISoCZQCuc4Ec,5163725
+dara/core/_assets/auto_js/dara.core.umd.cjs,sha256=hvmFXD-p5KiQFZdoyp6z-Js_DG6r2bFIzXKoGtj5QFQ,5163770
 dara/core/_assets/auto_js/react-dom.development.js,sha256=vR2Fq5LXMKS5JsTo2CMl6oGCJT8scJV2wXSteTtx8aE,1077040
 dara/core/_assets/auto_js/react-is.development.js,sha256=2IRgmaphdMq6wx2MbsmVUQ0UwapGETNjgano3XEkGcc,7932
 dara/core/_assets/auto_js/react-query.development.js,sha256=lI2fTKMvWmjbagGQaVtZYr51_-C_U_so064JwetuDS0,130366
@@ -12,12 +12,12 @@ dara/core/actions.py,sha256=rC5Tu79AFNWMv0CJuchBnoy6pETIFh_1RTSqxrolArI,947
 dara/core/auth/__init__.py,sha256=HJoYIVPzbpwzN_RUHjGpSJj4o5TmHz9yFyZGiRiObCk,906
 dara/core/auth/base.py,sha256=NJmUJqA-W8AVKIQbX_0BoHoZqtU1Iz6cJ16RKdcdIyU,3642
 dara/core/auth/basic.py,sha256=sglIaogCslG2HlDMjFsaaJhOJeXUW-QQLTIYPaUPxAU,4927
-dara/core/auth/definitions.py,sha256=OzJshDLuut8MaM_pbfyQFkSlUuMNBWNszA57jRXF0Cg,3848
+dara/core/auth/definitions.py,sha256=ZZMXJbMFY42Q5YaJCMwZT0bivnxq7TaIoug7uYqAGzE,3988
 dara/core/auth/oidc/__init__.py,sha256=UWdhFvDqLCoILaKVWbmrrJgiMgg9wlVZgCxRvf_HGHM,65
-dara/core/auth/oidc/config.py,sha256=5rDxbr3wVZdjIz8USYNeUmKwKfeucHtLgfXwM3_weaE,20835
+dara/core/auth/oidc/config.py,sha256=XdiJSC2-9g8fqM-FkmU0c079VqnrApVv-MKwEBwk50s,23753
 dara/core/auth/oidc/definitions.py,sha256=KLlUl2Y7n6prX0JSAwPde6J43iMs6uUY07OG7kumRPw,17568
-dara/core/auth/oidc/routes.py,sha256=uvNHYUieaXy9hu6MYe_5eZvflX5TmFaIv6EGpCRP-dw,5335
-dara/core/auth/oidc/settings.py,sha256=k1CKDTUKSFoCEp1ASI_R5L_lsNkFzjfAymMMIMmI1AE,2097
+dara/core/auth/oidc/routes.py,sha256=wlYp8VZP4C4BFHqJPPYHi3PdLd8SetdG2CtG3B4laBk,5579
+dara/core/auth/oidc/settings.py,sha256=wU6fmkqhTNzMNFUxizFaaavH2cKuXeqRIzMi3TpwLhA,2233
 dara/core/auth/oidc/utils.py,sha256=IL17tStRNpkAQI3M17nrzGeb4xr47zSLPo4wT7LMwBQ,5145
 dara/core/auth/routes.py,sha256=dtOxpFotnt4XQ4spW3mbyM7ThYRvfIA_oRK5X5lyYHg,7256
 dara/core/auth/utils.py,sha256=_aHZ98qMJ0VLE9Zfvj5biPARhe973_eyTx2qxnufzRE,7290
@@ -134,8 +134,8 @@ dara/core/visual/themes/__init__.py,sha256=aM4mgoIYo2neBSw5FRzswsht7PUKjLthiHLmF
 dara/core/visual/themes/dark.py,sha256=QazCRDqh_SCOyQhdwMkH1wbHf301oL7gCFj91plbLww,2020
 dara/core/visual/themes/definitions.py,sha256=dtET2YUlwXkO6gJ23MqSb8gIq-LxJ343CWsgueWSifM,2787
 dara/core/visual/themes/light.py,sha256=dtHb6Q1HOb5r_AvJfe0vZajikVc-GnBEUrGsTcI5MHA,2022
-dara_core-1.23.0a1.dist-info/LICENSE,sha256=r9u1w2RvpLMV6YjuXHIKXRBKzia3fx_roPwboGcLqCc,10944
-dara_core-1.23.0a1.dist-info/METADATA,sha256=WH9TER9_ycRXWaU40zxhvD5teCWhUbExsBay21YHW_w,7598
-dara_core-1.23.0a1.dist-info/WHEEL,sha256=sP946D7jFCHeNz5Iq4fL4Lu-PrWrFsgfLXbbkciIZwg,88
-dara_core-1.23.0a1.dist-info/entry_points.txt,sha256=nAT9o1kJCmTK1saDh29PFGFD6cbxDDDjTj31HDEDwfU,197
-dara_core-1.23.0a1.dist-info/RECORD,,
+dara_core-1.23.1.dist-info/LICENSE,sha256=r9u1w2RvpLMV6YjuXHIKXRBKzia3fx_roPwboGcLqCc,10944
+dara_core-1.23.1.dist-info/METADATA,sha256=gVUjEVltqKHlaPr_tu3FypSAhpceR2M1-HJCwP8cT84,7524
+dara_core-1.23.1.dist-info/WHEEL,sha256=sP946D7jFCHeNz5Iq4fL4Lu-PrWrFsgfLXbbkciIZwg,88
+dara_core-1.23.1.dist-info/entry_points.txt,sha256=nAT9o1kJCmTK1saDh29PFGFD6cbxDDDjTj31HDEDwfU,197
+dara_core-1.23.1.dist-info/RECORD,,