streamlit-nightly 1.41.2.dev20250107__py2.py3-none-any.whl → 1.41.2.dev20250109__py2.py3-none-any.whl

streamlit/user_info.py

@@ -1,4 +1,4 @@
-# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2024)
+# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2025)
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -14,62 +14,129 @@
 
 from __future__ import annotations
 
-from typing import TYPE_CHECKING, Iterator, Mapping, NoReturn, Union
+from typing import (
+    TYPE_CHECKING,
+    Final,
+    Iterator,
+    Mapping,
+    NoReturn,
+    Union,
+)
 
-from streamlit.errors import StreamlitAPIException
+from streamlit import config, runtime
+from streamlit.auth_util import (
+    encode_provider_token,
+    get_secrets_auth_section,
+    is_authlib_installed,
+    validate_auth_credentials,
+)
+from streamlit.errors import StreamlitAPIException, StreamlitAuthError
+from streamlit.proto.ForwardMsg_pb2 import ForwardMsg
+from streamlit.runtime.metrics_util import gather_metrics
 from streamlit.runtime.scriptrunner_utils.script_run_context import (
     get_script_run_ctx as _get_script_run_ctx,
 )
+from streamlit.url_util import make_url_path
 
 if TYPE_CHECKING:
     from streamlit.runtime.scriptrunner_utils.script_run_context import UserInfo
 
 
+AUTH_LOGIN_ENDPOINT: Final = "/auth/login"
+AUTH_LOGOUT_ENDPOINT: Final = "/auth/logout"
+
+
+@gather_metrics("login")
+def login(provider: str | None = None) -> None:
+    """Initiate the login for the given provider.
+
+    Parameters
+    ----------
+    provider : str or None
+        The provider to use for login. This value must match the name of a
+        provider configured in the app's auth section of ``secrets.toml`` file.
+        If None, the default provider in the auth section will be used.
+    """
+    if provider is None:
+        provider = "default"
+
+    context = _get_script_run_ctx()
+    if context is not None:
+        if not is_authlib_installed():
+            raise StreamlitAuthError(
+                """To use authentication features, you need to install """
+                """Authlib>=1.3.2, e.g. via `pip install Authlib`."""
+            )
+        validate_auth_credentials(provider)
+        fwd_msg = ForwardMsg()
+        fwd_msg.auth_redirect.url = generate_login_redirect_url(provider)
+        context.enqueue(fwd_msg)
+
+
+@gather_metrics("logout")
+def logout() -> None:
+    """Logout the current user."""
+    context = _get_script_run_ctx()
+    if context is not None:
+        context.user_info.clear()
+        session_id = context.session_id
+
+        if runtime.exists():
+            instance = runtime.get_instance()
+            instance.clear_user_info_for_session(session_id)
+
+        base_path = config.get_option("server.baseUrlPath")
+
+        fwd_msg = ForwardMsg()
+        fwd_msg.auth_redirect.url = make_url_path(base_path, AUTH_LOGOUT_ENDPOINT)
+        context.enqueue(fwd_msg)
+
+
+def generate_login_redirect_url(provider: str) -> str:
+    """Generate the login redirect URL for the given provider."""
+    provider_token = encode_provider_token(provider)
+    base_path = config.get_option("server.baseUrlPath")
+    login_path = make_url_path(base_path, AUTH_LOGIN_ENDPOINT)
+    return f"{login_path}?provider={provider_token}"
+
+
 def _get_user_info() -> UserInfo:
     ctx = _get_script_run_ctx()
     if ctx is None:
         # TODO: Add appropriate warnings when ctx is missing
         return {}
-    return ctx.user_info
+    context_user_info = ctx.user_info.copy()
+
+    auth_section_exists = get_secrets_auth_section()
+    if "is_logged_in" not in context_user_info and auth_section_exists:
+        context_user_info["is_logged_in"] = False
+    return context_user_info
 
 
-class UserInfoProxy(Mapping[str, Union[str, None]]):
+class UserInfoProxy(Mapping[str, Union[str, bool, None]]):
     """
     A read-only, dict-like object for accessing information about current user.
 
-    ``st.experimental_user`` is dependant on the host platform running the
+    ``st.experimental_user`` is dependent on the host platform running the
     Streamlit app. If the host platform has not configured the function, it
     will behave as it does in a locally running app.
 
-    Properties can by accessed via key or attribute notation. For example,
+    Properties can be accessed via key or attribute notation. For example,
     ``st.experimental_user["email"]`` or ``st.experimental_user.email``.
 
-    Attributes
-    ----------
-    email : str
-        If running locally, this property returns the string literal
-        ``"test@example.com"``.
-
-        If running on Streamlit Community Cloud, this
-        property returns one of two values:
-
-        - ``None`` if the user is not logged in or not a member of the app's\
-        workspace. Such users appear under anonymous pseudonyms in the app's\
-        analytics.
-        - The user's email if the the user is logged in and a member of the\
-        app's workspace. Such users are identified by their email in the app's\
-        analytics.
-
     """
 
-    def __getitem__(self, key: str) -> str | None:
-        return _get_user_info()[key]
+    def __getitem__(self, key: str) -> str | bool | None:
+        try:
+            return _get_user_info()[key]
+        except KeyError:
+            raise KeyError(f'st.experimental_user has no key "{key}".')
 
-    def __getattr__(self, key: str) -> str | None:
+    def __getattr__(self, key: str) -> str | bool | None:
         try:
             return _get_user_info()[key]
         except KeyError:
-            raise AttributeError
+            raise AttributeError(f'st.experimental_user has no attribute "{key}".')
 
     def __setattr__(self, name: str, value: str | None) -> NoReturn:
         raise StreamlitAPIException("st.experimental_user cannot be modified")

streamlit/util.py

@@ -1,4 +1,4 @@
-# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2024)
+# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2025)
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

streamlit/version.py

@@ -1,4 +1,4 @@
-# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2024)
+# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2025)
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

streamlit/watcher/__init__.py

@@ -1,4 +1,4 @@
-# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2024)
+# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2025)
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

streamlit/watcher/event_based_path_watcher.py

@@ -1,4 +1,4 @@
-# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2024)
+# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2025)
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

streamlit/watcher/folder_black_list.py

@@ -1,4 +1,4 @@
-# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2024)
+# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2025)
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

streamlit/watcher/local_sources_watcher.py

@@ -1,4 +1,4 @@
-# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2024)
+# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2025)
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

streamlit/watcher/path_watcher.py

@@ -1,4 +1,4 @@
-# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2024)
+# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2025)
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

streamlit/watcher/polling_path_watcher.py

@@ -1,4 +1,4 @@
-# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2024)
+# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2025)
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

streamlit/watcher/util.py

@@ -1,4 +1,4 @@
-# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2024)
+# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2025)
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

streamlit/web/__init__.py

@@ -1,4 +1,4 @@
-# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2024)
+# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2025)
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

streamlit/web/bootstrap.py

@@ -1,4 +1,4 @@
-# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2024)
+# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2025)
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

streamlit/web/cache_storage_manager_config.py

@@ -1,4 +1,4 @@
-# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2024)
+# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2025)
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

streamlit/web/cli.py

@@ -1,4 +1,4 @@
-# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2024)
+# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2025)
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

streamlit/web/server/__init__.py

@@ -1,4 +1,4 @@
-# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2024)
+# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2025)
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

streamlit/web/server/app_static_file_handler.py

@@ -1,4 +1,4 @@
-# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2024)
+# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2025)
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

streamlit/web/server/authlib_tornado_integration.py

@@ -0,0 +1,58 @@
+# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2025)
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from __future__ import annotations
+
+from typing import TYPE_CHECKING, Any, Sequence
+
+from authlib.integrations.base_client import (  # type: ignore[import-untyped]
+    FrameworkIntegration,
+)
+
+from streamlit.runtime.secrets import AttrDict
+
+if TYPE_CHECKING:
+    from streamlit.web.server.oidc_mixin import TornadoOAuth
+
+
+class TornadoIntegration(FrameworkIntegration):  # type: ignore[misc]
+    def update_token(self, token, refresh_token=None, access_token=None):
+        """We do not support access token refresh, since we obtain and operate only on
+        identity tokens. We override this method explicitly to implement all abstract
+        methods of base class.
+        """
+
+    @staticmethod
+    def load_config(
+        oauth: TornadoOAuth, name: str, params: Sequence[str]
+    ) -> dict[str, Any]:
+        """Configure Authlib integration with provider parameters
+        specified in secrets.toml
+        """
+
+        # oauth.config here is an auth section from secrets.toml
+        # We parse it here to transform nested AttrDict (for client_kwargs value)
+        # to dict so Authlib can work with it under the hood.
+        if not oauth.config:
+            return {}
+
+        prepared_config = {}
+        for key in params:
+            value = oauth.config.get(name, {}).get(key, None)
+            if isinstance(value, AttrDict):
+                # We want to modify client_kwargs further after loading server metadata
+                value = value.to_dict()
+            if value is not None:
+                prepared_config[key] = value
+        return prepared_config

streamlit/web/server/browser_websocket_handler.py

@@ -1,4 +1,4 @@
-# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2024)
+# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2025)
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -16,14 +16,17 @@ from __future__ import annotations
 
 import base64
 import binascii
+import hmac
 import json
 from typing import TYPE_CHECKING, Any, Awaitable, Final
+from urllib.parse import urlparse
 
 import tornado.concurrent
 import tornado.locks
 import tornado.netutil
 import tornado.web
 import tornado.websocket
+from tornado.escape import utf8
 from tornado.websocket import WebSocketHandler
 
 from streamlit import config
@@ -31,7 +34,11 @@ from streamlit.logger import get_logger
 from streamlit.proto.BackMsg_pb2 import BackMsg
 from streamlit.runtime import Runtime, SessionClient, SessionClientDisconnectedError
 from streamlit.runtime.runtime_util import serialize_forward_msg
-from streamlit.web.server.server_util import is_url_from_allowed_origins
+from streamlit.web.server.server_util import (
+    AUTH_COOKIE_NAME,
+    is_url_from_allowed_origins,
+    is_xsrf_enabled,
+)
 
 if TYPE_CHECKING:
     from streamlit.proto.ForwardMsg_pb2 import ForwardMsg
@@ -50,13 +57,63 @@ class BrowserWebSocketHandler(WebSocketHandler, SessionClient):
         # need to read the self.xsrf_token manually to set the cookie as a side
         # effect. See https://www.tornadoweb.org/en/stable/guide/security.html#cross-site-request-forgery-protection
         # for more details.
-        if config.get_option("server.enableXsrfProtection"):
+        if is_xsrf_enabled():
             _ = self.xsrf_token
 
+    def get_signed_cookie(
+        self,
+        name: str,
+        value: str | None = None,
+        max_age_days: float = 31,
+        min_version: int | None = None,
+    ) -> bytes | None:
+        """Get a signed cookie from the request. Added for compatibility with
+        Tornado < 6.3.0.
+        See release notes: https://www.tornadoweb.org/en/stable/releases/v6.3.0.html#deprecation-notices
+        """
+        try:
+            return super().get_signed_cookie(name, value, max_age_days, min_version)
+        except AttributeError:
+            return super().get_secure_cookie(name, value, max_age_days, min_version)
+
     def check_origin(self, origin: str) -> bool:
         """Set up CORS."""
         return super().check_origin(origin) or is_url_from_allowed_origins(origin)
 
+    def _validate_xsrf_token(self, supplied_token: str) -> bool:
+        """Inspired by tornado.web.RequestHandler.check_xsrf_cookie method,
+        to check the XSRF token passed in Websocket connection header.
+        """
+        _, token, _ = self._decode_xsrf_token(supplied_token)
+        _, expected_token, _ = self._get_raw_xsrf_token()
+
+        decoded_token = utf8(token)
+        decoded_expected_token = utf8(expected_token)
+
+        if not decoded_token or not decoded_expected_token:
+            return False
+        return hmac.compare_digest(decoded_token, decoded_expected_token)
+
+    def _parse_user_cookie(self, raw_cookie_value: bytes, email: str) -> dict[str, Any]:
+        """Process the user cookie and extract the user info after
+        validating the origin. Origin is validated for security reasons.
+        """
+        cookie_value = json.loads(raw_cookie_value)
+        user_info = {}
+
+        cookie_value_origin = cookie_value.get("origin", None)
+        parsed_origin_from_header = urlparse(self.request.headers["Origin"])
+        expected_origin_value = (
+            parsed_origin_from_header.scheme + "://" + parsed_origin_from_header.netloc
+        )
+        if cookie_value_origin == expected_origin_value:
+            user_info["is_logged_in"] = cookie_value.get("is_logged_in", False)
+            del cookie_value["origin"]
+            del cookie_value["is_logged_in"]
+            user_info.update(cookie_value)
+
+        return user_info
+
     def write_forward_msg(self, msg: ForwardMsg) -> None:
         """Send a ForwardMsg to the browser."""
         try:
@@ -102,11 +159,13 @@ class BrowserWebSocketHandler(WebSocketHandler, SessionClient):
             is_public_cloud_app = user_obj["isPublicCloudApp"]
         except (KeyError, binascii.Error, json.decoder.JSONDecodeError):
             email = "test@example.com"
-
-        user_info: dict[str, str | None] = {
-            "email": None if is_public_cloud_app else email
+        user_info: dict[str, str | bool | None] = {
+            "email": None if is_public_cloud_app else email,
         }
 
+        if is_public_cloud_app or email == "test@example.com":
+            user_info.pop("email", None)
+
         existing_session_id = None
         try:
             ws_protocols = [
@@ -114,6 +173,13 @@ class BrowserWebSocketHandler(WebSocketHandler, SessionClient):
                 for p in self.request.headers["Sec-Websocket-Protocol"].split(",")
             ]
 
+            raw_cookie_value = self.get_signed_cookie(AUTH_COOKIE_NAME)
+            if is_xsrf_enabled() and raw_cookie_value:
+                csrf_protocol_value = ws_protocols[1]
+
+                if self._validate_xsrf_token(csrf_protocol_value):
+                    user_info.update(self._parse_user_cookie(raw_cookie_value, email))
+
             if len(ws_protocols) >= 3:
                 # See the NOTE in the docstring of the `select_subprotocol` method above
                 # for a detailed explanation of why this is done.

streamlit/web/server/component_request_handler.py

@@ -1,4 +1,4 @@
-# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2024)
+# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2025)
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

streamlit/web/server/media_file_handler.py

@@ -1,4 +1,4 @@
-# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2024)
+# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2025)
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.

streamlit/web/server/oauth_authlib_routes.py

@@ -0,0 +1,176 @@
+# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2025)
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+from __future__ import annotations
+
+import json
+from typing import Any
+from urllib.parse import urlparse
+
+import tornado.web
+
+from streamlit.auth_util import (
+    AuthCache,
+    decode_provider_token,
+    generate_default_provider_section,
+    get_secrets_auth_section,
+)
+from streamlit.errors import StreamlitAuthError
+from streamlit.url_util import make_url_path
+from streamlit.web.server.oidc_mixin import TornadoOAuth, TornadoOAuth2App
+from streamlit.web.server.server_util import AUTH_COOKIE_NAME
+
+auth_cache = AuthCache()
+
+
+def create_oauth_client(provider: str) -> tuple[TornadoOAuth2App, str]:
+    """Create an OAuth client for the given provider based on secrets.toml configuration."""
+    auth_section = get_secrets_auth_section()
+    if auth_section:
+        redirect_uri = auth_section.get("redirect_uri", None)
+        config = auth_section.to_dict()
+    else:
+        config = {}
+        redirect_uri = "/"
+
+    provider_section = config.setdefault(provider, {})
+
+    if not provider_section and provider == "default":
+        provider_section = generate_default_provider_section(auth_section)
+        config["default"] = provider_section
+
+    provider_client_kwargs = provider_section.setdefault("client_kwargs", {})
+    if "scope" not in provider_client_kwargs:
+        provider_client_kwargs["scope"] = "openid email profile"
+    if "prompt" not in provider_client_kwargs:
+        provider_client_kwargs["prompt"] = "select_account"
+
+    oauth = TornadoOAuth(config, cache=auth_cache)
+    oauth.register(provider)
+    return oauth.create_client(provider), redirect_uri
+
+
+class AuthHandlerMixin(tornado.web.RequestHandler):
+    """Mixin for handling auth cookies. Added for compatibility with Tornado < 6.3.0."""
+
+    def initialize(self, base_url: str) -> None:
+        self.base_url = base_url
+
+    def redirect_to_base(self) -> None:
+        self.redirect(make_url_path(self.base_url, "/"))
+
+    def set_auth_cookie(self, user_info: dict[str, Any]) -> None:
+        serialized_cookie_value = json.dumps(user_info)
+        try:
+            # We don't specify Tornado secure flag here because it leads to missing cookie on Safari.
+            # The OIDC flow should work only on secure context anyway (localhost or HTTPS),
+            # so specifying the secure flag here will not add anything in terms of security.
+            self.set_signed_cookie(
+                AUTH_COOKIE_NAME,
+                serialized_cookie_value,
+                httpOnly=True,
+            )
+        except AttributeError:
+            self.set_secure_cookie(
+                AUTH_COOKIE_NAME,
+                serialized_cookie_value,
+                httponly=True,
+            )
+
+    def clear_auth_cookie(self) -> None:
+        self.clear_cookie(AUTH_COOKIE_NAME)
+
+
+class AuthLoginHandler(AuthHandlerMixin, tornado.web.RequestHandler):
+    async def get(self):
+        """Redirect to the OAuth provider login page."""
+        provider = self._parse_provider_token()
+        if provider is None:
+            self.redirect_to_base()
+            return
+
+        client, redirect_uri = create_oauth_client(provider)
+        try:
+            client.authorize_redirect(self, redirect_uri)
+        except Exception as e:
+            self.send_error(400, reason=str(e))
+
+    def _parse_provider_token(self) -> str | None:
+        provider_token = self.get_argument("provider", None)
+        try:
+            if provider_token is None:
+                raise StreamlitAuthError("Missing provider token")
+            payload = decode_provider_token(provider_token)
+        except StreamlitAuthError:
+            return None
+
+        return payload["provider"]
+
+
+class AuthLogoutHandler(AuthHandlerMixin, tornado.web.RequestHandler):
+    def get(self):
+        self.clear_auth_cookie()
+        self.redirect_to_base()
+
+
+class AuthCallbackHandler(AuthHandlerMixin, tornado.web.RequestHandler):
+    async def get(self):
+        provider = self._get_provider_by_state()
+        origin = self._get_origin_from_secrets()
+        if origin is None:
+            self.redirect_to_base()
+            return
+
+        error = self.get_argument("error", None)
+        if error:
+            self.redirect_to_base()
+            return
+
+        if provider is None:
+            self.redirect_to_base()
+            return
+
+        client, _ = create_oauth_client(provider)
+        token = client.authorize_access_token(self)
+        user = token.get("userinfo")
+
+        cookie_value = dict(user, origin=origin, is_logged_in=True)
+        if user:
+            self.set_auth_cookie(cookie_value)
+        self.redirect_to_base()
+
+    def _get_provider_by_state(self) -> str | None:
+        state_code_from_url = self.get_argument("state")
+        current_cache_keys = list(auth_cache.get_dict().keys())
+        state_provider_mapping = {}
+        for key in current_cache_keys:
+            _, _, recorded_provider, code = key.split("_")
+            state_provider_mapping[code] = recorded_provider
+
+        provider: str | None = state_provider_mapping.get(state_code_from_url, None)
+        return provider
+
+    def _get_origin_from_secrets(self) -> str | None:
+        redirect_uri = None
+        auth_section = get_secrets_auth_section()
+        if auth_section:
+            redirect_uri = auth_section.get("redirect_uri", None)
+
+        if not redirect_uri:
+            return None
+
+        redirect_uri_parsed = urlparse(redirect_uri)
+        origin_from_redirect_uri: str = (
+            redirect_uri_parsed.scheme + "://" + redirect_uri_parsed.netloc
+        )
+        return origin_from_redirect_uri