Spaces:

holistic-ai
/

AgentGraph

Running

wu981526092 commited on Sep 17, 2025

Commit

5d5103b

1 Parent(s): 94b62b3

Fix: Add backend OAuth config API for client_id

🐛 Problem:
- HF OAuth requires client_id parameter in authorization URL
- Frontend can't directly access server environment variables
- Getting 400 'client_id is required' error

✅ Solution:
- Created /api/auth/oauth-config endpoint in backend
- Returns public OAuth config (client_id, scopes, provider_url)
- Frontend fetches config before OAuth redirect
- Secure: Only returns public info, never client_secret

🔧 Technical Changes:
Backend:
- Added get_oauth_config_for_frontend() route
- Returns OAuth config from environment variables
- Includes safety checks for auth_enabled status

Frontend:
- Fetch OAuth config from backend API before login
- Use backend-provided client_id in OAuth URL
- Enhanced error handling for config fetch failures
- Debug logging for OAuth config validation

🎯 Expected Result:
- OAuth URL now includes proper client_id parameter
- Should successfully redirect to HF OAuth page
- No more '400 client_id required' errors

Files changed (2) hide show

backend/routers/auth.py +20 -0
frontend/src/context/AuthContext.tsx +42 -24

backend/routers/auth.py CHANGED Viewed

@@ -49,6 +49,26 @@ async def auth_status(request: Request):
     }
 @router.get("/login")
 async def login(request: Request):
     """

     }
+@router.get("/oauth-config")
+async def get_oauth_config_for_frontend():
+    """Get OAuth configuration for frontend use (public information only)."""
+    if not should_enable_auth():
+        return {"oauth_enabled": False}
+    config = get_oauth_config()
+    if not config:
+        return {"oauth_enabled": False, "error": "OAuth not configured"}
+    # Only return public information (never return client_secret)
+    return {
+        "oauth_enabled": True,
+        "client_id": config["client_id"],
+        "scopes": config["scopes"],
+        "provider_url": config["provider_url"],
+        "is_hf_spaces": is_huggingface_space()
+    }
 @router.get("/login")
 async def login(request: Request):
     """

frontend/src/context/AuthContext.tsx CHANGED Viewed

@@ -217,30 +217,48 @@ export function AuthProvider({ children }: { children: ReactNode }) {
         document.querySelector('meta[name="hf:space"]') !== null;
       if (isHFSpaces) {
-        // In HF Spaces, use direct OAuth URL redirect
-        // HF Spaces provides OAuth automatically when hf_oauth: true is set in README.md
-        console.log("🔐 Using HF Spaces direct OAuth redirect");
-        // Direct OAuth URL construction for HF Spaces
-        const baseUrl = window.location.origin;
-        const redirectUri = `${baseUrl}/oauth-callback`; // Use HF standard callback
-        // Create state for CSRF protection
-        const state = Math.random().toString(36).substring(2, 15);
-        localStorage.setItem("oauth_state", state);
-        // Use HF OAuth endpoint directly - HF Spaces handles client_id automatically
-        const oauthUrl =
-          `https://huggingface.co/oauth/authorize?` +
-          `response_type=code&` +
-          `redirect_uri=${encodeURIComponent(redirectUri)}&` +
-          `scope=openid%20profile%20read-repos&` +
-          `state=${state}&` +
-          `prompt=consent`;
-        console.log("🔄 Redirecting to HF OAuth:", oauthUrl);
-        window.location.href = oauthUrl;
       } else {
         // For local development, show a message or redirect to HF
         dispatch({

         document.querySelector('meta[name="hf:space"]') !== null;
       if (isHFSpaces) {
+        // In HF Spaces, get OAuth config from backend API
+        console.log("🔐 Getting OAuth config from backend");
+        try {
+          const response = await fetch('/api/auth/oauth-config');
+          const oauthConfig = await response.json();
+          if (!oauthConfig.oauth_enabled) {
+            throw new Error("OAuth not enabled or configured on backend");
+          }
+          console.log("✅ OAuth config received:", {
+            client_id: oauthConfig.client_id?.substring(0, 8) + "...",
+            scopes: oauthConfig.scopes,
+            provider_url: oauthConfig.provider_url
+          });
+          // Direct OAuth URL construction with backend-provided client_id
+          const baseUrl = window.location.origin;
+          const redirectUri = `${baseUrl}/oauth-callback`;
+          // Create state for CSRF protection
+          const state = Math.random().toString(36).substring(2, 15);
+          localStorage.setItem("oauth_state", state);
+          // Use HF OAuth endpoint with proper client_id from backend
+          const oauthUrl =
+            `${oauthConfig.provider_url}/oauth/authorize?` +
+            `response_type=code&` +
+            `client_id=${encodeURIComponent(oauthConfig.client_id)}&` +
+            `redirect_uri=${encodeURIComponent(redirectUri)}&` +
+            `scope=${encodeURIComponent(oauthConfig.scopes)}&` +
+            `state=${state}&` +
+            `prompt=consent`;
+          console.log("🔄 Redirecting to HF OAuth with client_id");
+          window.location.href = oauthUrl;
+        } catch (configError) {
+          console.error("Failed to get OAuth config from backend:", configError);
+          throw new Error("OAuth configuration not available from backend");
+        }
       } else {
         // For local development, show a message or redirect to HF
         dispatch({