Documentation for FastAPI/Starlette for Oauth2 is incorrect/misleading/confusing? #611

Open
ldorigo opened this issue Dec 22, 2023 · 3 comments

ldorigo commented Dec 22, 2023

Describe the bug

The documentation for the FastAPI/Starlette clients for OAuth2 is unclear. In Starlette, it says that it's not necessary to use SessionMiddleware for OAuth2, yet in FastAPI (which uses the exact same client), it seems to say that it is necessary? Indeed, if I don't include the middleware, I get an error saying that "SessionMiddleware must be installed to access request.session"?

This was supposedly fixed in #425 (commit 1089d54), but that doesn't work: framework.cache is None in my case, and the docs don't say anywhere where/how to initialize it?

Note that adding the SessionMiddleware doesn't work either, although that seems to be a separate bug. Happy to expand if necessary.

**Code**

```python
from authlib.integrations.starlette_client import OAuth
from fastapi import FastAPI, Request
from fastapi.responses import RedirectResponse
from starlette.middleware.sessions import SessionMiddleware

CANVAS_CLIENT_ID = "xxx"
CANVAS_CLIENT_SECRET = "xxx"

app = FastAPI()

# No cache is passed here, so the client falls back to request.session
oauth = OAuth()

oauth.register(
    name="canvas",
    client_id=CANVAS_CLIENT_ID,
    client_secret=CANVAS_CLIENT_SECRET,
    access_token_url="xxx",
    access_token_params=None,
    authorize_url="xxx",
    authorize_params=None,
    api_base_url="xxx",
    client_kwargs={
        "force_login": 1,  # Custom parameter
    },
)

# app.add_middleware(SessionMiddleware, secret_key="some-random-string")  # Shouldn't be necessary, also fails if uncommented


@app.get('/login/canvas')
async def login_via_canvas(request: Request) -> RedirectResponse:
    canvas = oauth.create_client('canvas')
    redirect_uri = "http://localhost:xxx/auth/canvas"
    return await canvas.authorize_redirect(request, redirect_uri)


@app.get('/auth/canvas')
async def authorize_canvas(request: Request) -> RedirectResponse:
    canvas = oauth.create_client('canvas')
    # do something with the token and userinfo
    # Just go back to the homepage for now
    token = await canvas.authorize_access_token(request)
    user = token['userinfo']
    print(token)
    return RedirectResponse(url="http://localhost:3018")
```

Environment:

  • OS: Linux
  • Python Version: 3.11
  • Authlib Version: 1.3.0

@ftapajos

I'm a bit confused... The error is shown even when you add the middleware? By what you've shown, your code is not setting the framework cache, as it should have been done in oauth creation. Do you intend to use the cache or the session approach?


ldorigo commented Dec 22, 2023

I'm confused too, that's the point :-) The docs aren't clear.

That error is not shown when I add the middleware - I used to have an entirely different error, however it disappeared now and I'm not sure why, I don't think I changed anything - maybe it was related to the browser's cache.

But according to the docs, it's not necessary to use session middleware with Starlette for OAuth2, which doesn't appear to be true?

@ftapajos

Yeah, I guess the docs are misleading or incomplete. You must either use the Starlette session middleware or set up the cache service (which is only described in the Flask configuration for some reason).
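
The cache option named in the comment above, as an added example that is not part of the thread or of Authlib's own code: a minimal in-process store for the OAuth `state` data that would otherwise live in `request.session`. It assumes Authlib's Starlette `OAuth` accepts a `cache=` argument and awaits `get(key)`, `set(key, value, expires)` and `delete(key)` on it; `InMemoryStateCache` and `build_oauth` are hypothetical names.

```python
import time


class InMemoryStateCache:
    """Async TTL store for OAuth state data.

    Single process only: with several workers the callback may reach a
    worker that never saw the state, so a shared store is needed there.
    """

    def __init__(self, clock=time.monotonic):
        self._clock = clock   # injectable so expiry can be tested
        self._items = {}      # key -> (expires_at or None, value)

    # The methods contain no awaits, so each one runs atomically on a
    # single event loop and no lock is required.
    async def set(self, key, value, expires=None):
        self._purge()
        expires_at = None if expires is None else self._clock() + expires
        self._items[key] = (expires_at, value)

    async def get(self, key):
        self._purge()
        item = self._items.get(key)
        return None if item is None else item[1]

    async def delete(self, key):
        self._items.pop(key, None)

    def _purge(self):
        # Drop expired entries so abandoned logins do not accumulate and
        # a stale state value is rejected once its lifetime has passed.
        now = self._clock()
        expired = [k for k, (exp, _) in self._items.items()
                   if exp is not None and exp <= now]
        for k in expired:
            del self._items[k]


def build_oauth(cache):
    # Assumption: the Starlette OAuth registry takes `cache=` (see lead-in).
    # Imported lazily so the cache class can be used without Authlib installed.
    from authlib.integrations.starlette_client import OAuth
    return OAuth(cache=cache)
```

With the session approach instead, the `state` data is stored in the cookie handled by `SessionMiddleware`, so the middleware must be added to the app before the login route is hit.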
