refactor!: remove dangerous *args and idtoken_model argument

idtoken_model was removed as an argument as it is enforced by
pydantic with type hinting in the depends statement

BREAKING CHANGE

Author: samedii

README.md

@@ -48,16 +48,15 @@ from fastapi import FastAPI
 from fastapi_oidc import IDToken
 from fastapi_oidc import get_auth
 
-OIDC_config = {
-    "client_id": "0oa1e3pv9opbyq2Gm4x7",
-    # Audience can be omitted in which case the aud value defaults to client_id
-    "audience": "https://yourapi.url.com/api",
+
+authenticate_user = get_auth(
+    client_id": "0oa1e3pv9opbyq2Gm4x7",
     "base_authorization_server_uri": "https://dev-126594.okta.com",
     "issuer": "dev-126594.okta.com",
-    "signature_cache_ttl": 3600,
-}
-
-authenticate_user: Callable = get_auth(**OIDC_config)
+    # Audience can be omitted in which case it defaults to client_id
+    "audience": "https://yourapi.url.com/api",  # optional, verification only
+    "signature_cache_ttl": 3600,  # optional
+)
 
 app = FastAPI()
 
@@ -77,7 +76,7 @@ class CustomIDToken(fastapi_oidc.IDToken):
     custom_default: float = 3.14
 
 
-authenticate_user: Callable = get_auth(**OIDC_config, token_type=CustomIDToken)
+authenticate_user = get_auth(**OIDC_config)
 
 app = FastAPI()
 

fastapi_oidc/auth.py

@@ -17,8 +17,8 @@ def test_auth(authenticated_user: AuthenticatedUser = Depends(authenticate_user)
 """
 
 from typing import Callable
+from typing import Dict
 from typing import Optional
-from typing import Type
 
 from fastapi import Depends
 from fastapi import HTTPException
@@ -29,19 +29,15 @@ def test_auth(authenticated_user: AuthenticatedUser = Depends(authenticate_user)
 from jose.exceptions import JWTClaimsError
 
 from fastapi_oidc import discovery
-from fastapi_oidc.exceptions import TokenSpecificationError
-from fastapi_oidc.types import IDToken
 
 
 def get_auth(
-    *_,
     client_id: str,
-    audience: Optional[str] = None,
     base_authorization_server_uri: str,
     issuer: str,
-    signature_cache_ttl: int,
-    token_type: Type[IDToken] = IDToken,
-) -> Callable[[str], IDToken]:
+    audience: Optional[str] = None,
+    signature_cache_ttl: int = 3600,
+) -> Callable[[str], Dict]:
     """Take configurations and return the authenticate_user function.
 
     This function should only be invoked once at the beggining of your
@@ -63,26 +59,19 @@ def get_auth(
 
 
     Returns:
-        func: authenticate_user(auth_header: str) -> IDToken (or token_type)
+        func: authenticate_user(auth_header: str) -> Dict
 
     Raises:
         Nothing intentional
     """
 
-    if not issubclass(token_type, IDToken):
-        raise TokenSpecificationError(
-            "Invalid argument for token_type. "
-            "Token type must be a subclass of fastapi_oidc.type.IDToken. "
-            f"Received {token_type=}"
-        )
-
     oauth2_scheme = OpenIdConnect(
         openIdConnectUrl=f"{base_authorization_server_uri}/.well-known/openid-configuration"
     )
 
     discover = discovery.configure(cache_ttl=signature_cache_ttl)
 
-    def authenticate_user(auth_header: str = Depends(oauth2_scheme)) -> IDToken:
+    def authenticate_user(auth_header: str = Depends(oauth2_scheme)) -> Dict:
         """Validate and parse OIDC ID token against issuer in config.
         Note this function caches the signatures and algorithms of the issuing server
         for signature_cache_ttl seconds.
@@ -92,7 +81,7 @@ def authenticate_user(auth_header: str = Depends(oauth2_scheme)) -> IDToken:
                 scenes by Depends.
 
         Return:
-            IDToken (types.IDToken):
+            Dict: Dictionary with IDToken information
 
         raises:
             HTTPException(status_code=401, detail=f"Unauthorized: {err}")
@@ -103,7 +92,7 @@ def authenticate_user(auth_header: str = Depends(oauth2_scheme)) -> IDToken:
         algorithms = discover.signing_algos(OIDC_discoveries)
 
         try:
-            token = jwt.decode(
+            return jwt.decode(
                 id_token,
                 key,
                 algorithms,
@@ -112,7 +101,6 @@ def authenticate_user(auth_header: str = Depends(oauth2_scheme)) -> IDToken:
                 # Disabled at_hash check since we aren't using the access token
                 options={"verify_at_hash": False},
             )
-            return token_type.parse_obj(token)
 
         except (ExpiredSignatureError, JWTError, JWTClaimsError) as err:
             raise HTTPException(status_code=401, detail=f"Unauthorized: {err}")

fastapi_oidc/exceptions.py

@@ -1,7 +1,4 @@
-import pytest
-
 from fastapi_oidc import auth
-from fastapi_oidc.exceptions import TokenSpecificationError
 from fastapi_oidc.types import IDToken
 
 
@@ -18,7 +15,7 @@ def test__authenticate_user(
     token = token_with_audience
 
     authenticate_user = auth.get_auth(**config_w_aud)
-    id_token: IDToken = authenticate_user(auth_header=f"Bearer {token}")
+    id_token = IDToken(**authenticate_user(auth_header=f"Bearer {token}"))
 
     assert id_token.email == test_email  # nosec
     assert id_token.aud == config_w_aud["audience"]
@@ -39,20 +36,12 @@ def test__authenticate_user_no_aud(
 
     authenticate_user = auth.get_auth(**no_audience_config)
 
-    id_token: IDToken = authenticate_user(auth_header=f"Bearer {token}")
+    id_token = IDToken(**authenticate_user(auth_header=f"Bearer {token}"))
 
     assert id_token.email == test_email  # nosec
     assert id_token.aud == no_audience_config["client_id"]
 
 
-def test__get_auth_raises_if_token_type_is_not_subclass_of_IDToken(no_audience_config):
-    class BadToken:
-        pass
-
-    with pytest.raises(TokenSpecificationError):
-        auth.get_auth(**no_audience_config, token_type=BadToken)
-
-
 def test__authenticate_user_returns_custom_tokens(
     monkeypatch, mock_discovery, token_without_audience, no_audience_config
 ):
@@ -63,8 +52,8 @@ class CustomToken(IDToken):
 
     token = token_without_audience
 
-    authenticate_user = auth.get_auth(**no_audience_config, token_type=CustomToken)
+    authenticate_user = auth.get_auth(**no_audience_config)
 
-    custom_token: CustomToken = authenticate_user(auth_header=f"Bearer {token}")
+    custom_token = CustomToken(**authenticate_user(auth_header=f"Bearer {token}"))
 
     assert custom_token.custom_field == "OnlySlightlyBent"