OAuth between 2 Frappe Apps

Trying to set up OAuth for SSO between 2 Frappe Apps (Version-14)
Followed this guide - OpenID Connect and Frappe social login

  1. Getting the error below after entering user/password after redirecting to the Frappe IDP Server:
Traceback (most recent call last):
  File "/home/frappe/frappe-bench/apps/frappe/frappe/app.py", line 68, in application
    response = frappe.api.handle()
  File "/home/frappe/frappe-bench/apps/frappe/frappe/api.py", line 55, in handle
    return frappe.handler.handle()
  File "/home/frappe/frappe-bench/apps/frappe/frappe/handler.py", line 31, in handle
    data = execute_cmd(cmd)
  File "/home/frappe/frappe-bench/apps/frappe/frappe/handler.py", line 67, in execute_cmd
    return frappe.call(method, **frappe.form_dict)
  File "/home/frappe/frappe-bench/apps/frappe/frappe/__init__.py", line 1198, in call
    return fn(*args, **newargs)
  File "/home/frappe/frappe-bench/apps/frappe/frappe/www/login.py", line 92, in login_via_frappe
    login_via_oauth2("frappe", code, state, decoder=decoder_compat)
  File "/home/frappe/frappe-bench/apps/frappe/frappe/utils/oauth.py", line 110, in login_via_oauth2
    info = get_info_via_oauth(provider, code, decoder)
  File "/home/frappe/frappe-bench/apps/frappe/frappe/utils/oauth.py", line 146, in get_info_via_oauth
    frappe.throw(_("Email not verified with {0}").format(provider.title()))
  File "/home/frappe/frappe-bench/apps/frappe/frappe/__init__.py", line 437, in throw
    msgprint(msg, raise_exception=exc, title=title, indicator='red', is_minimizable=is_minimizable, wide=wide, as_list=as_list)
  File "/home/frappe/frappe-bench/apps/frappe/frappe/__init__.py", line 416, in msgprint
  File "/home/frappe/frappe-bench/apps/frappe/frappe/__init__.py", line 370, in _raise_exception
    raise raise_exception(msg)
frappe.exceptions.ValidationError: Email not verified with Frappe
  1. The OAuth Authorization Code has scope ‘openid’ only (Default setting when selecting Frappe as Social Login Provider which we are not able to edit in Frappe App Server)

  2. How to map roles from the IDP Server to the App Server?

Thank you

@revant_one - do you have any idea on this?

These params are missing in your response.

Isn’t it handled by Frappe internally? Since it’s Frappe to Frappe.

The Frappe which has all identities is not sending verified email or email. Try printing out what info is; it may give some clue.

Thank you for the pointer. Got the issue.

This was due to openid_profile getting overridden for OAuth with superset.
So this is fixed as of now.
However, my second question still remains:

  • It seems there is no way, as of now, to map roles from the IDP to the App Server? Is this correct? Possibly need to override in the App Server?

Thank you

You can add an auth hook in your app that does additional logic. It extends Frappe auth.

Check this app: GitHub - castlecraft/cfe: Castlecraft Extensions for Frappe Framework based Resource Servers

It makes Frappe framework apps accept a token from any OAuth OIDC compatible provider and create/map the user. Microsoft and Google are working.

You can further extend it for role mapping. I didn’t do role mapping because every provider maps and names roles differently; some don’t even have roles, they have groups.

I’d recommend creating users and mapping roles with a system user API key or some whitelisted endpoint with secure communication with the user creator. For passwords you can keep very long random strings and forget them.

User creation is a separate async process, not triggered by social login key or token usage.

When a user logs in through a social login key they see the UI as per their role, no password needed.

In case of an auth hook, the user in the token will pick up appropriate roles and there is no need for a password there either.
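
One way to approach the role-mapping step discussed in this thread, as an added example that is not from the thread, from Frappe, or from the cfe app: plain Python that refuses a userinfo response without a verified e-mail (the condition behind the traceback above) and maps IdP roles or groups to local roles through an explicit allow-list. The claim names `roles` and `groups`, the `ROLE_MAP` entries and all function names are assumptions.

```python
# Added example: plain Python, no Frappe imports. Claim names and the mapping
# table are assumptions; adjust them to what your IdP actually sends.

# Hypothetical mapping: IdP role/group name -> role on the App Server.
ROLE_MAP = {
    "erp-sales": "Sales User",
    "erp-accounts": "Accounts User",
    "erp-admins": "System Manager",
}
# Roles that must never be granted from token claims alone.
PRIVILEGED = {"System Manager", "Administrator"}


class ClaimError(Exception):
    """Raised when the userinfo response cannot be trusted for login."""


def verified_email(info):
    """Return the e-mail only if the IdP sent it and marked it verified."""
    email = (info.get("email") or "").strip().lower()
    # Accept only a real boolean True; the string "false" is truthy in Python.
    if not email or info.get("email_verified") is not True:
        raise ClaimError("Email not verified")
    return email


def map_roles(info, allow_privileged=False):
    """Translate IdP roles/groups into local roles through an allow-list."""
    names = []
    for key in ("roles", "groups"):  # providers differ: some only send groups
        value = info.get(key) or []
        if not isinstance(value, (list, tuple)):
            value = [value]
        names.extend(v for v in value if isinstance(v, str))
    granted, ignored = set(), set()
    for name in names:
        local = ROLE_MAP.get(name)
        if local is None or (local in PRIVILEGED and not allow_privileged):
            ignored.add(name)  # unknown or privileged: log it, do not grant it
        else:
            granted.add(local)
    return sorted(granted), sorted(ignored)


# Constructed sample userinfo responses (not captured from a real server).
ONLY_OPENID = {"sub": "a1b2"}  # no email claims: the failing case above
FULL = {"sub": "a1b2", "email": "Jane@Example.com", "email_verified": True,
        "roles": ["erp-sales", "erp-admins"], "groups": "erp-unknown"}
```

The `ignored` list is worth writing to an audit log, since an unexpected privileged role name in a token is a signal to review the IdP configuration.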