New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Feedback requested!] Proposal - Native authentication support for Streamlit #8518
Comments
I'm really excited about these features. Currently, I'm using Azure AD for login authentication and I'm managing user login by third party cookies manager and session state. With these feature, all of this can be done natively. st.user and st.cookie is much awaited feature for me. As you are also developing st.redirect, please add a parameter target='_self' or target='_blank' to redirect in the same page or in new tab. The current redirect APIs such as st.link_button and st.page_link don't have this parameter and they by default open the link in new tab. Also, they open the link only after clicking them. The st.redirct should redirect at the link without clicking it, same as st.page_switch. I hope to see these features very soon 😀😀 |
Would love support for ADFS/SSO auth so you don't have to stand up a whole separate endpoint in nginx just to get that one little thing. |
👍 |
Big +1. Bonus points if it's an extendable model, so the community can contribute standard auth providers, e.g. Google IAP, Microsoft Entra ID, etc. |
I have created exactly this my own with azure ad and azure ad to control parts based on azure groups RBAC model for pages and components (functions) . It's working as expected once ready will release it GitHub. I m new to python but community can make it beetter. How do I get to talk to streamlit to see how they can enhance it and release ? |
at a high-level sounds good. not supporting federated enterprise SSO is fine but please make sure you don't block using something like WorkOS, BoxyHQ etc. |
It would be better to break up this feature into 2 phases to implement phase 1: cookie or token based sessionstreamlit should support cookie/token based session, which would allow user to keep state when refresh or reopen url. phase 2: add auth supportimplement authentication based on the APIs implemented in phase 1. The phase 1 can be implemented very soon so that app developers can start to make use of it to solve their issues. |
Summary
We are investigating approaches to add native authentication support for Streamlit, as it is one of the top most requested community features. This is a rough proposal for how it might work, which is shared for your feedback.
Goals
Goal 1: Provide the building blocks for integrating more robust auth solutions including:
_get_websocket_headers()
st.cookie
, or other browser-persistent storage #861 )st.user
Goal 2: Provide an out-of-the-box native integration which covers the most common use cases, especially for developers getting started. To that end, we propose standardizing on OAuth2 & OpenID Connect as the natively supported protocols in Streamlit.
login()
/logout()
methods and the users verified email, OAuth2 token, and potentially other claims from a JWT readily available through a standard API (likely attributes onst.user
).Why OpenID Connect (OIDC)?
Non-goal: Replace the use of reverse proxy in higher security environments
We know this practice of running Streamlit behind an auth proxy and forwarding authenticated requests to the app is fairly common among Streamlit usage in bigger companies or those with higher security requirements. We want to build library features that make that easier to run (such as documented headers support) but not replace it or build extremely hardened security into Streamlit, since it isn't our expertise.
But, we think this proposal can still unblock many developers operating in somewhat lower stakes environments who experience a lot of friction today.
VERY ROUGH API sketch
Here's a very rough first idea of how the API might work for the built-in OIDC.
Once this is configured, you can call some standard methods in the app which will redirect to the appropriate OIDC flow. Streamlit will automatically expose an OAuth2 callback endpoint which handles the response from the identity provider.
In the case below, calling
login()
will simply redirect to the OAuth2 flow. When the user returns from the flow, their identity values will be available inst.user
. Callinglogout()
will clear the values fromst.user
in that session along with any browser cookies.Other authentication protocols
We know other protocols are used today, such as looking up a username / password in a database (e.g. Streamlit-Authenticator), or more complex delegated authentication schemes like SAML / LDAP. In some cases, the existing plugins / components for these can work pretty well. We'd like to provide some hooks to make them more consistent with the native support (maybe similar to
st.connection
), but it may not be in the initial launch.What do you think?
If this proposal and approach sounds good and meets your use case, please give a 👍 . Also, we'd love to hear any comments about what you like, don't like, or would change, or any use case you have which would not be supported. Thanks!!
The text was updated successfully, but these errors were encountered: