Access OAuth provider specific information

[davidbrochart]

I'd like to specify GitHub scopes to retrieve more information about a user, and in particular read:user in order to read a user's profile data, so I added read:user to the list of scopes for my GitHub OAuth provider in Fief.
But I guess I should allow that in GitHub's "account permissions" for the OAuth app? Unfortunately the only thing I found was "Profile", and I can only grant "Read and write", while I'd only want "Read".
Then I don't know how to access this user information from my server. Is it accessible from Fief's API or should I use the GitHub API?

[davidbrochart]

This looks useful: https://docs.github.com/en/rest/users/users?apiVersion=2022-11-28#get-the-authenticated-user

[davidbrochart]

Unfortunately I get a 401 with this:

async def foo(
    access_token_info: FiefAccessTokenInfo = Depends(auth.authenticated()),
):
    token = access_token_info["access_token"]
    async with httpx.AsyncClient() as client:
        headers = {
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
            "X-GitHub-Api-Version": "2022-11-28",
        }
        r = await client.get("https://api.github.com/user", headers=headers)

[frankie567]

Regarding the scopes, Fief will always by default ask for the scope user and user:email with GitHub. So you should already be covered to call https://api.github.com/user. Apparently, there is no specific permission to enable on the GitHub app settings, apart from "Email addresses" -> "Read-only".

---

Now, as to how to call the GitHub API. What you show here won't work because you try to use the Fief access token on GitHub, which doesn't recognize it.

However, Fief provides an Admin API so you can generate fresh access tokens from the connected OAuth Provider. You can read more about it here: https://docs.fief.dev/going-further/oauth-provider-token/

So basically:

1. Using the Admin API, you ask Fief to give you a valid GitHub access token
2. You call the GitHub API with this token

[davidbrochart]

1. Although it doesn't tell me which account was used to authenticate the user, right? So how would I go to populate my Fief user account with information from the OAuth provider?

[frankie567]

Well, as for now, a user can only have one associated OAuth Account, so the list is either empty or has one account.

In the general case, you can loop through all the accounts and look for the provider you're interested in. You have access to oauth_provider_id and a representation of the provider through oauth_provider, so you should be able to identify it quite easily.

[davidbrochart]

Well, as for now, a user can only have one associated OAuth Account, so the list is either empty or has one account.

OK, so it's currently easy.
But in the general case, I still don't see how I can for example query GitHub if the user used GitHub to authenticate, or query Google if they used Google. It seems I'm missing this information at runtime.

[frankie567]

Indeed, the callback doesn't give hints about the method used to authenticate. I'm not sure if it's something possible to add in an OpenID Connect flow.

That said, imagine we have a user who can use two OAuth Providers (say, GitHub and Google) to sign in (again, that's not possible currently with Fief). When you are in the callback, you look for their OAuth Account. It returns you two objects: one for GitHub, one for Google. Both are valid and can be used to retrieve data both from GitHub and Google. So, I would say that you can just loop through all the accounts and retrieve the information you need.

Another thing: when the user successfully signs in using an OAuth Provider, we update it with the latest access and refresh tokens in Fief's database. So, you can look for the most recent one based on updated_at: /admin/api/users/{USER_ID}/oauth-accounts?ordering=-updated_at ➡️ the first one in results list is the most recently updated

[davidbrochart]

the first one in results list is the most recently updated

I'll keep that in mind when Fief supports multiple OAuth providers per user, thanks!