Add support for extracting authentication params from www-authenticate header

Author: romaindup

fastapi_azure_auth/auth.py

@@ -165,7 +165,12 @@ async def __call__(self, request: HTTPConnection, security_scopes: SecurityScope
                 claims: dict[str, Any] = get_unverified_claims(access_token)
             except Exception as error:
                 log.warning('Malformed token received. %s. Error: %s', access_token, error, exc_info=True)
-                raise Unauthorized(detail='Invalid token format', request=request) from error
+                raise Unauthorized(
+                    detail='Invalid token format',
+                    client_id=self.app_client_id,
+                    authorization_url=self.authorization_url,
+                    request=request,
+                ) from error
 
             user_is_guest: bool = is_guest(claims=claims)
             if not self.allow_guest_users and user_is_guest:

fastapi_azure_auth/exceptions.py

@@ -25,11 +25,16 @@ def __init__(self, detail: str) -> None:
 class UnauthorizedHttp(HTTPException):
     """HTTP exception for authentication failures"""
 
-    def __init__(self, detail: str) -> None:
+    def __init__(self, detail: str, authorization_url: str | None = None, client_id: str | None = None) -> None:
+        header_value = 'Bearer'
+        if authorization_url:
+            header_value += f', authorization_uri="{authorization_url}"'
+        if client_id:
+            header_value += f', client_id="{client_id}"'
         super().__init__(
             status_code=status.HTTP_401_UNAUTHORIZED,
             detail={"error": "invalid_token", "message": detail},
-            headers={"WWW-Authenticate": "Bearer"},
+            headers={"WWW-Authenticate": header_value},
         )
 
 
@@ -103,10 +108,12 @@ def InvalidRequest(detail: str, request: HTTPConnection) -> InvalidRequestHttp |
     return InvalidRequestWebSocket(detail)
 
 
-def Unauthorized(detail: str, request: HTTPConnection) -> UnauthorizedHttp | UnauthorizedWebSocket:
+def Unauthorized(
+    detail: str, request: HTTPConnection, authorization_url: str | None = None, client_id: str | None = None
+) -> UnauthorizedHttp | UnauthorizedWebSocket:
     """Factory function for unauthorized exceptions"""
     if request.scope["type"] == "http":
-        return UnauthorizedHttp(detail)
+        return UnauthorizedHttp(detail, authorization_url, client_id)
     return UnauthorizedWebSocket(detail)
 
 

tests/single_tenant/test_single_tenant.py

@@ -316,3 +316,18 @@ async def test_change_of_keys_works(single_tenant_app, mock_openid_ok_then_empty
         'detail': {'error': 'invalid_token', 'message': 'Unable to verify token, no signing keys found'}
     }
     assert second_resonse.status_code == 401
+
+
+@pytest.mark.anyio
+async def test_authentication_params_from_header(single_tenant_app):
+    """
+    * Send request with "Authorization: Bearer"
+    * Validate response provides authorization uri and client id in header
+    """
+    async with AsyncClient(app=app, base_url='http://test', headers={'Authorization': 'Bearer'}) as ac:
+        response = await ac.get('api/v1/hello')
+    assert response.status_code == 401
+    assert (
+        response.headers['www-authenticate']
+        == 'Bearer, authorization_uri="https://login.microsoftonline.com/intility_tenant_id/oauth2/v2.0/authorize", client_id="oauth299-9999-9999-abcd-efghijkl1234567890"'
+    )