OAuth tabs access

arelo · September 14, 2021, 11:51am

I am hosting a dashboard with several tabs where users are authenticated with Azure Active Directory.

It works well in the sense that pn.state.user holds the identity of the user. Now, I want to give access to different users for each tab. As a first step I placed a check in the code that renders output based on parameters in each tab, like this:

class MyDashboard(param.Parameterized):
    ...

    def view(self):
        assert pn.state.user in users_with_access
        ...

The problem is, when a person is authenticated and opens a tab that he shouldn’t have access to, he can see the output that was generated by the previous user, with the parameter settings chosen by that previous user. The “assert pn.state.user in users_with_access” only runs when he changes the parameters, which is not how I intended it to work.

Is there any way to do an access check when a user enters a tab?

Marc · September 14, 2021, 12:15pm

It sound like you are running panel in some wrong way. How do you run the application. Is it with panel serve or pn.serve?

arelo · September 14, 2021, 12:19pm

I am using panel serve like this:

panel serve <path to dashboard.py> --port <port number> --allow-websocket-origin="*" --oauth- 
provider=azure --cookie-secret=<my cookie secret> --oauth-redirect-uri=<the redirect uri>

Marc · September 16, 2021, 5:18am

Could you share a minimum, reproducible code example? Its almost impossible to reproduce and help fix without it.

arelo · October 13, 2021, 9:04am

I was not able to share a minimum reproducible example with OAuth involved, but I figured out what the issue was. I was serving the same dashboard instances to different users. That is, my previous code was like this:

from dashboards import dashboard_1, dashboard_2
tabs = pn.Tabs(
    ("dashboard_1", dashboard_1),
    ("dashboard_2", dashboard_2)
)
tabs.servable()

The problem was that dashboard_1 and dashboard_2 were dashboard instances imported from a different module/.py file (it was no problem when they were created in the same module/.py file).

My solution was to import functions returning dashboard instances instead, like this:

from dashboards import make_dashboard_1, make_dashboard_2
tabs = pn.Tabs(
    ("dashboard_1", make_dashboard_1),
    ("dashboard_2", make_dashboard_2)
)
tabs.servable()