Being able to use oauth2 to authenticate running code?

[andaag]

I'm not sure if this is a documentation/feature request, I'm trying to figure out oauth2 to google cloud platform to fetch a secret inside of marimo wasm notebook. Is this currently possible?

As far as I can tell I'm required to add a redirect uri, I figured maybe I could get this working by redirecting back to my notebook with a variable to set an argument or something like that, but I can't figure that out and I'm not entirely clear on what's required! I could also probably do the oauth workflow in pyodide+javascript?

[mscolnick]

hey @andaag, we have a few internal examples of using oauth2 with notebooks.

For the most flexibility, you can follow this guide: https://docs.marimo.io/guides/deploying/programmatically/
This would put the marimo notebook behind a FastAPI application and you can use their OAuth2 middleware for authentication. Here is an article i found how to set that up: https://medium.com/@vivekpemawat/enabling-googleauth-for-fast-api-1c39415075ea.

It is also possible to set up OAuth2 creds as a Desktop App (instead of Web App), if your use-case fits that, which I don't think will require a redirect.

And doing something like:

from google_auth_oauthlib.flow import InstalledAppFlow
flow = InstalledAppFlow.from_client_secrets_file(
    "credentials.json", SCOPES
)
creds = flow.run_local_server(port=0)

[andaag]

we have a few internal examples of using oauth2 with notebooks.

The problem I had with most of these is that it isn't possible in wasm. Putting oauth2 before the notebook and managing auth from there is possible, but I was hoping to be able to get this working within a github hosted link that people can just run, and authenticate. Similar to how this works in jupyter with google auth for example. Where you can run a few lines and you get an "approve" button to continue.

It is also possible to set up OAuth2 creds as a Desktop App (instead of Web App), if your use-case fits that, which I don't think will require a redirect.

This is the path I was trying to go down, for desktop apps as well this says that redirect_uri is required (docs here ). Which is why I think a lot of these scripts set up a server on a random port locally in order to capture the redirect - but I can't imagine how that'd work inside of a wasm runner? 🤔 .

The main google auth library requires grpc, so I got stuck trying that, however google_auth_oauthlib does seem to be working without that, so I'll give that a try!

Thank you! Might take me until next week to be able to experiment here! (On a side note, extremely cool product 👍 )

[andaag]

My plan of delaying this until next week failed, I was too curious on whether or not I could get this to work. Unsurprisingly the run local server step does fail:

Traceback (most recent call last):
  File "/lib/python3.12/site-packages/marimo/_runtime/executor.py", line 141, in execute_cell
    exec(cell.body, glbls)
  Cell marimo://notebook.py#cell=cell-4, line 1, in <module>
    creds = flow.run_local_server(port=0)
            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/lib/python3.12/site-packages/google_auth_oauthlib/flow.py", line 432, in run_local_server
    local_server = wsgiref.simple_server.make_server(
                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/lib/python312.zip/wsgiref/simple_server.py", line 154, in make_server
    server = server_class((host, port), handler_class)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/lib/python312.zip/socketserver.py", line 458, in __init__
    self.server_activate()
  File "/lib/python312.zip/socketserver.py", line 482, in server_activate
    self.socket.listen(self.request_queue_size)
OSError: [Errno 138] Not supported

They had support for this with run_console before but that was removed

[mscolnick]

Oh sorry, i missed the wasm requirement from the beginning. Yea those libraries and snippets won't work - they do spin up a server.

I would probably put up a small proxy server in front of the wasm notebook instead of doing it inside the wasm notebook itself. It's more work, but it shareable and re-usable.