holoviz
diff --git a/‎doc/_static/images/logout_template.png‎
44.8 KB b/‎doc/_static/images/logout_template.png‎
44.8 KB
diff --git a/‎doc/how_to/authentication/index.md‎
Lines changed: 7 additions & 0 deletions b/‎doc/how_to/authentication/index.md‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎doc/how_to/authentication/templates.md‎
Lines changed: 66 additions & 0 deletions b/‎doc/how_to/authentication/templates.md‎
Lines changed: 66 additions & 0 deletions
diff --git a/‎panel/_templates/logout.html‎ b/‎panel/_templates/logout.html‎
@@ -36,6 +36,13 @@ Discover how to configure OAuth from the commandline.
 A list of OAuth providers and how to configure them.
 :::
 
+:::{grid-item-card} {octicon}`file;2.5em;sd-mr-1 sd-animate-grow50` Templates
+:link: templates
+:link-type: doc
+
+Discover how to configure error and logout templates to match the design of your application.
+:::
+
 :::{grid-item-card} {octicon}`person;2.5em;sd-mr-1 sd-animate-grow50` User Information
 :link: user_info
 :link-type: doc
 
@@ -0,0 +1,66 @@
+# Authentication Templates
+
+Authentication flows have multiple stages and in certain scenarios Panel has to serve pages that provide you with information when authentication has not succeeded or allow you the option of logging back into the application. Panel includes default templates for these cases, specifically it has:
+
+- Error Template: The template that is displayed if the authentication errored for any reason, e.g. the user was not authorized to access the application.
+- Logout Template: The template served when a user hits the `/logout` endpoint.
+
+Both templates use Jinja2 syntax to render certain variables.
+
+## Error Template
+
+The error template is used to display errors when authentication errored out. This can occur for any number of reasons, e.g. authentication is misconfigured or the user is not authorized to access the application.
+
+The template can be configured on the commandline using the `--oauth-error-template` option. The provided value must be a valid HTML file relative to the current working directory or an absolute path:
+
+```bash
+panel serve app.py ... --oauth-error-template error.html
+```
+
+When using `panel.serve` to dynamically serve the application you can configure the template with the `oauth_error_template` argument:
+
+```python
+pn.serve(..., oauth_error_template='error.html')
+```
+
+The error template may be a completely static file or use Jinja2 templating syntax with the following variables:
+
+`npm_cdn`
+: The CDN to load NPM resources from.
+
+`title`
+: The HTML page title.
+
+`error_type`
+: The type of error being raised.
+
+`error`
+: A short description of the error.
+
+`error_msg`
+: The full error message providing additional context.
+
+## Logout Template
+
+The logout template is rendered when a user hits the `/logout` endpoint with authentication enabled. It is meant to be a simple static page that confirms that the logout process was completed and optionally allows the user to log back in.
+
+The default template looks like this:
+
+![Basic Auth Login Form](../../_static/images/logout_template.png)
+
+The template can be configured on the commandline using the `--logout-template` option. The provided value must be a valid HTML file relative to the current working directory or an absolute path:
+
+```bash
+panel serve app.py ... --logout-template logout.html
+```
+
+When using `panel.serve` to dynamically serve the application you can configure the template with the `logout_template` argument:
+
+```python
+pn.serve(..., logout_template=logout.html')
+```
+
+The template may be a completely static HTML file or use Jinja2 templating syntax with the following variables being provided:
+
+`PANEL_CDN`
+: The URL of the CDN (or local path) that Panel resources will be loaded from.
@@ -0,0 +1,93 @@
+<!-- Uses the template from https://github.com/bokeh/bokeh/tree/branch-3.2/examples/server/app/server_auth -->
+<!DOCTYPE html>
+<html>
+<head>
+    <meta charset="utf-8">
+    <meta content="width=device-width, initial-scale=1.0" name="viewport">
+    <meta content="en" name="docsearch:language">
+    <title>Panel App | Logout</title>
+    <link rel="icon" type="image/x-icon" href="{{ PANEL_CDN }}images/favicon.ico">
+    <style>
+    * {
+      box-sizing: border-box;
+      margin:0;
+      padding: 0;
+    }
+    html {
+      height: 100%;
+    }
+    body {
+      font-family: 'Segoe UI', sans-serif;;
+      font-size: 1em;
+      height: 100%;
+      line-height: 1.6;
+    }
+    p {
+      padding-bottom: 5px;
+    }
+    .wrap {
+      align-items: center;
+      background: #fafafa;
+      display: flex;
+      height: 100%;
+      justify-content: center;
+      width: 100%;
+    }
+    .login-form {
+      background: #ffffff;
+      border: 1px solid #ddd;
+      margin: 0 auto;
+      padding: 2em;
+      width: 350px;
+    }
+    .form-input {
+      background: #fafafa;
+      border: 1px solid #eeeeee;
+      padding: 12px;
+      width: 100%;
+    }
+    .form-group {
+      margin: 1em 0;
+    }
+    .form-button {
+      background: #107bba;
+      border: 1px solid #ddd;
+      color: #ffffff;
+      padding: 10px;
+      text-transform: uppercase;
+      width: 100%;
+    }
+    .form-button:hover {
+      background: #0072b5;
+    }
+    .form-header {
+      text-align: center;
+    }
+    .form-footer {
+      text-align: center;
+    }
+    #logo {
+      margin-top: 2em;
+    }
+    #error-message {
+      text-align: center;
+      margin-bottom: 0em;
+    }
+    </style>
+</head>
+<body>
+  <div class="wrap">
+    <form class="login-form" action="./login" method="get">
+      <div class="form-header">
+        <h3><img id="logo" src="{{ PANEL_CDN }}images/logo_stacked.png" width="150" height="120"></h3>
+        <br>
+        <p> Successfully logged out.</p>
+      </div>
+      <div class="form-group">
+        <button class="form-button" type="submit">Login</button>
+      </div>
+      <div><small></small></div>
+    </form>
+  </div>
+</body>
+</html>
@@ -19,7 +19,7 @@
 from .entry_points import entry_points_for
 from .io import state
 from .io.resources import (
-    BASIC_LOGIN_TEMPLATE, CDN_DIST, ERROR_TEMPLATE, _env,
+    BASIC_LOGIN_TEMPLATE, CDN_DIST, ERROR_TEMPLATE, LOGOUT_TEMPLATE, _env,
 )
 from .util import base64url_decode, base64url_encode
 
@@ -236,7 +236,7 @@ def set_state_cookie(self, state):
         )
 
     def get_state(self):
-        next_url = original_next_url = self.get_argument('next', None)
+        next_url = original_next_url = self.get_argument('next', self.request.uri.replace('/login', ''))
         if next_url:
             # avoid browsers treating \ as /
             next_url = next_url.replace('\\', urlparse.quote('\\'))
@@ -251,7 +251,7 @@ def get_state(self):
                     "Ignoring next_url %r, using %r", original_next_url, next_url
                 )
         return _serialize_state(
-            {'state_id': uuid.uuid4().hex, 'next_url': next_url}
+            {'state_id': uuid.uuid4().hex, 'next_url': next_url or '/'}
         )
 
     async def get(self):
@@ -267,6 +267,7 @@ async def get(self):
             'redirect_uri': redirect_uri,
             'client_id':    config.oauth_key,
         }
+
         # Some OAuth2 backends do not correctly return code
         next_arg = self.get_argument('next', {})
         if next_arg:
@@ -780,22 +781,30 @@ class GoogleLoginHandler(OAuthIDTokenLoginHandler, OAuth2Mixin):
 
 class LogoutHandler(tornado.web.RequestHandler):
 
+    _logout_handler = LOGOUT_TEMPLATE
+
     def get(self):
         self.clear_cookie("user")
         self.clear_cookie("id_token")
         self.clear_cookie("access_token")
         self.clear_cookie(STATE_COOKIE_NAME)
-        self.redirect(self.request.uri.replace('/logout', '/login'))
+        html = self._logout_template.render(PANEL_CDN=CDN_DIST)
+        self.write(html)
 
 
 class OAuthProvider(AuthProvider):
 
-    def __init__(self, error_template=None):
+    def __init__(self, error_template=None, logout_template=None):
         if error_template is None:
             self._error_template = ERROR_TEMPLATE
         else:
             with open(error_template) as f:
                 self._error_template = _env.from_string(f.read())
+        if logout_template is None:
+            self._logout_template = LOGOUT_TEMPLATE
+        else:
+            with open(logout_template) as f:
+                self._logout_template = _env.from_string(f.read())
         super().__init__()
 
     @property
@@ -806,10 +815,7 @@ def get_user(request_handler):
 
     @property
     def login_url(self):
-        if config.oauth_redirect_uri is None:
-            return '/login'
-        else:
-            return urlparse.urlparse(config.oauth_redirect_uri).path + '/login'
+        return '/login'
 
     @property
     def login_handler(self):
@@ -824,6 +830,8 @@ def logout_url(self):
 
     @property
     def logout_handler(self):
+        if self._logout_template:
+            LogoutHandler._logout_template = self._logout_template
         return LogoutHandler
 
 
@@ -886,13 +894,13 @@ def set_current_user(self, user):
 
 class BasicProvider(OAuthProvider):
 
-    def __init__(self, basic_login_template=None):
+    def __init__(self, basic_login_template=None, logout_template=None):
         if basic_login_template is None:
             self._basic_login_template = BASIC_LOGIN_TEMPLATE
         else:
             with open(basic_login_template) as f:
                 self._basic_login_template = _env.from_string(f.read())
-        super().__init__()
+        super().__init__(logout_template=logout_template)
 
     @property
     def login_url(self):
 
@@ -148,6 +148,11 @@ class Serve(_BkServe):
             type    = str,
             help    = "Template to serve when user is unauthenticated."
         )),
+        ('--logout-template', dict(
+            action  = 'store',
+            type    = str,
+            help    = "Template to serve logout page."
+        )),
         ('--basic-login-template', dict(
             action  = 'store',
             type    = str,
@@ -425,6 +430,12 @@ def customize_kwargs(self, args, server_kwargs):
                 )
             config.auth_template = str(authpath.absolute())
 
+
+        if args.logout_template:
+            logout_template = str(pathlib.Path(args.logout_template).absolute())
+        else:
+            logout_template = None
+
         if args.basic_auth and config.basic_auth:
             raise ValueError(
                 "Turn on Basic authentication using environment variable "
@@ -443,8 +454,10 @@ def customize_kwargs(self, args, server_kwargs):
                     )
             else:
                 basic_login_template = None
+
             kwargs['auth_provider'] = BasicProvider(
-                basic_login_template=basic_login_template
+                basic_login_template=basic_login_template,
+                logout_template=logout_template
             )
 
         if args.cookie_secret and config.cookie_secret:
@@ -554,7 +567,10 @@ def customize_kwargs(self, args, server_kwargs):
                 error_template = config.auth_template
             else:
                 error_template = None
-            kwargs['auth_provider'] = OAuthProvider(error_template=error_template)
+
+            kwargs['auth_provider'] = OAuthProvider(
+                error_template=error_template, logout_template=logout_template
+            )
 
             if args.oauth_redirect_uri and config.oauth_redirect_uri:
                 raise ValueError(
 
@@ -83,6 +83,7 @@ def conffilter(value):
 INDEX_TEMPLATE = _env.get_template('convert_index.html')
 BASE_TEMPLATE = _env.get_template('base.html')
 ERROR_TEMPLATE = _env.get_template('error.html')
+LOGOUT_TEMPLATE = _env.get_template('logout.html')
 BASIC_LOGIN_TEMPLATE = _env.get_template('basic_login.html')
 DEFAULT_TITLE = "Panel Application"
 JS_RESOURCES = _env.get_template('js_resources.html')
 
@@ -982,8 +982,10 @@ def get_server(
     oauth_secret: Optional[str] = None,
     oauth_redirect_uri: Optional[str] = None,
     oauth_extra_params: Mapping[str, str] = {},
+    oauth_error_template: Optional[str] = None,
     cookie_secret: Optional[str] = None,
     oauth_encryption_key: Optional[str] = None,
+    logout_template: Optional[str] = None,
     session_history: Optional[int] = None,
     **kwargs
 ) -> Server:
@@ -1038,11 +1040,16 @@ def get_server(
       Overrides the default OAuth redirect URI
     oauth_extra_params: dict (optional, default={})
       Additional information for the OAuth provider
+    oauth_error_template: str (optional, default=None)
+      Jinja2 template used when displaying authentication errors.
     cookie_secret: str (optional, default=None)
       A random secret string to sign cookies (required for OAuth)
     oauth_encryption_key: str (optional, default=False)
       A random encryption key used for encrypting OAuth user
       information and access tokens.
+    logout_template: str (optional, default=None)
+      Jinja2 template served when viewing the logout endpoint when
+      authentication is enabled.
     session_history: int (optional, default=None)
       The amount of session history to accumulate. If set to non-zero
       and non-None value will launch a REST endpoint at
@@ -1151,11 +1158,17 @@ def get_server(
         from ..auth import BasicProvider
         server_config['basic_auth'] = basic_auth
         basic_login_template = kwargs.pop('basic_login_template', None)
-        opts['auth_provider'] = BasicProvider(basic_login_template)
+        opts['auth_provider'] = BasicProvider(
+            basic_login_template,
+            logout_template=logout_template
+        )
     elif oauth_provider:
         from ..auth import OAuthProvider
         config.oauth_provider = oauth_provider # type: ignore
-        opts['auth_provider'] = OAuthProvider()
+        opts['auth_provider'] = OAuthProvider(
+            error_template=oauth_error_template,
+            logout_template=logout_template
+        )
     if oauth_key:
         config.oauth_key = oauth_key # type: ignore
     if oauth_secret: