Streamlit's auth `redirect_uri` in dev vs prod on platforms without dynamic secret files support?

I’m deploying a Streamlit app on Railway and using the new st.login() auth (OIDC) feature.

  • I need different redirect_uri values in dev vs. production.
  • Streamlit currently requires redirect_uri in [auth] of secrets.toml, which always overrides environment variables.
  • Railway doesn’t support secrets files (.toml); it only supports environment variables.

Is the only option to script the generation of .streamlit/secrets.toml at deploy time? (Or handling two separate secret files?)

Feature request: Could Streamlit at least allow redirect_uri to come from an environment variable if it’s set, so we don’t have to maintain multiple secrets files or generate them on the fly? Allow st.login() to work with environment variables.

4 Likes

Definitely agree from a Kubernetes standpoint. Sticking with the msal-streamlit-authentication library until this is implemented. The alternative would be a wrapper script that builds this secrets.toml file on pod start, but that seems unnecessary.

I’d suggest taking this a step further and just allowing st.login() to work with environment variables instead of secrets.toml.

4 Likes

+1
This is also relevant for us; we are developing several Streamlit apps on our development server at the same time. Sometimes the port where the app runs changes because of this, depending on how many other apps are running in parallel.
(e.g. localhost:8501; localhost:8502; localhost:8503)

1 Like

+1
Facing the same issue. In my case I need to be able to use 2 different redirects, so I can log in locally on the server and still allow login when accessing the page from outside.
Back to msal-streamlit-authentication until this is addressed.

1 Like

I agree it would make things much easier if we could have the redirect_uri specified in separate sections; however, I have a decent workaround.

I’m using Docker. I changed my docker entry point from executing Streamlit Python directly as a module, to running a script that checks the platform with uname and copies a file (I already added to the docker image) to .streamlit/secrets.toml before I start Streamlit. I’m developing on my MacBook Air and deploying to a Windows desktop on the local network, hence the names of the toml files.

if [[ $(uname -a) =~ "arm64" ]];
then
  cp /app/.streamlit/mac.toml /app/.streamlit/secrets.toml;
else
  cp /app/.streamlit/windows.toml /app/.streamlit/secrets.toml;
fi

/app/venv/bin/python3 -m streamlit run dashboard.py

and here is the updated Docker entry point:

ENTRYPOINT ["/usr/bin/bash", "start.sh"]
#ENTRYPOINT ["venv/bin/python3", "-m", "streamlit", "run", "dashboard.py"]

I expect this could be applied to most ways of running Streamlit with modifications to the start.sh script if statement. Hope somebody finds this useful.
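
As an added example (not code from any poster in this thread, and not Streamlit's own), the deploy-time generation asked about in the question and mentioned in the Kubernetes and Docker replies could look like this in Python. The `AUTH_<KEY>` environment variable names are assumptions; the `[auth]` keys are the ones `st.login()` reads from secrets.toml.

```python
import os
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

# Streamlit [auth] keys; each is read from an assumed (hypothetical) env var AUTH_<KEY>.
AUTH_KEYS = ("redirect_uri", "cookie_secret", "client_id", "client_secret",
             "server_metadata_url")
LOCAL_HOSTS = ("localhost", "127.0.0.1", "::1")

def check_redirect_uri(uri):
    """Refuse callbacks over plain HTTP to non-local hosts or off the callback path."""
    parts = urlsplit(uri)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("redirect_uri must be an absolute http(s) URL")
    if parts.scheme == "http" and parts.hostname not in LOCAL_HOSTS:
        raise ValueError("plain http is only accepted for local development")
    if not parts.path.endswith("/oauth2callback") or parts.query or parts.fragment:
        raise ValueError("redirect_uri must end in /oauth2callback")

def toml_string(value):
    """Quote a value as a TOML basic string so it cannot add keys or tables."""
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        raise ValueError("control characters are not allowed in secret values")
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def render_auth_section(env):
    """Build the [auth] table; fail closed if any value is missing or unsafe."""
    names = {key: "AUTH_" + key.upper() for key in AUTH_KEYS}
    missing = [name for name in names.values() if not env.get(name)]
    if missing:
        raise ValueError("missing environment variables: " + ", ".join(missing))
    check_redirect_uri(env["AUTH_REDIRECT_URI"])
    body = [f"{key} = {toml_string(env[name])}" for key, name in names.items()]
    return "[auth]\n" + "\n".join(body) + "\n"

def write_secrets(env, path):
    """Write secrets.toml atomically; mkstemp creates the file with mode 0600."""
    content = render_auth_section(env)  # validate before touching the disk
    target = Path(path)
    target.parent.mkdir(parents=True, exist_ok=True)
    fd, tmp = tempfile.mkstemp(dir=target.parent)
    with os.fdopen(fd, "w", encoding="utf-8") as handle:
        handle.write(content)
    os.replace(tmp, target)
    return target

if __name__ == "__main__":
    write_secrets(os.environ, ".streamlit/secrets.toml")
```

Run it from the container entry point before starting Streamlit, so a bad or missing value stops the deploy instead of producing a half-configured login.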

Hi, it would be great to generate redirect_uri dynamically depending on the currently open page:

st.secrets.redirect_uri = get_current_page_url() + "/oauth2callback"