client-oidc/app.py

import requests

from authlib.integrations.flask_client import OAuth
from flask import Flask, request, redirect, session, render_template, url_for

app = Flask(__name__)
app.config['SECRET_KEY'] = 'onelogindemopytoolkit'

issuer="https://id.vilanet.fr/realms/vilanet"
clientId="client-oidc"
clientSecret="BqWWnuj5JkgZZWEaXuR8bprEx53lqGxC"

oauth = OAuth(app=app)
oauth.register(
    name="keycloak",
    client_id=clientId,
    client_secret=clientSecret,
    server_metadata_url=f'{issuer}/.well-known/openid-configuration',
    client_kwargs={
        'scope': 'openid email profile',
        'code_challenge_method': 'S256',
    }
)


@app.route("/userinfo")
def userinfo():
    if not 'tokenResponse' in session:
        return "Unauthorized", 401
    tokenResponse = session['tokenResponse']
    access_token = tokenResponse['access_token']
    userInfoEndpoint = f'{issuer}/protocol/openid-connect/userinfo'
    userInfoResponse = requests.post(userInfoEndpoint,
                                     headers={'Authorization': f'Bearer {access_token}', 'Accept': 'application/json'})
    return userInfoResponse.text, 200


@app.route("/auth")
def auth():
    tokenResponse = oauth.keycloak.authorize_access_token()
    idToken = oauth.keycloak.parse_id_token(tokenResponse, None)
    if idToken:
        #session['tokenResponse'] = tokenResponse
        session['user'] = idToken
    return redirect('/')


@app.route("/", methods=['GET', 'POST'])
def index():
    attributes = False
    paint_logout = False
    if 'sso' in request.args:
        redirect_uri = url_for('auth', _external=True)
        return oauth.keycloak.authorize_redirect(redirect_uri)
    elif 'slo' in request.args:
        tokenResponse = session.get('tokenResponse')
        if tokenResponse is not None:
            # propagate logout to Keycloak
            refreshToken = tokenResponse['refresh_token']
            endSessionEndpoint = f'{issuer}/protocol/openid-connect/logout'
            requests.post(endSessionEndpoint, data={
                "client_id": clientId,
                "client_secret": clientSecret,
                "refresh_token": refreshToken,
            })
        session.pop('user', None)
        #session.pop('tokenResponse', None)
        return redirect('/')

    if 'user' in session:
        paint_logout = True
        strDict = {}
        for k in session['user']:
            strDict[k] = [ str(session['user'][k]) ]
        attributes = strDict.items()

    return render_template(
        'index.html',
        attributes=attributes,
        paint_logout=paint_logout
    )


if __name__ == "__main__":
    app.run(host='127.0.0.1', port=5001, debug=True)
first working version (only id token) 2024-06-20 10:12:05 +00:00			`import requests`

			`from authlib.integrations.flask_client import OAuth`
			`from flask import Flask, request, redirect, session, render_template, url_for`
empty server 2024-06-18 21:37:30 +00:00
			`app = Flask(__name__)`
			`app.config['SECRET_KEY'] = 'onelogindemopytoolkit'`

first working version (only id token) 2024-06-20 10:12:05 +00:00			`issuer="https://id.vilanet.fr/realms/vilanet"`
			`clientId="client-oidc"`
			`clientSecret="BqWWnuj5JkgZZWEaXuR8bprEx53lqGxC"`

			`oauth = OAuth(app=app)`
			`oauth.register(`
			`name="keycloak",`
			`client_id=clientId,`
			`client_secret=clientSecret,`
			`server_metadata_url=f'{issuer}/.well-known/openid-configuration',`
			`client_kwargs={`
			`'scope': 'openid email profile',`
			`'code_challenge_method': 'S256',`
			`}`
			`)`


			`@app.route("/userinfo")`
			`def userinfo():`
			`if not 'tokenResponse' in session:`
			`return "Unauthorized", 401`
			`tokenResponse = session['tokenResponse']`
			`access_token = tokenResponse['access_token']`
			`userInfoEndpoint = f'{issuer}/protocol/openid-connect/userinfo'`
			`userInfoResponse = requests.post(userInfoEndpoint,`
			`headers={'Authorization': f'Bearer {access_token}', 'Accept': 'application/json'})`
			`return userInfoResponse.text, 200`


			`@app.route("/auth")`
			`def auth():`
			`tokenResponse = oauth.keycloak.authorize_access_token()`
			`idToken = oauth.keycloak.parse_id_token(tokenResponse, None)`
			`if idToken:`
			`#session['tokenResponse'] = tokenResponse`
			`session['user'] = idToken`
			`return redirect('/')`


empty server 2024-06-18 21:37:30 +00:00			`@app.route("/", methods=['GET', 'POST'])`
			`def index():`
			`attributes = False`
			`paint_logout = False`
first working version (only id token) 2024-06-20 10:12:05 +00:00			`if 'sso' in request.args:`
			`redirect_uri = url_for('auth', _external=True)`
			`return oauth.keycloak.authorize_redirect(redirect_uri)`
			`elif 'slo' in request.args:`
			`tokenResponse = session.get('tokenResponse')`
			`if tokenResponse is not None:`
			`# propagate logout to Keycloak`
			`refreshToken = tokenResponse['refresh_token']`
			`endSessionEndpoint = f'{issuer}/protocol/openid-connect/logout'`
			`requests.post(endSessionEndpoint, data={`
			`"client_id": clientId,`
			`"client_secret": clientSecret,`
			`"refresh_token": refreshToken,`
			`})`
			`session.pop('user', None)`
			`#session.pop('tokenResponse', None)`
			`return redirect('/')`

			`if 'user' in session:`
			`paint_logout = True`
			`strDict = {}`
			`for k in session['user']:`
			`strDict[k] = [ str(session['user'][k]) ]`
			`attributes = strDict.items()`

empty server 2024-06-18 21:37:30 +00:00			`return render_template(`
			`'index.html',`
			`attributes=attributes,`
			`paint_logout=paint_logout`
			`)`


			`if __name__ == "__main__":`
			`app.run(host='127.0.0.1', port=5001, debug=True)`