client-oidc/app.py

import requests

from authlib.integrations.base_client import OAuthError
from authlib.integrations.flask_client import OAuth

from flask import Flask, request, redirect, Response, session, render_template, url_for, make_response

# TODO add client export json in project & git


app = Flask(__name__)
# TODO still useful ?
app.config['SECRET_KEY'] = 'onelogindemopytoolkit'

issuer="https://id.vilanet.fr/realms/vilanet"
client_id="client-oidc"
client_secret="BqWWnuj5JkgZZWEaXuR8bprEx53lqGxC"

# To manage OIDC flow for UI client
oauth = OAuth(app=app)
oauth.register(
    name="keycloak",
    client_id=client_id,
    client_secret=client_secret,
    server_metadata_url=f'{issuer}/.well-known/openid-configuration',
    client_kwargs={
        'scope': 'openid',
        'code_challenge_method': 'S256',
    }
)


@app.route("/api")
def api():
    response = ''
    if 'access_token' in request.cookies:
        access_token = request.cookies['access_token']
        response = requests.get('http://localhost:5002/api?callbackUrl=http%3A%2F%2Flocalhost%3A5001', headers={'Authorization': f'Bearer {access_token}'})
    else:
        response = requests.get('http://localhost:5002/api?callbackUrl=http%3A%2F%2Flocalhost%3A5001')
    return Response(response=response.text, status=response.status_code, headers=dict(response.headers))


@app.route("/auth")
def auth():
    try:
        token_response = oauth.keycloak.authorize_access_token()
    except OAuthError as e:
        return redirect('/?error=access_denied')
    response = make_response(redirect('/'))
    access_token = token_response['access_token']
    if access_token:
        response.set_cookie('access_token', access_token, httponly=True)
    refresh_token = token_response['refresh_token']
    if refresh_token:
        response.set_cookie('refresh_token', refresh_token, httponly=True)
    id_token = token_response['id_token']
    if id_token:
        response.set_cookie('id_token', id_token, httponly=True)
    if token_response['userinfo']:
        session['name'] = token_response['userinfo']['name']
        session['email'] = token_response['userinfo']['email']
    return response


@app.route("/", methods=['GET', 'POST'])
def index():
    attributes = False
    paint_logout = False
    not_auth_warn = False
    user_name = False
    user_email = False
    if 'sso' in request.args:
        redirect_uri = url_for('auth', _external=True)
        return oauth.keycloak.authorize_redirect(redirect_uri)
    elif 'slo' in request.args:
        if 'refresh_token' in request.cookies:
            # propagate logout to Keycloak
            refresh_token = request.cookies['refresh_token']
            requests.post(f'{issuer}/protocol/openid-connect/logout', data={
                "client_id": client_id,
                "client_secret": client_secret,
                "refresh_token": refresh_token,
            })
        response = make_response(redirect('/'))
        response.set_cookie('access_token', '', expires=0)
        response.set_cookie('refresh_token', '', expires=0)
        response.set_cookie('id_token', '', expires=0)
        if 'name' in session:
            del session['name']
        if 'email' in session:
            del session['email']
        return response
    elif 'error' in request.args:
        not_auth_warn = True

    # it is OK to use ID token to display user info on client side
    # is it not OK to use access token on client side
    if 'id_token' in request.cookies:
        paint_logout = True
        attributes = {'id_token': [request.cookies['id_token']]}.items()

    if 'name' in session:
        user_name = session['name']

    if 'email' in session:
        user_email = session['email']

    return render_template(
        'index.html',
        attributes=attributes,
        not_auth_warn=not_auth_warn,
        paint_logout=paint_logout,
        user_name=user_name,
        user_email=user_email,
    )


if __name__ == "__main__":
    app.run(host='127.0.0.1', port=5001, debug=True)
first working version (only id token) 2024-06-20 10:12:05 +00:00			`import requests`

full version (only miss access token validation on API) 2024-06-22 21:47:30 +00:00			`from authlib.integrations.base_client import OAuthError`
first working version (only id token) 2024-06-20 10:12:05 +00:00			`from authlib.integrations.flask_client import OAuth`
full version (only miss access token validation on API) 2024-06-22 21:47:30 +00:00
access token through Authorization bearer 2024-06-25 21:47:06 +00:00			`from flask import Flask, request, redirect, Response, session, render_template, url_for, make_response`
empty server 2024-06-18 21:37:30 +00:00
remove useless file + add TODO 2024-06-24 16:56:08 +00:00			`# TODO add client export json in project & git`

access token verification on API endpoint 2024-06-24 06:45:08 +00:00
empty server 2024-06-18 21:37:30 +00:00			`app = Flask(__name__)`
remove useless file + add TODO 2024-06-24 16:56:08 +00:00			`# TODO still useful ?`
empty server 2024-06-18 21:37:30 +00:00			`app.config['SECRET_KEY'] = 'onelogindemopytoolkit'`

first working version (only id token) 2024-06-20 10:12:05 +00:00			`issuer="https://id.vilanet.fr/realms/vilanet"`
full version (only miss access token validation on API) 2024-06-22 21:47:30 +00:00			`client_id="client-oidc"`
			`client_secret="BqWWnuj5JkgZZWEaXuR8bprEx53lqGxC"`
first working version (only id token) 2024-06-20 10:12:05 +00:00
full version (only miss access token validation on API) 2024-06-22 21:47:30 +00:00			`# To manage OIDC flow for UI client`
first working version (only id token) 2024-06-20 10:12:05 +00:00			`oauth = OAuth(app=app)`
			`oauth.register(`
			`name="keycloak",`
full version (only miss access token validation on API) 2024-06-22 21:47:30 +00:00			`client_id=client_id,`
			`client_secret=client_secret,`
first working version (only id token) 2024-06-20 10:12:05 +00:00			`server_metadata_url=f'{issuer}/.well-known/openid-configuration',`
			`client_kwargs={`
full version (only miss access token validation on API) 2024-06-22 21:47:30 +00:00			`'scope': 'openid',`
first working version (only id token) 2024-06-20 10:12:05 +00:00			`'code_challenge_method': 'S256',`
			`}`
			`)`


full version (only miss access token validation on API) 2024-06-22 21:47:30 +00:00			`@app.route("/api")`
			`def api():`
access token through Authorization bearer 2024-06-25 21:47:06 +00:00			`response = ''`
			`if 'access_token' in request.cookies:`
use dummy server 2024-06-25 16:53:25 +00:00			`access_token = request.cookies['access_token']`
access token through Authorization bearer 2024-06-25 21:47:06 +00:00			`response = requests.get('http://localhost:5002/api?callbackUrl=http%3A%2F%2Flocalhost%3A5001', headers={'Authorization': f'Bearer {access_token}'})`
			`else:`
			`response = requests.get('http://localhost:5002/api?callbackUrl=http%3A%2F%2Flocalhost%3A5001')`
			`return Response(response=response.text, status=response.status_code, headers=dict(response.headers))`

first working version (only id token) 2024-06-20 10:12:05 +00:00
			`@app.route("/auth")`
			`def auth():`
full version (only miss access token validation on API) 2024-06-22 21:47:30 +00:00			`try:`
			`token_response = oauth.keycloak.authorize_access_token()`
			`except OAuthError as e:`
			`return redirect('/?error=access_denied')`
			`response = make_response(redirect('/'))`
			`access_token = token_response['access_token']`
			`if access_token:`
use dummy server 2024-06-25 16:53:25 +00:00			`response.set_cookie('access_token', access_token, httponly=True)`
full version (only miss access token validation on API) 2024-06-22 21:47:30 +00:00			`refresh_token = token_response['refresh_token']`
			`if refresh_token:`
use dummy server 2024-06-25 16:53:25 +00:00			`response.set_cookie('refresh_token', refresh_token, httponly=True)`
full version (only miss access token validation on API) 2024-06-22 21:47:30 +00:00			`id_token = token_response['id_token']`
			`if id_token:`
use dummy server 2024-06-25 16:53:25 +00:00			`response.set_cookie('id_token', id_token, httponly=True)`
full version (only miss access token validation on API) 2024-06-22 21:47:30 +00:00			`if token_response['userinfo']:`
			`session['name'] = token_response['userinfo']['name']`
			`session['email'] = token_response['userinfo']['email']`
			`return response`
first working version (only id token) 2024-06-20 10:12:05 +00:00

empty server 2024-06-18 21:37:30 +00:00			`@app.route("/", methods=['GET', 'POST'])`
			`def index():`
			`attributes = False`
			`paint_logout = False`
full version (only miss access token validation on API) 2024-06-22 21:47:30 +00:00			`not_auth_warn = False`
			`user_name = False`
			`user_email = False`
first working version (only id token) 2024-06-20 10:12:05 +00:00			`if 'sso' in request.args:`
			`redirect_uri = url_for('auth', _external=True)`
			`return oauth.keycloak.authorize_redirect(redirect_uri)`
			`elif 'slo' in request.args:`
full version (only miss access token validation on API) 2024-06-22 21:47:30 +00:00			`if 'refresh_token' in request.cookies:`
first working version (only id token) 2024-06-20 10:12:05 +00:00			`# propagate logout to Keycloak`
full version (only miss access token validation on API) 2024-06-22 21:47:30 +00:00			`refresh_token = request.cookies['refresh_token']`
			`requests.post(f'{issuer}/protocol/openid-connect/logout', data={`
			`"client_id": client_id,`
			`"client_secret": client_secret,`
			`"refresh_token": refresh_token,`
first working version (only id token) 2024-06-20 10:12:05 +00:00			`})`
full version (only miss access token validation on API) 2024-06-22 21:47:30 +00:00			`response = make_response(redirect('/'))`
use dummy server 2024-06-25 16:53:25 +00:00			`response.set_cookie('access_token', '', expires=0)`
			`response.set_cookie('refresh_token', '', expires=0)`
			`response.set_cookie('id_token', '', expires=0)`
access token verification on API endpoint 2024-06-24 06:45:08 +00:00			`if 'name' in session:`
			`del session['name']`
			`if 'email' in session:`
			`del session['email']`
full version (only miss access token validation on API) 2024-06-22 21:47:30 +00:00			`return response`
			`elif 'error' in request.args:`
			`not_auth_warn = True`
first working version (only id token) 2024-06-20 10:12:05 +00:00
full version (only miss access token validation on API) 2024-06-22 21:47:30 +00:00			`# it is OK to use ID token to display user info on client side`
			`# is it not OK to use access token on client side`
use dummy server 2024-06-25 16:53:25 +00:00			`if 'id_token' in request.cookies:`
first working version (only id token) 2024-06-20 10:12:05 +00:00			`paint_logout = True`
use dummy server 2024-06-25 16:53:25 +00:00			`attributes = {'id_token': [request.cookies['id_token']]}.items()`
full version (only miss access token validation on API) 2024-06-22 21:47:30 +00:00
			`if 'name' in session:`
			`user_name = session['name']`

			`if 'email' in session:`
			`user_email = session['email']`

empty server 2024-06-18 21:37:30 +00:00			`return render_template(`
			`'index.html',`
			`attributes=attributes,`
full version (only miss access token validation on API) 2024-06-22 21:47:30 +00:00			`not_auth_warn=not_auth_warn,`
			`paint_logout=paint_logout,`
			`user_name=user_name,`
			`user_email=user_email,`
empty server 2024-06-18 21:37:30 +00:00			`)`


			`if __name__ == "__main__":`
			`app.run(host='127.0.0.1', port=5001, debug=True)`