kriss/client-oidc
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

clean & improvements

Browse Source
This commit is contained in:
Kriss 2024-06-26 20:10:40 +02:00
parent ea8100a764
commit 8675240084
4 changed files with 91 additions and 96 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

108
app.py
View File

@ -1,20 +1,28 @@
import urllib.parse
import jwt
import requests
from authlib.integrations.base_client import OAuthError
from authlib.integrations.flask_client import OAuth
from flask import Flask, request, redirect, Response, session, render_template, url_for, make_response
from flask import Flask, request, redirect, session, render_template, url_for, make_response
# TODO add client export json in project & git
app = Flask(__name__)
# TODO still useful ?
app.config['SECRET_KEY'] = 'onelogindemopytoolkit'
# key used to encore session cookie
app.config['SECRET_KEY'] = 'client-oidc'
issuer="https://id.vilanet.fr/realms/vilanet"
client_id="client-oidc"
client_secret="BqWWnuj5JkgZZWEaXuR8bprEx53lqGxC"
idp_url = "https://id.vilanet.fr/realms/vilanet"
client_url = "http://localhost:5001"
client_id = "client-oidc"
client_secret = "BqWWnuj5JkgZZWEaXuR8bprEx53lqGxC"
resource_server_url = 'http://localhost:5002'
# To manage OIDC flow for UI client
oauth = OAuth(app=app)
@ -22,23 +30,14 @@ oauth.register(
name="keycloak",
client_id=client_id,
client_secret=client_secret,
server_metadata_url=f'{issuer}/.well-known/openid-configuration',
client_kwargs={
'scope': 'openid',
'code_challenge_method': 'S256',
}
server_metadata_url=f'{idp_url}/.well-known/openid-configuration',
client_kwargs={'scope': 'openid', 'code_challenge_method': 'S256'}
)
@app.route("/api")
def api():
response = ''
if 'access_token' in request.cookies:
access_token = request.cookies['access_token']
response = requests.get('http://localhost:5002/api?callbackUrl=http%3A%2F%2Flocalhost%3A5001', headers={'Authorization': f'Bearer {access_token}'})
else:
response = requests.get('http://localhost:5002/api?callbackUrl=http%3A%2F%2Flocalhost%3A5001')
return Response(response=response.text, status=response.status_code, headers=dict(response.headers))
return make_response(redirect(resource_server_url + "/api?" + urllib.parse.urlencode({'callbackUrl': client_url})))
@app.route("/auth")
@ -46,30 +45,31 @@ def auth():
try:
token_response = oauth.keycloak.authorize_access_token()
except OAuthError as e:
return redirect('/?error=access_denied')
return redirect('/?' + urllib.parse.urlencode({'error': e}))
response = make_response(redirect('/'))
access_token = token_response['access_token']
if access_token:
response.set_cookie('access_token', access_token, httponly=True)
response.set_cookie('access_token', access_token, httponly=True, domain='localhost')
refresh_token = token_response['refresh_token']
if refresh_token:
response.set_cookie('refresh_token', refresh_token, httponly=True)
response.set_cookie('refresh_token', refresh_token, httponly=True, domain='localhost')
id_token = token_response['id_token']
if id_token:
response.set_cookie('id_token', id_token, httponly=True)
response.set_cookie('id_token', id_token, httponly=True, domain='localhost')
if token_response['userinfo']:
session['name'] = token_response['userinfo']['name']
session['email'] = token_response['userinfo']['email']
if 'name' in token_response['userinfo']:
session['userinfo_name'] = token_response['userinfo']['name']
if 'email' in token_response['userinfo']:
session['userinfo_email'] = token_response['userinfo']['email']
return response
@app.route("/", methods=['GET', 'POST'])
def index():
attributes = False
paint_logout = False
not_auth_warn = False
user_name = False
user_email = False
auth_error = False
userinfo_name = False
userinfo_email = False
token_data = False
if 'sso' in request.args:
redirect_uri = url_for('auth', _external=True)
return oauth.keycloak.authorize_redirect(redirect_uri)
@ -77,7 +77,7 @@ def index():
if 'refresh_token' in request.cookies:
# propagate logout to Keycloak
refresh_token = request.cookies['refresh_token']
requests.post(f'{issuer}/protocol/openid-connect/logout', data={
requests.post(f'{idp_url}/protocol/openid-connect/logout', data={
"client_id": client_id,
"client_secret": client_secret,
"refresh_token": refresh_token,
@ -86,33 +86,45 @@ def index():
response.set_cookie('access_token', '', expires=0)
response.set_cookie('refresh_token', '', expires=0)
response.set_cookie('id_token', '', expires=0)
if 'name' in session:
del session['name']
if 'email' in session:
del session['email']
if 'userinfo_name' in session:
del session['userinfo_name']
if 'userinfo_email' in session:
del session['userinfo_email']
return response
elif 'error' in request.args:
not_auth_warn = True
auth_error = request.args['error']
if 'userinfo_name' in session:
userinfo_name = session['userinfo_name']
if 'userinfo_email' in session:
userinfo_email = session['userinfo_email']
# it is OK to use ID token to display user info on client side
# is it not OK to use access token on client side
if 'id_token' in request.cookies:
paint_logout = True
attributes = {'id_token': [request.cookies['id_token']]}.items()
if 'name' in session:
user_name = session['name']
if 'email' in session:
user_email = session['email']
id_token = request.cookies['id_token']
jwks_uri = f"{idp_url}/protocol/openid-connect/certs"
jwks_client = jwt.PyJWKClient(jwks_uri)
key = jwks_client.get_signing_key_from_jwt(id_token)
try:
token_data = jwt.decode(
id_token,
key.key,
algorithms=["RS256"],
audience=client_id,
options={'verify_signature': False, 'verify_aud': True}
)
auth_error = False
except Exception as e:
auth_error = e
return render_template(
'index.html',
attributes=attributes,
not_auth_warn=not_auth_warn,
paint_logout=paint_logout,
user_name=user_name,
user_email=user_email,
auth_error=auth_error,
userinfo_name=userinfo_name,
userinfo_email=userinfo_email,
token_data=token_data,
)

5
requirements.txt
View File

@ -1,3 +1,6 @@
authlib
flask
requests
requests
urllib.parse
PyJWT
cryptography

12
templates/api.html
View File

@ -1,12 +0,0 @@
{% extends "base.html" %}
{% block content %}
{% if not_auth_warn %}
<div class="alert alert-danger" role="alert">Not authorized</div>
{% else %}
<p>The API content</p>
{% endif %}
<a href="/" class="btn btn-dark">Back</a>
{% endblock %}

62
templates/index.html
View File

@ -2,40 +2,32 @@
{% block content %}
{% if not_auth_warn %}
<div class="alert alert-danger" role="alert">Not authenticated</div>
{% endif %}
{% if auth_error %}
<div class="alert alert-danger" role="alert">Not authenticated: {{ auth_error }}</div>
{% else %}
{% if userinfo_name and userinfo_email %}
<div class="alert alert-success" role="alert">Welcome {{ userinfo_name }} ({{ userinfo_email }}) !</div>
{% endif %}
{% if token_data %}
<table class="table table-striped">
<thead>
<th>Name</th><th>Values</th>
</thead>
<tbody>
{% for key in token_data %}
<tr>
<td>{{ key }}</td>
<td>{{ token_data[key] }}</td>
</tr>
{% endfor %}
</tbody>
</table>
<a href="?slo" class="btn btn-danger">Logout</a>
{% else %}
<a href="?sso" class="btn btn-primary">Login</a>
{% endif %}
{% endif %}
{% if user_name and user_email %}
<div class="alert alert-success" role="alert">Welcome {{ user_name }} ({{ user_email }}) !</div>
{% endif %}
<a href="/api" class="btn btn-secondary">Call API</a>
{% if paint_logout %}
{% if attributes %}
<p>You have the following attributes:</p>
<table class="table table-striped">
<thead>
<th>Name</th><th>Values</th>
</thead>
<tbody>
{% for attr in attributes %}
<tr><td>{{ attr.0 }}</td>
<td><ul class="list-unstyled">
{% for val in attr.1 %}
<li>{{ val }}</li>
{% endfor %}
</ul></td></tr>
{% endfor %}
</tbody>
</table>
{% else %}
<div class="alert alert-danger" role="alert">You don't have any attributes</div>
{% endif %}
<a href="?slo" class="btn btn-danger">Logout</a>
{% else %}
<a href="?sso" class="btn btn-primary">Login</a>
{% endif %}
<a href="/api" class="btn btn-secondary">Call API</a>
{% endblock %}
{% endblock %}