first working version (only id token)

2024-06-20 12:12:05 +02:00 · 2024-06-20 12:12:05 +02:00 · 92e6e65022
commit 92e6e65022
parent e3bb5ebdcc
2 changed files with 71 additions and 34 deletions
--- a/app.py
+++ b/app.py
@ -1,22 +1,81 @@
-from flask import Flask, render_template
+import requests
+
+from authlib.integrations.flask_client import OAuth
+from flask import Flask, request, redirect, session, render_template, url_for

 app = Flask(__name__)
 app.config['SECRET_KEY'] = 'onelogindemopytoolkit'

+issuer="https://id.vilanet.fr/realms/vilanet"
+clientId="client-oidc"
+clientSecret="BqWWnuj5JkgZZWEaXuR8bprEx53lqGxC"
+
+oauth = OAuth(app=app)
+oauth.register(
+    name="keycloak",
+    client_id=clientId,
+    client_secret=clientSecret,
+    server_metadata_url=f'{issuer}/.well-known/openid-configuration',
+    client_kwargs={
+        'scope': 'openid email profile',
+        'code_challenge_method': 'S256',
+    }
+)
+
+
+@app.route("/userinfo")
+def userinfo():
+    if not 'tokenResponse' in session:
+        return "Unauthorized", 401
+    tokenResponse = session['tokenResponse']
+    access_token = tokenResponse['access_token']
+    userInfoEndpoint = f'{issuer}/protocol/openid-connect/userinfo'
+    userInfoResponse = requests.post(userInfoEndpoint,
+                                     headers={'Authorization': f'Bearer {access_token}', 'Accept': 'application/json'})
+    return userInfoResponse.text, 200
+
+
+@app.route("/auth")
+def auth():
+    tokenResponse = oauth.keycloak.authorize_access_token()
+    idToken = oauth.keycloak.parse_id_token(tokenResponse, None)
+    if idToken:
+        #session['tokenResponse'] = tokenResponse
+        session['user'] = idToken
+    return redirect('/')
+
+
@app.route("/", methods=['GET', 'POST'])
 def index():
-    errors = []
-    error_reason = None
-    not_auth_warn = False
-    success_slo = False
    attributes = False
    paint_logout = False
+    if 'sso' in request.args:
+        redirect_uri = url_for('auth', _external=True)
+        return oauth.keycloak.authorize_redirect(redirect_uri)
+    elif 'slo' in request.args:
+        tokenResponse = session.get('tokenResponse')
+        if tokenResponse is not None:
+            # propagate logout to Keycloak
+            refreshToken = tokenResponse['refresh_token']
+            endSessionEndpoint = f'{issuer}/protocol/openid-connect/logout'
+            requests.post(endSessionEndpoint, data={
+                "client_id": clientId,
+                "client_secret": clientSecret,
+                "refresh_token": refreshToken,
+            })
+        session.pop('user', None)
+        #session.pop('tokenResponse', None)
+        return redirect('/')
+
+    if 'user' in session:
+        paint_logout = True
+        strDict = {}
+        for k in session['user']:
+            strDict[k] = [ str(session['user'][k]) ]
+        attributes = strDict.items()
+
    return render_template(
        'index.html',
-        errors=errors,
-        error_reason=error_reason,
-        not_auth_warn=not_auth_warn,
-        success_slo=success_slo,
        attributes=attributes,
        paint_logout=paint_logout
    )
--- a/templates/index.html
+++ b/templates/index.html
@ -2,28 +2,6 @@

 {% block content %}

-{% if errors %}
-  <div class="alert alert-danger" role="alert">
-    <strong>Errors:</strong>
-    <ul class="list-unstyled">
-        {% for err in errors %}
-          <li>{{err}}</li>
-        {% endfor %}
-    </ul>
-    {% if error_reason %}
-        <span>{{error_reason}}</span>
-    {% endif %}
-  </div>
-{% endif %}
-
-{% if not_auth_warn %}
-  <div class="alert alert-danger" role="alert">Not authenticated</div>
-{% endif %}
-
-{% if success_slo %}
-  <div class="alert alert-success" role="alert">Successfully logged out</div>
-{% endif %}
-
 {% if paint_logout %}
  {% if attributes %}
    <p>You have the following attributes:</p>
@ -45,10 +23,10 @@
  {% else %}
    <div class="alert alert-danger" role="alert">You don't have any attributes</div>
  {% endif %}
-  <a href="/logout" class="btn btn-danger">Logout</a>
+  <a href="?slo" class="btn btn-danger">Logout</a>
 {% else %}
-  <a href="/login" class="btn btn-primary">Login</a>
+  <a href="?sso" class="btn btn-primary">Login</a>
 {% endif %}
-<a href="/metadata" class="btn btn-info">Metadata</a>
+<a href="/userinfo" class="btn btn-info">Userinfo</a>

 {% endblock %}