diff --git a/app.py b/app.py
index bf71915..b87c86c 100644
--- a/app.py
+++ b/app.py
@@ -1,22 +1,81 @@
-from flask import Flask, render_template
+import requests
+
+from authlib.integrations.flask_client import OAuth
+from flask import Flask, request, redirect, session, render_template, url_for
app = Flask(__name__)
app.config['SECRET_KEY'] = 'onelogindemopytoolkit'
+issuer="https://id.vilanet.fr/realms/vilanet"
+clientId="client-oidc"
+clientSecret="BqWWnuj5JkgZZWEaXuR8bprEx53lqGxC"
+
+oauth = OAuth(app=app)
+oauth.register(
+ name="keycloak",
+ client_id=clientId,
+ client_secret=clientSecret,
+ server_metadata_url=f'{issuer}/.well-known/openid-configuration',
+ client_kwargs={
+ 'scope': 'openid email profile',
+ 'code_challenge_method': 'S256',
+ }
+)
+
+
+@app.route("/userinfo")
+def userinfo():
+ if not 'tokenResponse' in session:
+ return "Unauthorized", 401
+ tokenResponse = session['tokenResponse']
+ access_token = tokenResponse['access_token']
+ userInfoEndpoint = f'{issuer}/protocol/openid-connect/userinfo'
+ userInfoResponse = requests.post(userInfoEndpoint,
+ headers={'Authorization': f'Bearer {access_token}', 'Accept': 'application/json'})
+ return userInfoResponse.text, 200
+
+
+@app.route("/auth")
+def auth():
+ tokenResponse = oauth.keycloak.authorize_access_token()
+ idToken = oauth.keycloak.parse_id_token(tokenResponse, None)
+ if idToken:
+ #session['tokenResponse'] = tokenResponse
+ session['user'] = idToken
+ return redirect('/')
+
+
@app.route("/", methods=['GET', 'POST'])
def index():
- errors = []
- error_reason = None
- not_auth_warn = False
- success_slo = False
attributes = False
paint_logout = False
+ if 'sso' in request.args:
+ redirect_uri = url_for('auth', _external=True)
+ return oauth.keycloak.authorize_redirect(redirect_uri)
+ elif 'slo' in request.args:
+ tokenResponse = session.get('tokenResponse')
+ if tokenResponse is not None:
+ # propagate logout to Keycloak
+ refreshToken = tokenResponse['refresh_token']
+ endSessionEndpoint = f'{issuer}/protocol/openid-connect/logout'
+ requests.post(endSessionEndpoint, data={
+ "client_id": clientId,
+ "client_secret": clientSecret,
+ "refresh_token": refreshToken,
+ })
+ session.pop('user', None)
+ #session.pop('tokenResponse', None)
+ return redirect('/')
+
+ if 'user' in session:
+ paint_logout = True
+ strDict = {}
+ for k in session['user']:
+ strDict[k] = [ str(session['user'][k]) ]
+ attributes = strDict.items()
+
return render_template(
'index.html',
- errors=errors,
- error_reason=error_reason,
- not_auth_warn=not_auth_warn,
- success_slo=success_slo,
attributes=attributes,
paint_logout=paint_logout
)
diff --git a/templates/index.html b/templates/index.html
index 5eb54aa..7341bd3 100644
--- a/templates/index.html
+++ b/templates/index.html
@@ -2,28 +2,6 @@
{% block content %}
-{% if errors %}
-
-
Errors:
-
- {% for err in errors %}
- - {{err}}
- {% endfor %}
-
- {% if error_reason %}
-
{{error_reason}}
- {% endif %}
-
Not authenticated
-{% endif %}
-
-{% if success_slo %}
- Successfully logged out
-{% endif %}
-
{% if paint_logout %}
{% if attributes %}
You have the following attributes:
@@ -45,10 +23,10 @@
{% else %}
You don't have any attributes
{% endif %}
- Logout
+ Logout
{% else %}
- Login
+ Login
{% endif %}
-Metadata
+Userinfo
{% endblock %}
\ No newline at end of file