From 92e6e65022c291a51f0005cf95be5ed3b4694c40 Mon Sep 17 00:00:00 2001
From: kriss
Date: Thu, 20 Jun 2024 12:12:05 +0200
Subject: [PATCH] first working version (only id token)
---
 app.py | 77 ++++++++++++++++++++++++++++++++++++++------
 templates/index.html | 28 ++--------------
 2 files changed, 71 insertions(+), 34 deletions(-)
diff --git a/app.py b/app.py
index bf71915..b87c86c 100644
--- a/app.py
+++ b/app.py
@@ -1,22 +1,81 @@
-from flask import Flask, render_template
+import requests
+
+from authlib.integrations.flask_client import OAuth
+from flask import Flask, request, redirect, session, render_template, url_for
 app = Flask(__name__)
 app.config['SECRET_KEY'] = 'onelogindemopytoolkit'
+issuer="https://id.vilanet.fr/realms/vilanet"
+clientId="client-oidc"
+clientSecret="BqWWnuj5JkgZZWEaXuR8bprEx53lqGxC"
+
+oauth = OAuth(app=app)
+oauth.register(
+ name="keycloak",
+ client_id=clientId,
+ client_secret=clientSecret,
+ server_metadata_url=f'{issuer}/.well-known/openid-configuration',
+ client_kwargs={
+ 'scope': 'openid email profile',
+ 'code_challenge_method': 'S256',
+ }
+)
+
+
+@app.route("/userinfo")
+def userinfo():
+ if not 'tokenResponse' in session:
+ return "Unauthorized", 401
+ tokenResponse = session['tokenResponse']
+ access_token = tokenResponse['access_token']
+ userInfoEndpoint = f'{issuer}/protocol/openid-connect/userinfo'
+ userInfoResponse = requests.post(userInfoEndpoint,
+ headers={'Authorization': f'Bearer {access_token}', 'Accept': 'application/json'})
+ return userInfoResponse.text, 200
+
+
+@app.route("/auth")
+def auth():
+ tokenResponse = oauth.keycloak.authorize_access_token()
+ idToken = oauth.keycloak.parse_id_token(tokenResponse, None)
+ if idToken:
+ #session['tokenResponse'] = tokenResponse
+ session['user'] = idToken
+ return redirect('/')
+
+
 @app.route("/", methods=['GET', 'POST'])
 def index():
- errors = []
- error_reason = None
- not_auth_warn = False
- success_slo = False
 attributes = False
 paint_logout = False
+ if 'sso' in request.args:
+ redirect_uri = url_for('auth', _external=True)
+ return oauth.keycloak.authorize_redirect(redirect_uri)
+ elif 'slo' in request.args:
+ tokenResponse = session.get('tokenResponse')
+ if tokenResponse is not None:
+ # propagate logout to Keycloak
+ refreshToken = tokenResponse['refresh_token']
+ endSessionEndpoint = f'{issuer}/protocol/openid-connect/logout'
+ requests.post(endSessionEndpoint,
data={
+ "client_id": clientId,
+ "client_secret": clientSecret,
+ "refresh_token": refreshToken,
+ })
+ session.pop('user', None)
+ #session.pop('tokenResponse', None)
+ return redirect('/')
+
+ if 'user' in session:
+ paint_logout = True
+ strDict = {}
+ for k in session['user']:
+ strDict[k] = [ str(session['user'][k]) ]
+ attributes = strDict.items()
+
 return render_template(
 'index.html',
- errors=errors,
- error_reason=error_reason,
- not_auth_warn=not_auth_warn,
- success_slo=success_slo,
 attributes=attributes,
 paint_logout=paint_logout
 )
diff --git a/templates/index.html b/templates/index.html
index 5eb54aa..7341bd3 100644
--- a/templates/index.html
+++ b/templates/index.html
@@ -2,28 +2,6 @@ {% block content %} -{% if errors %} - -{% endif %} - -{% if not_auth_warn %} - -{% endif %} - -{% if success_slo %} - -{% endif %} - {% if paint_logout %} {% if attributes %}
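Review bot: `clientSecret="BqWWnuj5JkgZZWEaXuR8bprEx53lqGxC"` commits the confidential client's secret to version control, which leaks the credential to anyone with repository access regardless of whether the repo is public; the value should be treated as exposed and rotated in Keycloak, and the module should read it from the environment instead, e.g. `import os` at the top and `clientSecret = os.environ["KEYCLOAK_CLIENT_SECRET"]` (the pre-existing hard-coded `SECRET_KEY`, which signs the session cookie, has the same problem). In `auth()`, `authorize_access_token()` already validates the ID token against the nonce stored at `authorize_redirect` time and, on Authlib 1.x as far as I recall, exposes the claims as `tokenResponse['userinfo']`; the extra `parse_id_token(tokenResponse, None)` re-parses the token with the nonce check disabled, so using the already-validated claims avoids a second, weaker validation. Both outbound `requests.post` calls (in `userinfo()` and in the `slo` branch) pass no `timeout=` and never check the response status, so an unreachable or slow IdP ties up the request worker indefinitely and a failed logout propagation is silently ignored. Note also that `/userinfo` and the logout propagation both depend on `session['tokenResponse']`, which the commented-out line in `auth()` never sets, so they are dead paths in this revision; if that line is enabled later, Flask's default cookie session is signed but not encrypted, so the access and refresh tokens would be readable on the client side and a server-side session store would be the safer home for them.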

You have the following attributes:

@@ -45,10 +23,10 @@ {% else %} {% endif %} - Logout + Logout {% else %} - Login + Login {% endif %} -Metadata +Userinfo {% endblock %} \ No newline at end of file