full version (only miss access token validation on API)
This commit is contained in:
parent
92e6e65022
commit
e2db6cf56b
117
app.py
117
app.py
@ -1,83 +1,122 @@
|
||||
import requests
|
||||
|
||||
from authlib.integrations.base_client import OAuthError
|
||||
from authlib.integrations.flask_client import OAuth
|
||||
from flask import Flask, request, redirect, session, render_template, url_for
|
||||
|
||||
from flask import Flask, request, redirect, session, render_template, url_for, make_response
|
||||
|
||||
app = Flask(__name__)
|
||||
app.config['SECRET_KEY'] = 'onelogindemopytoolkit'
|
||||
|
||||
issuer="https://id.vilanet.fr/realms/vilanet"
|
||||
clientId="client-oidc"
|
||||
clientSecret="BqWWnuj5JkgZZWEaXuR8bprEx53lqGxC"
|
||||
client_id="client-oidc"
|
||||
client_secret="BqWWnuj5JkgZZWEaXuR8bprEx53lqGxC"
|
||||
|
||||
# To manage OIDC flow for UI client
|
||||
oauth = OAuth(app=app)
|
||||
oauth.register(
|
||||
name="keycloak",
|
||||
client_id=clientId,
|
||||
client_secret=clientSecret,
|
||||
client_id=client_id,
|
||||
client_secret=client_secret,
|
||||
server_metadata_url=f'{issuer}/.well-known/openid-configuration',
|
||||
client_kwargs={
|
||||
'scope': 'openid email profile',
|
||||
'scope': 'openid',
|
||||
'code_challenge_method': 'S256',
|
||||
}
|
||||
)
|
||||
|
||||
|
||||
@app.route("/userinfo")
|
||||
def userinfo():
|
||||
if not 'tokenResponse' in session:
|
||||
return "Unauthorized", 401
|
||||
tokenResponse = session['tokenResponse']
|
||||
access_token = tokenResponse['access_token']
|
||||
userInfoEndpoint = f'{issuer}/protocol/openid-connect/userinfo'
|
||||
userInfoResponse = requests.post(userInfoEndpoint,
|
||||
headers={'Authorization': f'Bearer {access_token}', 'Accept': 'application/json'})
|
||||
return userInfoResponse.text, 200
|
||||
@app.route("/api")
|
||||
def api():
|
||||
not_auth_warn = True
|
||||
# is it OK to use access token to check API authorization on server side
|
||||
# it is not OK to use ID token to check API authorization on server side
|
||||
if 'accessToken' in request.args:
|
||||
access_token = request.args['accessToken']
|
||||
#claims = oidcclient.validate_jwt(access_token)
|
||||
not_auth_warn = False
|
||||
# TODO verify token and check role
|
||||
return render_template(
|
||||
'api.html',
|
||||
not_auth_warn=not_auth_warn,
|
||||
)
|
||||
|
||||
|
||||
@app.route("/auth")
|
||||
def auth():
|
||||
tokenResponse = oauth.keycloak.authorize_access_token()
|
||||
idToken = oauth.keycloak.parse_id_token(tokenResponse, None)
|
||||
if idToken:
|
||||
#session['tokenResponse'] = tokenResponse
|
||||
session['user'] = idToken
|
||||
return redirect('/')
|
||||
try:
|
||||
token_response = oauth.keycloak.authorize_access_token()
|
||||
except OAuthError as e:
|
||||
return redirect('/?error=access_denied')
|
||||
response = make_response(redirect('/'))
|
||||
access_token = token_response['access_token']
|
||||
if access_token:
|
||||
response.set_cookie('accessToken', access_token, httponly=True)
|
||||
refresh_token = token_response['refresh_token']
|
||||
if refresh_token:
|
||||
response.set_cookie('refreshToken', refresh_token, httponly=True)
|
||||
id_token = token_response['id_token']
|
||||
if id_token:
|
||||
response.set_cookie('idToken', id_token, httponly=True)
|
||||
if token_response['userinfo']:
|
||||
session['name'] = token_response['userinfo']['name']
|
||||
session['email'] = token_response['userinfo']['email']
|
||||
return response
|
||||
|
||||
|
||||
@app.route("/", methods=['GET', 'POST'])
|
||||
def index():
|
||||
attributes = False
|
||||
access_token = False
|
||||
paint_logout = False
|
||||
not_auth_warn = False
|
||||
user_name = False
|
||||
user_email = False
|
||||
if 'sso' in request.args:
|
||||
redirect_uri = url_for('auth', _external=True)
|
||||
return oauth.keycloak.authorize_redirect(redirect_uri)
|
||||
elif 'slo' in request.args:
|
||||
tokenResponse = session.get('tokenResponse')
|
||||
if tokenResponse is not None:
|
||||
if 'refresh_token' in request.cookies:
|
||||
# propagate logout to Keycloak
|
||||
refreshToken = tokenResponse['refresh_token']
|
||||
endSessionEndpoint = f'{issuer}/protocol/openid-connect/logout'
|
||||
requests.post(endSessionEndpoint, data={
|
||||
"client_id": clientId,
|
||||
"client_secret": clientSecret,
|
||||
"refresh_token": refreshToken,
|
||||
refresh_token = request.cookies['refresh_token']
|
||||
requests.post(f'{issuer}/protocol/openid-connect/logout', data={
|
||||
"client_id": client_id,
|
||||
"client_secret": client_secret,
|
||||
"refresh_token": refresh_token,
|
||||
})
|
||||
session.pop('user', None)
|
||||
#session.pop('tokenResponse', None)
|
||||
return redirect('/')
|
||||
response = make_response(redirect('/'))
|
||||
response.set_cookie('accessToken', '', expires=0)
|
||||
response.set_cookie('refreshToken', '', expires=0)
|
||||
response.set_cookie('idToken', '', expires=0)
|
||||
del session['name']
|
||||
del session['email']
|
||||
return response
|
||||
elif 'error' in request.args:
|
||||
not_auth_warn = True
|
||||
|
||||
if 'user' in session:
|
||||
# it is OK to use ID token to display user info on client side
|
||||
# is it not OK to use access token on client side
|
||||
if 'idToken' in request.cookies:
|
||||
paint_logout = True
|
||||
strDict = {}
|
||||
for k in session['user']:
|
||||
strDict[k] = [ str(session['user'][k]) ]
|
||||
attributes = strDict.items()
|
||||
attributes = {'idToken': [request.cookies['idToken']]}.items()
|
||||
|
||||
if 'name' in session:
|
||||
user_name = session['name']
|
||||
|
||||
if 'email' in session:
|
||||
user_email = session['email']
|
||||
|
||||
if 'accessToken' in request.cookies:
|
||||
access_token = request.cookies['accessToken']
|
||||
|
||||
return render_template(
|
||||
'index.html',
|
||||
attributes=attributes,
|
||||
paint_logout=paint_logout
|
||||
access_token=access_token,
|
||||
not_auth_warn=not_auth_warn,
|
||||
paint_logout=paint_logout,
|
||||
user_name=user_name,
|
||||
user_email=user_email,
|
||||
)
|
||||
|
||||
|
||||
|
||||
@ -1,2 +1,2 @@
|
||||
authlib
|
||||
flask
|
||||
flask
|
||||
|
||||
12
templates/api.html
Normal file
12
templates/api.html
Normal file
@ -0,0 +1,12 @@
|
||||
{% extends "base.html" %}
|
||||
|
||||
{% block content %}
|
||||
|
||||
{% if not_auth_warn %}
|
||||
<div class="alert alert-danger" role="alert">Not authorized</div>
|
||||
{% else %}
|
||||
<p>The API content</p>
|
||||
{% endif %}
|
||||
<a href="/" class="btn btn-dark">Back</a>
|
||||
|
||||
{% endblock %}
|
||||
@ -2,6 +2,14 @@
|
||||
|
||||
{% block content %}
|
||||
|
||||
{% if not_auth_warn %}
|
||||
<div class="alert alert-danger" role="alert">Not authenticated</div>
|
||||
{% endif %}
|
||||
|
||||
{% if user_name and user_email %}
|
||||
<div class="alert alert-success" role="alert">Welcome {{ user_name }} ({{ user_email }}) !</div>
|
||||
{% endif %}
|
||||
|
||||
{% if paint_logout %}
|
||||
{% if attributes %}
|
||||
<p>You have the following attributes:</p>
|
||||
@ -27,6 +35,11 @@
|
||||
{% else %}
|
||||
<a href="?sso" class="btn btn-primary">Login</a>
|
||||
{% endif %}
|
||||
<a href="/userinfo" class="btn btn-info">Userinfo</a>
|
||||
|
||||
{% if access_token %}
|
||||
<a href="/api?accessToken={{ access_token }}" class="btn btn-secondary">Call protected API</a>
|
||||
{% else %}
|
||||
<a href="/api" class="btn btn-secondary">Call protected API</a>
|
||||
{% endif %}
|
||||
|
||||
{% endblock %}
|
||||
Loading…
Reference in New Issue
Block a user