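"""Minimal Flask front end that signs a user in against Keycloak over OIDC.

Routes:
    /      index page; ``?sso`` starts the login, ``?slo`` logs out and
           ``?error`` renders the "not authenticated" warning.
    /auth  redirect URI the identity provider calls back with the code.
    /api   placeholder hand-off to the API component on port 5002.
"""
import os

import requests
from authlib.integrations.base_client import OAuthError
from authlib.integrations.flask_client import OAuth
from flask import (
    Flask,
    make_response,
    redirect,
    render_template,
    request,
    session,
    url_for,
)

# TODO add client export json in project & git
app = Flask(__name__)

# Session signing key.  The literal is the original demo default; an
# environment value takes precedence so real deployments do not ship it.
# TODO still useful ?
app.config['SECRET_KEY'] = os.environ.get('FLASK_SECRET_KEY', 'onelogindemopytoolkit')

issuer = "https://id.vilanet.fr/realms/vilanet"
client_id = "client-oidc"
# A confidential-client secret should not live in source control.  The
# environment value wins; the literal only preserves the demo's behaviour.
client_secret = os.environ.get('OIDC_CLIENT_SECRET', "BqWWnuj5JkgZZWEaXuR8bprEx53lqGxC")

# Cookie names that carry the OIDC tokens between requests (they match the
# keys of the token endpoint response, which is what auth() relies on).
TOKEN_COOKIES = ('access_token', 'refresh_token', 'id_token')

# Attributes shared by every token cookie.  ``httponly`` keeps the tokens
# away from page scripts; ``samesite='Lax'`` still lets the top-level
# redirect back from the IdP carry them.  ``secure`` defaults to off because
# app.run() below serves plain http and a Secure cookie would be dropped;
# set COOKIE_SECURE=1 when the app is served over TLS.
COOKIE_KWARGS = {
    'httponly': True,
    'samesite': 'Lax',
    'secure': os.environ.get('COOKIE_SECURE', '') == '1',
}

# Upper bound for the back-channel logout call so a slow IdP cannot hang a
# request indefinitely (requests has no default timeout).
LOGOUT_TIMEOUT_SECONDS = 5

# To manage OIDC flow for UI client
oauth = OAuth(app=app)
oauth.register(
    name="keycloak",
    client_id=client_id,
    client_secret=client_secret,
    server_metadata_url=f'{issuer}/.well-known/openid-configuration',
    client_kwargs={
        'scope': 'openid',
        'code_challenge_method': 'S256',
    },
)


@app.route("/api")
def api():
    """Forward the browser to the API component.

    The previous version tested for an ``accessToken`` cookie and then read
    ``access_token``, so the branch was either dead or a KeyError, and it
    printed the bearer token to stdout.  The token is deliberately not read
    or logged here any more: a bearer token in process output is a
    credential leak, and the hand-off below does not need it.
    """
    return make_response(
        redirect('http://localhost:5002/api?callbackUrl=http%3A%2F%2Flocalhost%3A5001')
    )


@app.route("/auth")
def auth():
    """OIDC redirect URI: exchange the authorization code for tokens.

    Stores each token the IdP returned in an HttpOnly cookie and the user's
    display name and e-mail in the Flask session, then sends the browser
    back to ``/``.  An OAuthError (denied consent, bad state, ...) redirects
    to ``/?error=access_denied`` instead of surfacing a 500.
    """
    try:
        token_response = oauth.keycloak.authorize_access_token()
    except OAuthError:
        return redirect('/?error=access_denied')

    response = make_response(redirect('/'))
    # ``.get`` rather than ``[]``: a token endpoint is not required to return
    # a refresh or id token for every client, and a missing key was a 500.
    for cookie_name in TOKEN_COOKIES:
        token_value = token_response.get(cookie_name)
        if token_value:
            response.set_cookie(cookie_name, token_value, **COOKIE_KWARGS)

    userinfo = token_response.get('userinfo') or {}
    for claim in ('name', 'email'):
        if userinfo.get(claim):
            session[claim] = userinfo[claim]
    return response


@app.route("/", methods=['GET', 'POST'])
def index():
    """Landing page plus the login and logout entry points.

    Query parameters select the action:
        sso    start the authorization-code flow at Keycloak.
        slo    log out: revoke the refresh token at Keycloak (best effort),
               clear the token cookies and the session, return to ``/``.
        error  render the page with the "not authenticated" warning.
    Without any of them the page shows whatever identity the ``id_token``
    cookie and the session currently hold.
    """
    if 'sso' in request.args:
        redirect_uri = url_for('auth', _external=True)
        return oauth.keycloak.authorize_redirect(redirect_uri)

    if 'slo' in request.args:
        return _logout()

    not_auth_warn = 'error' in request.args

    # it is OK to use ID token to display user info on client side
    # is it not OK to use access token on client side
    attributes = False
    paint_logout = False
    if 'id_token' in request.cookies:
        paint_logout = True
        attributes = {'id_token': [request.cookies['id_token']]}.items()

    # The template expects False (not None) when no identity is known.
    user_name = session.get('name', False)
    user_email = session.get('email', False)

    return render_template(
        'index.html',
        attributes=attributes,
        not_auth_warn=not_auth_warn,
        paint_logout=paint_logout,
        user_name=user_name,
        user_email=user_email,
    )


def _logout():
    """Revoke the refresh token at Keycloak, then clear all local state.

    Returns a redirect to ``/`` with the token cookies expired and the
    session identity removed.  The IdP call is best effort: the local
    logout must still complete when Keycloak is down or rejects the token,
    otherwise the user would be left signed in with stale cookies.
    """
    refresh_token = request.cookies.get('refresh_token')
    if refresh_token:
        # propagate logout to Keycloak
        try:
            requests.post(
                f'{issuer}/protocol/openid-connect/logout',
                data={
                    "client_id": client_id,
                    "client_secret": client_secret,
                    "refresh_token": refresh_token,
                },
                timeout=LOGOUT_TIMEOUT_SECONDS,
            ).raise_for_status()
        except requests.RequestException as exc:
            # Report only; never log the token itself.
            app.logger.warning("Keycloak back-channel logout failed: %s", exc)

    response = make_response(redirect('/'))
    for cookie_name in TOKEN_COOKIES:
        response.delete_cookie(cookie_name)
    session.pop('name', None)
    session.pop('email', None)
    return response


if __name__ == "__main__":
    # debug=True enables the Werkzeug interactive debugger, which allows code
    # execution from the browser; it is acceptable only because the server is
    # bound to the loopback address.  Do not combine it with host='0.0.0.0'.
    app.run(host='127.0.0.1', port=5001, debug=True)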