kriss/client-oidc
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
7478dee246
client-oidc/app.py
Kriss 7478dee246 use dummy server
2024-06-25 18:53:25 +02:00

117 lines
3.7 KiB
Python
Raw Blame History

import requests
from authlib.integrations.base_client import OAuthError
from authlib.integrations.flask_client import OAuth
from flask import Flask, request, redirect, session, render_template, url_for, make_response
# TODO add client export json in project & git
app = Flask(__name__)
# TODO still useful ?
app.config['SECRET_KEY'] = 'onelogindemopytoolkit'
issuer="https://id.vilanet.fr/realms/vilanet"
client_id="client-oidc"
client_secret="BqWWnuj5JkgZZWEaXuR8bprEx53lqGxC"
# To manage OIDC flow for UI client
oauth = OAuth(app=app)
oauth.register(
name="keycloak",
client_id=client_id,
client_secret=client_secret,
server_metadata_url=f'{issuer}/.well-known/openid-configuration',
client_kwargs={
'scope': 'openid',
'code_challenge_method': 'S256',
}
)
@app.route("/api")
def api():
if 'accessToken' in request.cookies:
access_token = request.cookies['access_token']
print(access_token)
return make_response(redirect('http://localhost:5002/api?callbackUrl=http%3A%2F%2Flocalhost%3A5001'))
@app.route("/auth")
def auth():
try:
token_response = oauth.keycloak.authorize_access_token()
except OAuthError as e:
return redirect('/?error=access_denied')
response = make_response(redirect('/'))
access_token = token_response['access_token']
if access_token:
response.set_cookie('access_token', access_token, httponly=True)
refresh_token = token_response['refresh_token']
if refresh_token:
response.set_cookie('refresh_token', refresh_token, httponly=True)
id_token = token_response['id_token']
if id_token:
response.set_cookie('id_token', id_token, httponly=True)
if token_response['userinfo']:
session['name'] = token_response['userinfo']['name']
session['email'] = token_response['userinfo']['email']
return response
@app.route("/", methods=['GET', 'POST'])
def index():
attributes = False
paint_logout = False
not_auth_warn = False
user_name = False
user_email = False
if 'sso' in request.args:
redirect_uri = url_for('auth', _external=True)
return oauth.keycloak.authorize_redirect(redirect_uri)
elif 'slo' in request.args:
if 'refresh_token' in request.cookies:
# propagate logout to Keycloak
refresh_token = request.cookies['refresh_token']
requests.post(f'{issuer}/protocol/openid-connect/logout', data={
"client_id": client_id,
"client_secret": client_secret,
"refresh_token": refresh_token,
})
response = make_response(redirect('/'))
response.set_cookie('access_token', '', expires=0)
response.set_cookie('refresh_token', '', expires=0)
response.set_cookie('id_token', '', expires=0)
if 'name' in session:
del session['name']
if 'email' in session:
del session['email']
return response
elif 'error' in request.args:
not_auth_warn = True
# it is OK to use ID token to display user info on client side
# is it not OK to use access token on client side
if 'id_token' in request.cookies:
paint_logout = True
attributes = {'id_token': [request.cookies['id_token']]}.items()
if 'name' in session:
user_name = session['name']
if 'email' in session:
user_email = session['email']
return render_template(
'index.html',
attributes=attributes,
not_auth_warn=not_auth_warn,
paint_logout=paint_logout,
user_name=user_name,
user_email=user_email,
)
if __name__ == "__main__":
app.run(host='127.0.0.1', port=5001, debug=True)
Reference in New Issue View Git Blame Copy Permalink