full oidc example with autoconfiguration #222

Merged: 1 commit, Jan 14, 2019

@styk-tv (Contributor) commented Jan 14, 2019

I was able to use flask-jwt-extended with tokens issued by Red Hat's Keycloak. This example retrieves the OIDC .well-known/openid-configuration for the purpose of assembling an RSA public key to validate the signature of the token.

It honestly took me a few months to learn how to do this. I am hoping that by adding this example to flask-jwt-extended others can be saved that pain.

This example follows the 4 basic OIDC configuration input parameters used by places like OpenAPI https://swagger.io/docs/specification/authentication/openid-connect-discovery/ (not implemented for Python) or Kubernetes https://kubernetes.io/docs/reference/access-authn-authz/authentication/ (mostly for reference), to name a few.

The parameters below are documented in the code example:

    OIDC_ISSUER_URL = 'https://my-identity-server.example/auth/realms/master'
    OIDC_CLIENT_ID = 'example.my-identity-server'
    OIDC_USERNAME_CLAIM = 'email'
    OIDC_GROUPS_CLAIM = 'groups'

I have included endpoints for anonymous, token_protected and group_protected examples. This can obviously be extended further. With identity servers such as Keycloak https://www.keycloak.org/ that can be spun up as a Docker container https://hub.docker.com/r/jboss/keycloak/ or into Kubernetes Helm Charts https://github.com/helm/charts/tree/master/stable/keycloak this addition makes the added features really attractive on a microservice role(group)-based-access-control level.

@pep8speaks

Hello @styk-tv! Thanks for submitting the PR.

Line 20:91: E501 line too long (132 > 90 characters)
Line 21:91: E501 line too long (138 > 90 characters)
Line 33:91: E501 line too long (138 > 90 characters)
Line 34:91: E501 line too long (126 > 90 characters)
Line 35:91: E501 line too long (126 > 90 characters)
Line 36:91: E501 line too long (148 > 90 characters)
Line 70:91: E501 line too long (101 > 90 characters)
Line 81:91: E501 line too long (109 > 90 characters)
Line 86:91: E501 line too long (92 > 90 characters)
Line 89:91: E501 line too long (110 > 90 characters)
Line 110:91: E501 line too long (108 > 90 characters)
Line 127:91: E501 line too long (126 > 90 characters)
Line 137:1: W391 blank line at end of file

@styk-tv (Contributor, Author) commented Jan 14, 2019

One note we should add to the documentation is the warning "InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised." caused by bypassed verification of the SSL endpoint by the requests lib. But that's a different issue altogether.

A few extra libs are added to deal with JSON conversion and requests. Maybe there is a way to use what is already in Flask. I tried to minimize the use of external libraries and this is what I came up with.
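
The discovery flow described in the two comments above (fetch `.well-known/openid-configuration`, then take the RSA key from the JWKS), sketched with TLS verification left on. This is an added example, not code from the PR or from flask-jwt-extended; the function names, the `cafile` parameter and the constructed sample documents (including the toy modulus and the `/certs` path) are assumptions made for illustration.

```python
import base64
import json
import ssl
import urllib.request

OIDC_ISSUER_URL = "https://my-identity-server.example/auth/realms/master"  # value from the PR

# Constructed sample documents (not real server output); "wP_u" is a toy modulus.
SAMPLE_DISCOVERY = {"issuer": OIDC_ISSUER_URL, "jwks_uri": OIDC_ISSUER_URL + "/certs"}
SAMPLE_JWKS = {"keys": [
    {"kid": "enc-1", "kty": "RSA", "use": "enc", "n": "AQAB", "e": "AQAB"},
    {"kid": "sig-1", "kty": "RSA", "use": "sig", "n": "wP_u", "e": "AQAB"}]}


def fetch_json(url, cafile=None):
    """GET JSON over HTTPS; pass cafile for a private CA instead of disabling checks."""
    if not url.startswith("https://"):
        raise ValueError("refusing non-HTTPS URL: " + url)
    ctx = ssl.create_default_context(cafile=cafile)  # verifies cert chain and hostname
    with urllib.request.urlopen(url, context=ctx, timeout=10) as resp:
        return json.load(resp)


def check_discovery(doc, expected_issuer):
    """Return jwks_uri only if the document names the issuer we configured."""
    if doc.get("issuer") != expected_issuer:
        raise ValueError("issuer mismatch: %r" % doc.get("issuer"))
    jwks_uri = doc.get("jwks_uri") or ""
    if not jwks_uri.startswith("https://"):
        raise ValueError("jwks_uri must be HTTPS")
    return jwks_uri


def b64url_to_int(value):
    """Decode an unpadded base64url big-endian integer (JWK 'n' and 'e')."""
    return int.from_bytes(base64.urlsafe_b64decode(value + "=" * (-len(value) % 4)), "big")


def rsa_numbers_for_kid(jwks, kid):
    """Return (n, e) of the RSA signing key whose kid matches the token header."""
    for key in jwks.get("keys", []):
        if key.get("kid") == kid and key.get("kty") == "RSA" and key.get("use", "sig") == "sig":
            return b64url_to_int(key["n"]), b64url_to_int(key["e"])
    raise KeyError("no RSA signing key with kid %r" % kid)


def load_signing_numbers(issuer, kid, cafile=None):
    """Discovery -> issuer check -> JWKS -> (n, e); needs network access."""
    doc = fetch_json(issuer.rstrip("/") + "/.well-known/openid-configuration", cafile)
    return rsa_numbers_for_kid(fetch_json(check_discovery(doc, issuer), cafile), kid)
```

The `(n, e)` pair is what an RSA library needs to build the public key for signature verification, for example `RSAPublicNumbers(e, n)` in the `cryptography` package.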

@coveralls

Coverage Status

Coverage remained the same at 100.0% when pulling d4adb11 on styk-tv:master into f300015 on vimalloc:master.

@vimalloc vimalloc merged commit 8ba49aa into vimalloc:master Jan 14, 2019
@vimalloc (Owner)

Right on, thanks for putting this together! 👍
