import os
import secrets
from urllib.parse import urlsplit

from flask import Flask, session, request, redirect, abort, Response
from requests_oauthlib import OAuth2Session
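def _is_local_path(target):
    """Return True when *target* is a same-site path such as ``/foo?x=1``.

    Used to validate the post-login ``url`` parameter so that ``/callback``
    can only redirect within this site, never to a caller-chosen host.
    Rejects absolute URLs, protocol-relative forms (``//host``, ``/\\host``)
    and anything containing whitespace (browsers strip tabs/newlines, which
    could otherwise re-form a protocol-relative URL).
    """
    if not isinstance(target, str) or not target.startswith('/'):
        return False
    if target[1:2] in ('/', '\\'):
        return False
    if any(ch.isspace() for ch in target):
        return False
    parts = urlsplit(target)
    return not parts.scheme and not parts.netloc


def create_app(test_config=None):
    """Build the Flask application for the OAuth2 login proxy.

    Args:
        test_config: optional mapping applied on top of ``default_config.py``
            instead of the deployment's ``config.py``.

    Returns:
        A configured :class:`flask.Flask` instance.

    The front webserver is expected to inject ``X-CLIENT-ID``,
    ``X-CLIENT-SECRET`` and ``X-REDIRECT-URI`` headers on every request (see
    ``/status``). Because these headers are trusted, that webserver must also
    strip or overwrite any such headers arriving from the outside; otherwise a
    caller could choose its own client credentials or redirect URI.
    """
    app = Flask(__name__)
    # Fallback only: a fresh random key per process invalidates every session
    # on restart and breaks multi-worker deployments, so the config files read
    # below should set a stable SECRET_KEY for real deployments.
    app.config['SECRET_KEY'] = secrets.token_hex(128)
    app.config.from_pyfile('default_config.py')
    if test_config:
        app.config.from_mapping(test_config)
    else:
        app.config.from_pyfile('config.py', silent=True)

    # Fields the userinfo endpoint must return; /auth re-exports all of them.
    required_claims = ('id', 'name', 'nickname', 'email', 'groups')

    def get_oauth(**kwargs):
        """Return an OAuth2Session built from the webserver-injected headers.

        Aborts with 500 when the headers are missing: that is a deployment
        error on the front webserver (``/status`` shows what is expected),
        not something the browser user can fix.
        """
        client_id = request.headers.get('X-CLIENT-ID')
        redirect_uri = request.headers.get('X-REDIRECT-URI')
        if not client_id or not redirect_uri:
            abort(500)
        return OAuth2Session(client_id, redirect_uri=redirect_uri, **kwargs)

    @app.route("/auth")
    def auth():
        """Report the logged-in user as response headers, or 401 if none.

        Presumably consumed by the front webserver's auth sub-request; it
        only reads what ``/callback`` stored in the signed session cookie.
        """
        if not session.get('user_id'):
            abort(401)
        resp = Response('Ok', 200)
        resp.headers['OAUTH-USER-ID'] = session['user_id']
        resp.headers['OAUTH-USER-NAME'] = session['user_name']
        resp.headers['OAUTH-USER-NICKNAME'] = session['user_nickname']
        resp.headers['OAUTH-USER-EMAIL'] = session['user_email']
        # str() so a non-string group value cannot turn this into a 500.
        resp.headers['OAUTH-USER-GROUPS'] = ','.join(
            str(group) for group in session['user_groups'])
        return resp

    @app.route("/login")
    def login():
        """Start the authorization-code flow and remember where to return to.

        The ``url`` parameter is caller-controlled, so only a same-site path
        is accepted and anything else falls back to ``/``; without this check
        ``/callback`` would redirect to an arbitrary external site.
        """
        client = get_oauth()
        url, state = client.authorization_url(app.config['OAUTH2_AUTH_URL'])
        session['state'] = state
        target = request.values.get('url', '/')
        session['url'] = target if _is_local_path(target) else '/'
        return redirect(url)

    @app.route("/callback")
    def callback():
        """Finish the flow: exchange the code, fetch userinfo, fill the session.

        Aborts with 400 when no login is pending in this session (stale or
        forged callback) and with 502 when the userinfo endpoint fails or
        omits one of ``required_claims``.
        """
        state = session.pop('state', None)
        if not state:
            abort(400)
        client_secret = request.headers.get('X-CLIENT-SECRET')
        if not client_secret:
            abort(500)  # same deployment error as in get_oauth()
        client = get_oauth(state=state)
        # requests_oauthlib checks the ``state`` echoed in request.url against
        # the one passed above (MismatchingStateError otherwise), which is the
        # CSRF protection for this step.  verify=False in debug mode disables
        # TLS verification towards the token endpoint -- local development only.
        client.fetch_token(app.config['OAUTH2_TOKEN_URL'],
                           client_secret=client_secret,
                           authorization_response=request.url,
                           verify=(not app.debug))
        userinfo_resp = client.get(app.config['OAUTH2_USERINFO_URL'])
        if not userinfo_resp.ok:
            abort(502)
        userinfo = userinfo_resp.json()
        if not isinstance(userinfo, dict) or any(
                claim not in userinfo for claim in required_claims):
            abort(502)
        session['user_id'] = userinfo['id']
        session['user_name'] = userinfo['name']
        session['user_nickname'] = userinfo['nickname']
        session['user_email'] = userinfo['email']
        session['user_groups'] = userinfo['groups']
        # Re-validated here as well: the session is signed, but a cheap second
        # check keeps this endpoint safe even if /login changes later.
        target = session.pop('url', '/')
        return redirect(target if _is_local_path(target) else '/')

    @app.route("/logout")
    def logout():
        """Drop the whole session; the OAuth server's own session is untouched."""
        session.clear()
        return 'Ok', 200

    @app.route("/status")
    def status():
        """Plain-text page showing which proxy headers the webserver injects.

        Only the presence of ``X-CLIENT-SECRET`` is shown, never its value.
        """
        resp = Response('''Proxy Configuration Status
For this proxy service to work properly, the OAuth client crendentials must
be injected in by the webserver as HTTP-headers:
X-CLIENT-ID: %s
X-CLIENT-SECRET: %s
X-REDIRECT-URI: %s
If you accessed this ressource with the URL
https://mydomain/mysubpath/info
then the redirect URI must be set to:
https://mydomain/mysubpath/callback
This exact redirect URI must also be registered with the OAuth server as
a valid redirect_uri for the client_id.
''' % (request.headers.get('X-CLIENT-ID', '(unset)'),
       '(set)' if request.headers.get('X-CLIENT-SECRET') else '(unset)',
       request.headers.get('X-REDIRECT-URI', '(unset)')))
        # content_type sets the header verbatim; the mimetype setter would
        # append its own charset parameter to a value that already has one.
        resp.content_type = 'text/plain; charset=utf-8'
        return resp

    return app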
if __name__ == '__main__':
    # Development entry point only.  oauthlib refuses plain-HTTP OAuth2 flows
    # unless this variable is set; leave it unset in production.
    os.environ['OAUTHLIB_INSECURE_TRANSPORT'] = '1'
    create_app().run(debug=True, host='localhost', port=5002)