Updated code and sample nginx config to uffd changes

151cf0b3 · Julian · bb28339c · 151cf0b3 · 151cf0b3
Commit 151cf0b3 authored Oct 8, 2020 by Julian
--- a/app.py
+++ b/app.py
@@ -16,16 +16,19 @@ app.config['OAUTH2_USERINFO_URL'] = 'http://localhost:5001/oauth2/userinfo'
 @app.route("/auth")
 def auth():
-	if not session.get('user'):
+	if not session.get('user_id'):
 		abort(401)
 	resp = Response('Ok', 200)
-	resp.headers['REMOTE_USER'] = session['user']
+	resp.headers['OAUTH-USER-ID'] = session['user_id']
+	resp.headers['OAUTH-USER-NAME'] = session['user_name']
+	resp.headers['OAUTH-USER-NICKNAME'] = session['user_nickname']
+	resp.headers['OAUTH-USER-EMAIL'] = session['user_email']
+	resp.headers['OAUTH-USER-GROUPS'] = ','.join(session['user_groups'])
 	return resp
 def get_oauth(**kwargs):
 	return OAuth2Session(request.headers['X-CLIENT-ID'],
-		redirect_uri=request.headers['X-REDIRECT-URI'],
+		redirect_uri=request.headers['X-REDIRECT-URI'], **kwargs)
-		scope=request.headers['X-SCOPE'], **kwargs)
 @app.route("/login")
 def login():
@@ -40,7 +43,11 @@ def callback():
 	client = get_oauth(state=session.pop('state'))
 	token = client.fetch_token(app.config['OAUTH2_TOKEN_URL'], client_secret=request.headers['X-CLIENT-SECRET'], authorization_response=request.url, verify=(not app.debug))
 	userinfo = client.get(app.config['OAUTH2_USERINFO_URL']).json()
-	session['user'] = userinfo['email']
+	session['user_id'] = userinfo['id'] # (usually numeric) unique user id
+	session['user_name'] = userinfo['name'] # display name
+	session['user_nickname'] = userinfo['nickname'] # unique user name (for urls, @-handles, ...)
+	session['user_email'] = userinfo['email']
+	session['user_groups'] = userinfo['groups']
 	return redirect(session.pop('url'))
 @app.route("/logout")

--- a/testapp/nginx.conf
+++ b/testapp/nginx.conf
@@ -24,17 +24,19 @@ http {
 	#ssl_certificate mycert.crt;
 	#ssl_certificate_key myert.key;
 	server {
-		#listen 50004;
+		#listen 5004;
 		#listen [::]:5004;
 		listen localhost:5004;
 		location / {
+			# Unprotected resource
 			proxy_pass http://localhost:5003;
 		}
 		location /test {
+			# Protected resource
 			auth_request /oauthproxy/auth;
-			auth_request_set $auth_header $upstream_http_REMOTE_USER;
+			auth_request_set $auth_header $upstream_http_OAUTH_USER_NICKNAME;
 			more_clear_input_headers REMOTE-USER; # prevent spoofing
 			proxy_set_header REMOTE-USER $auth_header;
 			proxy_pass http://localhost:5003;
@@ -45,14 +47,12 @@ http {
 			proxy_set_header X-REDIRECT-URI "http://localhost:5004/oauthproxy/callback";
 			proxy_set_header X-CLIENT-ID "test";
 			proxy_set_header X-CLIENT-SECRET "testsecret";
-			proxy_set_header X-SCOPE "userinfo";
 			proxy_pass http://localhost:5002/;
 		}
 		error_page 401 = @error401;
 		location @error401 {
-			return 302 /oauthproxy/login?url=http://$http_host$request_uri;
+			return 302 "/oauthproxy/login?url=$scheme://$http_host$request_uri";
 		}
 	}
 }