Simple oauth proxy

app.py

+from functools import wraps
+import secrets, json
+import urllib.parse
+
+from flask import Flask, session, request, redirect, abort, render_template, url_for, flash, Response
+
+import requests
+
+app = Flask(__name__)
+app.secret_key = b'my secret'
+app.config['SESSION_COOKIE_NAME'] = 'oauth-session'
+app.config['OAUTH2_AUTH_URL'] = 'http://localhost:5001/oauth2/authorize'
+app.config['OAUTH2_TOKEN_URL'] = 'http://localhost:5001/oauth2/token'
+app.config['OAUTH2_USERINFO_URL'] = 'http://localhost:5001/oauth2/userinfo'
+
+@app.route("/auth")
+def auth():
+	if not session.get('user'):
+		abort(401)
+	resp = Response('Ok', 200)
+	resp.headers['REMOTE_USER'] = session['user']
+	return resp
+
+@app.route("/login")
+def login():
+	client_id = request.headers['X-CLIENT-ID']
+	scope = request.headers['X-SCOPE']
+	redirect_uri = request.headers['X-REDIRECT-URI']
+	session['oauth-state'] = secrets.token_urlsafe()
+	session['oauth-ref'] = request.values.get('url', '/')
+	return redirect(app.config['OAUTH2_AUTH_URL']+'?'+urllib.parse.urlencode({'response_type': 'code', 'client_id': client_id, 'scope': scope, 'state': session['oauth-state'], 'redirect_uri': redirect_uri}))
+
+@app.route("/callback")
+def callback():
+	client_id = request.headers['X-CLIENT-ID']
+	client_secret = request.headers['X-CLIENT-SECRET']
+	redirect_uri = request.headers['X-REDIRECT-URI']
+	code = request.values['code']
+	if session.pop('oauth-state') != request.values['state']:
+		abort(500)
+	r = requests.request('POST', app.config['OAUTH2_TOKEN_URL'], data={'grant_type': 'authorization_code', 'code': code, 'redirect_uri': redirect_uri, 'client_id': client_id, 'client_secret': client_secret})
+	if r.status_code != 200:
+		abort(403)
+	data = r.json()
+	r = requests.request('GET', app.config['OAUTH2_USERINFO_URL'], headers={'Authorization': 'Bearer %s'%data['access_token']})
+	if r.status_code != 200:
+		abort(403)
+	session['user'] = r.json()['email']
+	return redirect(session.pop('oauth-ref'))
+
+@app.route("/logout")
+def logout():
+	session.clear()
+	return 'Ok', 200
+
+if __name__ == '__main__':
+	app.run(port=5002)

testapp/README.md

+
+1. Setup uffd to run on `http://localhost:5001` and add the following line to the `OAUTH2_CLIENTS` config variable:
+```'test': {'client_secret': 'testsecret', 'redirect_uris': ['http://localhost:5004/oauthproxy/callback']},```
+2. Start the oauthproxy app on `http://localhost:5002`: `python3 ../app.py`
+3. Start the test app on `http://localhost:5003`: `python3 testapp.py`
+4. Start nginx: `nginx -c nginx.conf -p .`
+5. Open `http://localhost:5004/test`
+

testapp/nginx.conf

+
+pid nginx.pid;
+error_log nginx.err.log;
+
+events {
+	worker_connections 768;
+}
+
+http {
+	access_log nginx.log;
+	client_body_in_file_only off;
+	include /etc/nginx/mime.types;
+	default_type application/octet-stream;
+	sendfile on;
+	tcp_nopush on;
+	tcp_nodelay on;
+	keepalive_timeout 65;
+	types_hash_max_size 2048;
+	server {
+		#listen 50004;
+		#listen [::]:5004;
+		listen localhost:5004;
+
+		location / {
+			proxy_pass http://localhost:5003;
+		}
+
+		location /test {
+			auth_request /oauthproxy/auth;
+			auth_request_set $auth_header $upstream_http_REMOTE_USER;
+			proxy_set_header REMOTE_USER $auth_header;
+			proxy_pass http://localhost:5003;
+		}
+
+		location /oauthproxy/ {
+			proxy_set_header X-REDIRECT-URI "http://localhost:5004/oauthproxy/callback";
+			proxy_set_header X-CLIENT-ID "test";
+			proxy_set_header X-CLIENT-SECRET "testsecret";
+			proxy_set_header X-SCOPE "userinfo";
+			proxy_pass http://localhost:5002/;
+		}
+
+		error_page 401 = @error401;
+		location @error401 {
+			return 302 /oauthproxy/login?url=http://$http_host$request_uri;
+		}
+
+	}
+}

testapp/testapp.py

+from flask import Flask, session, request, redirect, abort, render_template, url_for, flash
+
+app = Flask(__name__)
+
+@app.route("/")
+def index():
+	print(request.headers)
+	return 'Ok'
+
+@app.route("/test")
+def login():
+	print(request.headers)
+	username = request.headers['REMOTE_USER']
+	return 'logged in as "%s"'%username
+
+if __name__ == "__main__":
+	app.run(debug=True, port=5003)
+
+