diff --git a/app.py b/app.py
index 8f5cee366b2040c4d61a8c00ad5d1d965fa1c896..521263b48d3e0752e4d7cb495d530f8ecd324ee3 100644
--- a/app.py
+++ b/app.py
@@ -16,16 +16,19 @@ app.config['OAUTH2_USERINFO_URL'] = 'http://localhost:5001/oauth2/userinfo'
 
 @app.route("/auth")
 def auth():
- if not session.get('user'):
+ if not session.get('user_id'):
 abort(401)
 resp = Response('Ok', 200)
- resp.headers['REMOTE_USER'] = session['user']
+ resp.headers['OAUTH-USER-ID'] = session['user_id']
+ resp.headers['OAUTH-USER-NAME'] = session['user_name']
+ resp.headers['OAUTH-USER-NICKNAME'] = session['user_nickname']
+ resp.headers['OAUTH-USER-EMAIL'] = session['user_email']
+ resp.headers['OAUTH-USER-GROUPS'] = ','.join(session['user_groups'])
 return resp
 
 def get_oauth(**kwargs):
 return OAuth2Session(request.headers['X-CLIENT-ID'],
- redirect_uri=request.headers['X-REDIRECT-URI'],
- scope=request.headers['X-SCOPE'], **kwargs)
+ redirect_uri=request.headers['X-REDIRECT-URI'], **kwargs)
 
 @app.route("/login")
 def login():
@@ -40,7 +43,11 @@ def callback():
 client = get_oauth(state=session.pop('state'))
 token = client.fetch_token(app.config['OAUTH2_TOKEN_URL'], client_secret=request.headers['X-CLIENT-SECRET'], authorization_response=request.url, verify=(not app.debug))
 userinfo = client.get(app.config['OAUTH2_USERINFO_URL']).json()
- session['user'] = userinfo['email']
+ session['user_id'] = userinfo['id'] # (usually numeric) unique user id
+ session['user_name'] = userinfo['name'] # display name
+ session['user_nickname'] = userinfo['nickname'] # unique user name (for urls, @-handles, ...)
+ session['user_email'] = userinfo['email']
+ session['user_groups'] = userinfo['groups']
 return redirect(session.pop('url'))
 
 @app.route("/logout")
diff --git a/testapp/nginx.conf b/testapp/nginx.conf
index 06c8b76887f81088d4544fec03fa0d2bbb7dc1a3..4232b4a620a223e35f4476cb93468ff72a85bd39 100644
--- a/testapp/nginx.conf
+++ b/testapp/nginx.conf
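Review bot: The new `resp.headers[...]` assignments in `auth()` copy provider-supplied values straight into HTTP response headers, and `session['user_name']` is a free-form display name; WSGI header values are latin-1/byte oriented, so a name with characters outside that range is likely to make the response fail with a 500 from the auth subrequest instead of a clean 401, and a value containing CR/LF is rejected by Werkzeug at assignment time. Consider exposing only the identifiers nginx actually consumes, or encoding the free-form fields before placing them in headers (e.g. `urllib.parse.quote(session['user_name'])`). The guard on the first added line only checks `user_id`, so a session that has `user_id` but lacks one of the other keys raises KeyError rather than 401; `if not all(session.get(k) for k in ('user_id', 'user_name', 'user_nickname', 'user_email', 'user_groups')): abort(401)` keeps the failure on the intended path. `','.join(session['user_groups'])` likewise assumes a list of strings and yields an ambiguous value if a group name itself contains a comma.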
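Review bot: The added `session[...] = userinfo[...]` lines in `callback()` index the provider's JSON directly, so a userinfo document missing `id`, `name`, `nickname`, `email` or `groups` becomes a KeyError (500) rather than a controlled authentication failure; reading them with `userinfo.get(...)` and calling `abort(401)` when `id` is absent keeps the outcome explicit. The whole `groups` list is also persisted in the session; if the default cookie-backed Flask session is in use (not visible here), that data travels in a signed cookie on every request and is bounded by browser cookie-size limits, so a user in many groups may find login failing silently. The old `user` key is no longer written but is not removed either, so sessions issued before this change keep a stale value until they expire. `callback()` starts outside the hunk.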
@@ -24,17 +24,19 @@ http { #ssl_certificate mycert.crt; #ssl_certificate_key myert.key; server { - #listen 50004; + #listen 5004; #listen [::]:5004; listen localhost:5004; location / { + # Unprotected resource proxy_pass http://localhost:5003; } location /test { + # Protected resource auth_request /oauthproxy/auth; - auth_request_set $auth_header $upstream_http_REMOTE_USER; + auth_request_set $auth_header $upstream_http_OAUTH_USER_NICKNAME; more_clear_input_headers REMOTE-USER; # prevent spoofing proxy_set_header REMOTE-USER $auth_header; proxy_pass http://localhost:5003; @@ -45,14 +47,12 @@ http { proxy_set_header X-REDIRECT-URI "http://localhost:5004/oauthproxy/callback"; proxy_set_header X-CLIENT-ID "test"; proxy_set_header X-CLIENT-SECRET "testsecret"; - proxy_set_header X-SCOPE "userinfo"; proxy_pass http://localhost:5002/; } error_page 401 = @error401; location @error401 { - return 302 /oauthproxy/login?url=http://$http_host$request_uri; + return 302 "/oauthproxy/login?url=$scheme://$http_host$request_uri"; } - } }
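Review bot: The rewritten `return 302 "/oauthproxy/login?url=$scheme://$http_host$request_uri";` in `location @error401` builds the `url` query parameter from unescaped values: `$request_uri` still carries the client's own query string, so a `&` or `#` in the original request splits or truncates the `url` value that `/oauthproxy/login` receives, and `$http_host` is the client-supplied Host header, so the post-login redirect target is attacker-influenced unless the login handler validates it. Prefer a configured origin over `$http_host`, and have the application check that the stored `url` is same-origin before it is passed to `redirect()`; nginx's `return` does not URL-encode variables, so the application side has to treat the value as untrusted either way. The `location @error401` block is fully contained in the hunk.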