@thomasdarimont
Last active May 11, 2024 09:57
Simple python example using flask, flask_oidc and keycloak

import json
import logging

from flask import Flask, g
from flask_oidc import OpenIDConnect
import requests

logging.basicConfig(level=logging.DEBUG)

app = Flask(__name__)
app.config.update({
    # Demo settings for a local Keycloak: the fixed SECRET_KEY, TESTING/DEBUG and
    # the non-secure ID token cookie are only suitable for local development.
    'SECRET_KEY': 'SomethingNotEntirelySecret',
    'TESTING': True,
    'DEBUG': True,
    'OIDC_CLIENT_SECRETS': 'client_secrets.json',
    'OIDC_ID_TOKEN_COOKIE_SECURE': False,
    'OIDC_REQUIRE_VERIFIED_EMAIL': False,
    'OIDC_USER_INFO_ENABLED': True,
    'OIDC_OPENID_REALM': 'flask-demo',
    'OIDC_SCOPES': ['openid', 'email', 'profile'],
    'OIDC_INTROSPECTION_AUTH_METHOD': 'client_secret_post'
})

oidc = OpenIDConnect(app)


@app.route('/')
def hello_world():
    if oidc.user_loggedin:
        return ('Hello, %s, <a href="/private">See private</a> '
                '<a href="/logout">Log out</a>') % \
            oidc.user_getfield('preferred_username')
    else:
        return 'Welcome anonymous, <a href="/private">Log in</a>'


@app.route('/private')
@oidc.require_login
def hello_me():
    """Example for protected endpoint that extracts private information from the OpenID Connect id_token.
    Uses the accompanied access_token to access a backend service.
    """
    info = oidc.user_getinfo(['preferred_username', 'email', 'sub'])

    username = info.get('preferred_username')
    email = info.get('email')
    user_id = info.get('sub')

    # Default greeting, used when no credentials are stored for this user.
    greeting = "Hello %s" % username

    if user_id in oidc.credentials_store:
        try:
            from oauth2client.client import OAuth2Credentials
            access_token = OAuth2Credentials.from_json(oidc.credentials_store[user_id]).access_token
            # Debug output for the demo; do not log bearer tokens outside local testing.
            print('access_token=<%s>' % access_token)
            headers = {'Authorization': 'Bearer %s' % (access_token)}
            # YOLO
            greeting = requests.get('http://localhost:8080/greeting', headers=headers).text
        except Exception:
            print("Could not access greeting-service")
            greeting = "Hello %s" % username

    return ("""%s your email is %s and your user_id is %s!
<ul>
<li><a href="/">Home</a></li>
<li><a href="//localhost:8081/auth/realms/pysaar/account?referrer=flask-app&referrer_uri=http://localhost:5000/private&">Account</a></li>
</ul>""" %
            (greeting, email, user_id))


@app.route('/api', methods=['POST'])
@oidc.accept_token(require_token=True, scopes_required=['openid'])
def hello_api():
    """OAuth 2.0 protected API endpoint accessible via AccessToken"""
    return json.dumps({'hello': 'Welcome %s' % g.oidc_token_info['sub']})


@app.route('/logout')
def logout():
    """Performs local logout by removing the session cookie."""
    oidc.logout()
    return 'Hi, you have been logged out! <a href="/">Return</a>'


if __name__ == '__main__':
    app.run()

{
    "web": {
        "issuer": "http://localhost:8081/auth/realms/pysaar",
        "auth_uri": "http://localhost:8081/auth/realms/pysaar/protocol/openid-connect/auth",
        "client_id": "flask-app",
        "client_secret": "a41060dd-b5a8-472e-a91f-6a3ab0e04714",
        "redirect_uris": [
            "http://localhost:5000/*"
        ],
        "userinfo_uri": "http://localhost:8081/auth/realms/pysaar/protocol/openid-connect/userinfo",
        "token_uri": "http://localhost:8081/auth/realms/pysaar/protocol/openid-connect/token",
        "token_introspection_uri": "http://localhost:8081/auth/realms/pysaar/protocol/openid-connect/token/introspect"
    }
}

@oudcheikh

oudcheikh commented Mar 12, 2020

Hello
What is the configuration to do with Keycloak?
How to get the secret file?

@jornh

jornh commented Mar 27, 2020

@oudcheikh I think it’s just that Thomas set it up with keycloak, so that’s what he documented (it may/may not work with other providers).

To get the secrets file see https://github.com/puiterwijk/flask-oidc/blob/master/docs/index.rst#registration
There’s also a section for manually making it right below.
See sample format and included fields in https://gist.github.com/thomasdarimont/145dc9aa857b831ff2eff221b79d179a#file-client_secrets-json above

@harish2296

Can I use this approach without client_secret_key?

@shashwatagrawal123

<>_<>

@khteh

khteh commented Mar 2, 2021

Hi, I am using Keycloak in "User Federation" mode with microsoft active directory. Does this sample work? Thanks.

@khteh

khteh commented Mar 3, 2021

Where / how is the login handled from 'Welcome anonymous, <a href="/private">Log in</a>'

@kaanoguzhan

kaanoguzhan commented Aug 16, 2021

Just an update on a 4 years old gist :)
"Simple python example using flask, flask_oidc and keycloak, needs a small patch of flask_oidc: puiterwijk/flask-oidc#35"
not needed anymore

@DroidUnknown

How do I properly log out? When I click logout, it shows that I have logged out, but clicking login logs me in directly and doesn't ask for username and password again. On Keycloak the session is not closed either. Until I close the session on Keycloak, it keeps me logged in there. Is this OK behavior, and if I want to do a complete logout, how can I do that?

@kaanoguzhan

@DroidUnknown You have to log out from Keycloak as well before logging in to the app

@DroidUnknown

@kaanoguzhan that I understood. Is there any API endpoint that I can use? Or document reference that you can point out thanks.

@AseedUsmani

@DroidUnknown you can also clear Flask's session/cookie.
For keycloak's API call, you should refer to the docs.

Ideally, you should do both.

@DroidUnknown

Line 50 is giving me an empty array for the credential store for a logged-in user, due to which I am unable to get the access token, I guess.

@skt7

skt7 commented Dec 25, 2021

@DroidUnknown the following worked for me

@app.route('/logout')
@oidc.require_login
def logout():
    refresh_token = oidc.get_refresh_token()
    oidc.logout()
    keycloak_openid.logout(refresh_token)
    response = redirect(url_for('login'))
    return response

I used python-keycloak library to logout from keycloak, you can find more details here - https://github.com/marcospereirampj/python-keycloak

Hope it helps :)

@ech0server

If you don't want to add another dependency to your project and you just need the logout you can redirect it to the keycloak logout

@app.route("/logout")
def logout():
    oidc.logout()
    return redirect(
         ****keycloack****
        + "/protocol/openid-connect/logout?redirect_uri="
        + host_url
    )

Where:
****keycloack**** would be your keycloak server+realm like: "https://key.server.com/auth/realms/demo-realm"
host_url: it could be the login page or landing page

@tonycloud40

@app.route('/logout')
@oidc.require_login
def logout():
    url = oidc.client_secrets.get('issuer')
    hosturl = 'http%3A%2F%2Flocalhost%3A5000%2F'
    oidc.logout()
    return redirect(
        url + '/protocol/openid-connect/logout?redirect_uri=' + hosturl)

if __name__ == '__main__':
    app.run()


The issuer is in the client_secret.json file
{
    "web": {
        "issuer": "http://localhost:8080/auth/realms/myflaskapp",
        "auth_uri": "http://localhost:8080/auth/realms/myflaskapp/protocol/openid-connect/auth",
        "client_id": "flask-app",
        "client_secret": "blablabla",
        "redirect_uris": ["http://localhost:5000/oidc_callback"],
        "userinfo_uri": "http://localhost:8080/auth/realms/myflaskapp/protocol/openid-connect/userinfo", 
        "token_uri": "http://localhost:8080/auth/realms/myflaskapp/protocol/openid-connect/token",
        "token_introspection_uri": "http://localhost:8080/auth/realms/myflaskapp/protocol/openid-connect/token/introspect"
    }
}

@phil-doyle-369

Hi all, @thomasdarimont - I'm looking for a full example of keycloak client config and a secured flask app. Please can anyone point me in the right direction for a working example? Thank you!

@AseedUsmani
@phil-doyle-369 this is pretty much ready (as a demo only). What is confusing you?

@phil-doyle-369

Hi @AseedUsmani,

Well I setup keycloak on a server and have the app.py service running on localhost:5000. I visit the localhost:5000 and see a login link which redirects me to keycloak to login. The login is successful as I can see the user session in the keycloak admin.

When keycloak redirects back to the Flask service the oidc_callback throws the following error.

http://localhost:5000/oidc_callback?state=eyJjc3JmX3Rva2VuIjogIkpuODlvREdTMkdNQzl5QWZPdGZ0UVh4NGNFTkNTa2NhIiwgImRlc3RpbmF0aW9uIjogImV5SmhiR2NpT2lKSVV6VXhNaUo5LkltaDBkSEE2THk5c2IyTmhiR2h2YzNRNk5UQXdNQzl3Y21sMllYUmxJZy5NZ0lfU0puaktXMTg4TTBuZFdKZWw2YXhicFZjR2NLTzFBQ3ducURheXQtUlQ1ckxuX2RCd0FYcFozR2x5eTBqbU1nZ1dGdnJPQzZOZ01kbl9KQVNDQSJ9&session_state=8c4b100f-d50f-4853-9e9b-1f020a16d61f&code=faecc443-65f0-4199-b76d-4819b14adc8b.8c4b100f-d50f-4853-9e9b-1f020a16d61f.0917bdbe-6a63-4a58-b1ea-16c97e0d3547

Traceback (most recent call last):
  File "/home/phild/.local/lib/python3.6/site-packages/flask/app.py", line 2464, in __call__
    return self.wsgi_app(environ, start_response)
  File "/home/phild/.local/lib/python3.6/site-packages/flask/app.py", line 2450, in wsgi_app
    response = self.handle_exception(e)
  File "/home/phild/.local/lib/python3.6/site-packages/flask/app.py", line 1867, in handle_exception
    reraise(exc_type, exc_value, tb)
  File "/home/phild/.local/lib/python3.6/site-packages/flask/_compat.py", line 39, in reraise
    raise value
  File "/home/phild/.local/lib/python3.6/site-packages/flask/app.py", line 2447, in wsgi_app
    response = self.full_dispatch_request()
  File "/home/phild/.local/lib/python3.6/site-packages/flask/app.py", line 1952, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/home/phild/.local/lib/python3.6/site-packages/flask/app.py", line 1821, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/home/phild/.local/lib/python3.6/site-packages/flask/_compat.py", line 39, in reraise
    raise value
  File "/home/phild/.local/lib/python3.6/site-packages/flask/app.py", line 1950, in full_dispatch_request
    rv = self.dispatch_request()
  File "/home/phild/.local/lib/python3.6/site-packages/flask/app.py", line 1936, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/home/phild/.local/lib/python3.6/site-packages/flask_oidc/__init__.py", line 657, in _oidc_callback
    plainreturn, data = self._process_callback('destination')
  File "/home/phild/.local/lib/python3.6/site-packages/flask_oidc/__init__.py", line 689, in _process_callback
    credentials = flow.step2_exchange(code)
  File "/home/phild/.local/lib/python3.6/site-packages/oauth2client/_helpers.py", line 133, in positional_wrapper
    return wrapped(*args, **kwargs)
  File "/home/phild/.local/lib/python3.6/site-packages/oauth2client/client.py", line 2054, in step2_exchange
    http, self.token_uri, method='POST', body=body, headers=headers)
  File "/home/phild/.local/lib/python3.6/site-packages/oauth2client/transport.py", line 282, in request
    connection_type=connection_type)
  File "/home/phild/.local/lib/python3.6/site-packages/httplib2/__init__.py", line 1314, in request
    (response, content) = self._request(conn, authority, uri, request_uri, method, body, headers, redirections, cachekey)
  File "/home/phild/.local/lib/python3.6/site-packages/httplib2/__init__.py", line 1064, in _request
    (response, content) = self._conn_request(conn, request_uri, method, body, headers)
  File "/home/phild/.local/lib/python3.6/site-packages/httplib2/__init__.py", line 987, in _conn_request
    conn.connect()
  File "/home/phild/anaconda3/envs/runner6/lib/python3.6/http/client.py", line 1448, in connect
    server_hostname=server_hostname)
  File "/home/phild/anaconda3/envs/runner6/lib/python3.6/ssl.py", line 407, in wrap_socket
    _context=self, _session=session)
  File "/home/phild/anaconda3/envs/runner6/lib/python3.6/ssl.py", line 817, in __init__
    self.do_handshake()
  File "/home/phild/anaconda3/envs/runner6/lib/python3.6/ssl.py", line 1077, in do_handshake
    self._sslobj.do_handshake()
  File "/home/phild/anaconda3/envs/runner6/lib/python3.6/ssl.py", line 689, in do_handshake
    self._sslobj.do_handshake()
ssl.SSLError: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:852)

I also tried running the Flask service in a docker container as a reverse proxy on the same server as the keycloak server (also in a docker container) and this gives the following error.

phild@dmz-werkstatt-00:~$ docker logs test-svr

  • Environment: production
    WARNING: This is a development server. Do not use it in a production deployment.
    Use a production WSGI server instead.
  • Debug mode: off
  • Running on http://0.0.0.0:8080/ (Press CTRL+C to quit)
    192.168.0.7 - - [30/Mar/2022 13:34:40] "GET /test-svr/ HTTP/1.0" 200 -
    192.168.0.7 - - [30/Mar/2022 13:34:45] "GET /test-svr/private HTTP/1.0" 302 -
    192.168.0.7 - - [30/Mar/2022 13:35:06] "GET /test-svr/oidc_callback?state=eyJjc3JmX3Rva2VuIjogInhRTkdTUXVseEVhb2VQaUQ2TDYwekZUNTl6bHk3aUZqIiwgImRlc3RpbmF0aW9uIjogImV5SmhiR2NpT2lKSVV6VXhNaUo5LkltaDBkSEE2THk5M1pYSnJjM1JoZEhRdVlYTjBjbWwyYVhNdVkyOXRMM1JsYzNRdGMzWnlMM0J5YVhaaGRHVWkudjdQTHdReTl1Y0ZjcDZZZEw0Yzkzd2VBbzU2cHNiVTJDNG5KNG12MVFhYldkOHZiZ21fVTREbkJ0VmJqUmttNzB0TDhpOWRkZU5ETjl1VUZwZlExblEifQ%3D%3D&session_state=271a337f-894b-44e2-8100-7fc44115f613&code=bf7ad4e5-fc6c-42f8-b3fb-f6f4c5e01161.271a337f-894b-44e2-8100-7fc44115f613.0917bdbe-6a63-4a58-b1ea-16c97e0d3547 HTTP/1.0" 404 -

Any ideas regarding the issue would be much appreciated.

@albertwibowo

Hello, a quick question. Does the client_secrets.json have to be in the following format?

{
    "web": {
        "issuer": "http://localhost:8081/auth/realms/pysaar",
        "auth_uri": "http://localhost:8081/auth/realms/pysaar/protocol/openid-connect/auth",
        "client_id": "flask-app",
        "client_secret": "a41060dd-b5a8-472e-a91f-6a3ab0e04714",
        "redirect_uris": [
            "http://localhost:5000/*"
        ],
        "userinfo_uri": "http://localhost:8081/auth/realms/pysaar/protocol/openid-connect/userinfo",
        "token_uri": "http://localhost:8081/auth/realms/pysaar/protocol/openid-connect/token",
        "token_introspection_uri": "http://localhost:8081/auth/realms/pysaar/protocol/openid-connect/token/introspect"
    }
}

@neerajasjawali

Hello.
Flask-OIDC is not working in 32bit R-Pi server board.
Could anyone help me to solve this issue?
Could you suggest some alternatives for flask-oidc packages and dJango packages?

@jouellnyc

jouellnyc commented May 7, 2022

This was a terrific launching point for me. There are a lot of examples on the 'net that are dead ends or just don't work. Thanks so much

@volodya-wtf

Hi, I need help please! After adding Apache as a reverse proxy and dockerization, I get a redirect to the IP address of the container and not back to the application. And as a consequence: "not authorized"

Apache config:

<Location /api_gateway>
    ProxyPass http://172.18.0.16:5000/
    ProxyPassReverse http://172.18.0.16:5000/
</Location>

@1zg12

1zg12 commented Jul 20, 2022

Are you running Keycloak out of HTTPS? You need to have that cert added in your trust store in the Python service if that's the case.

@reddybhavaniprasad

reddybhavaniprasad commented Oct 25, 2022

Hi,
I am able to authorize the APIs using the keycloak token generated from the client secret. Now I have an extra use case where I have two different DNS to reach keycloak, I have added one of them in the client_secrets.json file. When I generate the access token using the other (different) DNS and authorize the API, they are failing with 401 error but with the access token generated from the DNS configured in the client_secrets.json file it is successful.
Please let me know if there is any way I can update both the keycloak endpoints in the client_secrets.json file.

@otto2704

Hi,
thanks for this example. It works so far. But now I have to add some dash stuff.
Dash needs a function for layout. As soon as I am using this, the oidc stuff does not work anymore (and oidc is not recognised within the layout function). Does anyone maybe have a working example for flask plus dash and could post it?

@robertoneto-senior

robertoneto-senior commented Feb 8, 2024

For logout I was only able to do it with:

@app.route('/signout')
def logout():
    id_token = session.get('oidc_auth_token').get('id_token')
    return redirect(
        "https://my-key-cloak/realms/my-realm/protocol/openid-connect/logout?id_token_hint=%s&post_logout_redirect_uri=%s" % (id_token, urllib.parse.quote("http://localhost/logout", safe='')))

The signout process will logout on keycloak and redirect to /logout to discard cookies.

And I changed the link on main page to point to /signout instead of /logout.

This "fix" was based on keycloak 18 upgrade docs:
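
The logout snippets in the comments above build the Keycloak logout URL by string concatenation. As an added example (not code from the gist or from any commenter), the sketch below contrasts that with an allow-listed, percent-encoded version covering both the `redirect_uri` form and the `id_token_hint`/`post_logout_redirect_uri` form; all function names, `ALLOWED_RETURN_URLS` and the sample return URLs are assumptions made for the illustration.

```python
from urllib.parse import parse_qs, urlencode, urlsplit

LOGOUT_PATH = "/protocol/openid-connect/logout"

# Assumption: the only places this app sends a browser after logout.
ALLOWED_RETURN_URLS = frozenset({
    "http://localhost:5000/",
    "http://localhost:5000/?next=/private&lang=en",
})


def concatenated_logout_url(issuer, return_to):
    """String concatenation as in the thread's snippets; return_to is not encoded."""
    return issuer + LOGOUT_PATH + "?redirect_uri=" + return_to


def keycloak_logout_url(issuer, return_to, id_token=None,
                        allowed=ALLOWED_RETURN_URLS):
    """Build the logout redirect with an allow-listed, percent-encoded return URL.

    With id_token the id_token_hint/post_logout_redirect_uri form is used,
    otherwise the older redirect_uri form; both appear in the comments above.
    """
    if urlsplit(issuer).scheme not in ("http", "https"):
        raise ValueError("issuer must be an http(s) URL")
    if return_to not in allowed:
        # Exact match only: a prefix or substring test would let other hosts through.
        raise ValueError("return URL is not allow-listed: %r" % (return_to,))
    if id_token:
        params = {"id_token_hint": id_token,
                  "post_logout_redirect_uri": return_to}
    else:
        params = {"redirect_uri": return_to}
    return issuer.rstrip("/") + LOGOUT_PATH + "?" + urlencode(params)


def logout_params(url):
    """Parse the query string the way the receiving server would."""
    return parse_qs(urlsplit(url).query)


if __name__ == "__main__":
    issuer = "http://localhost:8080/auth/realms/myflaskapp"  # issuer quoted in the thread
    target = "http://localhost:5000/?next=/private&lang=en"  # constructed sample
    # Unencoded: the return URL is cut at its own '&' and 'lang' becomes
    # a parameter of the logout endpoint instead.
    print(logout_params(concatenated_logout_url(issuer, target)))
    # Encoded: the return URL arrives intact as a single parameter.
    print(logout_params(keycloak_logout_url(issuer, target)))
    # "aaa.bbb.ccc" is a constructed stand-in for an ID token.
    print(keycloak_logout_url(issuer, "http://localhost:5000/", id_token="aaa.bbb.ccc"))
```

In a Flask view the returned string would be passed to `redirect()` after `oidc.logout()`, so that both the local session and the Keycloak session are ended.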

@alex27riva

Hi everyone, does this code still work?
It seems that the endpoints have changed from http://localhost:8081/auth/realms/pysaar to http://localhost:8081/realms/pysaar

I tried to run the app but I get this error message:
[image]

Maybe because this method is not resolved:
[image]
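
Several questions in this thread concern the layout of `client_secrets.json` and the move from `/auth/realms/...` to `/realms/...` URLs. As an added example (not part of the gist or of flask-oidc), the sketch below derives the file from a single base URL and lints an existing one for fields that have drifted apart; `build_web_config` and `lint_client_secrets` are hypothetical helpers, the inputs are constructed, and the wildcard and plain-http checks are assumptions about what a reviewer would flag.

```python
import json
from urllib.parse import urlsplit

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}
# Key in client_secrets.json -> path below <issuer>/protocol/openid-connect/
ENDPOINTS = {
    "auth_uri": "auth",
    "token_uri": "token",
    "userinfo_uri": "userinfo",
    "token_introspection_uri": "token/introspect",
}


def build_web_config(base_url, realm, client_id, client_secret, callback,
                     auth_prefix=False):
    """Derive every URL from one issuer so the fields cannot drift apart.

    auth_prefix=True gives the /auth/realms/<realm> layout used in the gist,
    False the /realms/<realm> layout mentioned later in the thread.
    """
    prefix = "/auth" if auth_prefix else ""
    issuer = "%s%s/realms/%s" % (base_url.rstrip("/"), prefix, realm)
    web = {
        "issuer": issuer,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uris": [callback],
    }
    for key, path in ENDPOINTS.items():
        web[key] = "%s/protocol/openid-connect/%s" % (issuer, path)
    return {"web": web}


def lint_client_secrets(config):
    """Return (field, problem) tuples for a parsed client_secrets.json."""
    web = config.get("web", {})
    findings = []
    issuer = web.get("issuer", "").rstrip("/")
    if not issuer:
        findings.append(("issuer", "missing"))
    for key in ENDPOINTS:
        value = web.get(key, "")
        if not value:
            findings.append((key, "missing"))
        elif issuer and not value.startswith(issuer + "/"):
            # Typical after editing only some fields, e.g. dropping /auth
            # from the issuer but not from the endpoints.
            findings.append((key, "not under issuer"))
    for key in ("issuer", *ENDPOINTS):
        parts = urlsplit(web.get(key, ""))
        if parts.scheme == "http" and parts.hostname not in LOCAL_HOSTS:
            findings.append((key, "plain http on a non-local host"))
    redirect_uris = web.get("redirect_uris", [])
    if not redirect_uris:
        findings.append(("redirect_uris", "missing"))
    for uri in redirect_uris:
        if "*" in uri:
            findings.append(("redirect_uris", "wildcard: " + uri))
    return findings


if __name__ == "__main__":
    # Constructed inputs; "<client-secret>" is a placeholder.
    gist_style = build_web_config("http://localhost:8081", "pysaar", "flask-app",
                                  "<client-secret>", "http://localhost:5000/*",
                                  auth_prefix=True)
    mixed = json.loads(json.dumps(gist_style))  # deep copy
    mixed["web"]["issuer"] = "http://localhost:8081/realms/pysaar"
    for name, cfg in (("gist style", gist_style), ("issuer edited only", mixed)):
        print(name, lint_client_secrets(cfg))
```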

@LUCIFERsDen26

LUCIFERsDen26 commented Mar 12, 2024

Hello! @alex27riva

I got it working! 🎉 GitHub Gist Link

docker run -p 8080:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin quay.io/keycloak/keycloak:24.0.1 start-dev

Then I built the realm and client, and modified the code according to the latest release of flask-oidc (1.2.0) (Sep 28, 2017).

Thank you!

If you've discovered a new way to deal with Flask Keycloak, please let me know too!

@alex27riva
Hi @LUCIFERsDen26, thank you for your reply.
I tried your code, but I'm getting the same error as before.
[image]
Are these client settings correct?

@LUCIFERsDen26
Hey!
Thanks for reaching out!
The address should be the same as the one your Python Flask app is running on, as shown in the image!

BTW it has username: lucifer
password: test (I guess, I don't remember, I changed it from the admin account)

[image]
