canaille-globuzma/oidc_ldap_bridge/oauth.py

from authlib.jose import jwk
from authlib.oauth2 import OAuth2Error
from flask import Blueprint, request, session, redirect
from flask import render_template, jsonify, flash, current_app
from flask_babel import gettext
from .models import User, Client, Consent
from .oauth2utils import authorization, IntrospectionEndpoint, RevocationEndpoint
from .forms import LoginForm
from .flaskutils import current_user


bp = Blueprint(__name__, "oauth")


@bp.route("/authorize", methods=["GET", "POST"])
def authorize():
    user = current_user()
    client = Client.get(request.values["client_id"])
    scopes = request.args.get("scope", "").split(" ")

    # LOGIN

    if not user:
        if request.args.get("prompt") == "none":
            return jsonify({"error": "login_required"})

        form = LoginForm(request.form or None)
        if request.method == "GET":
            return render_template("login.html", form=form, menu=False)

        if not form.validate() or not User.authenticate(
            form.login.data, form.password.data, True
        ):
            flash(gettext("Login failed, please check your information"), "error")
            return render_template("login.html", form=form, menu=False)

        return redirect(request.url)

    # CONSENT

    consents = Consent.filter(
        oauthClient=client.dn,
        oauthSubject=user.dn,
    )
    consent = consents[0] if consents else None

    if request.method == "GET":
        if consent and all(scope in set(consent.oauthScope) for scope in scopes):
            return authorization.create_authorization_response(grant_user=user.dn)

        elif request.args.get("prompt") == "none":
            return jsonify({"error": "consent_required"})

        try:
            grant = authorization.validate_consent_request(end_user=user)
        except OAuth2Error as error:
            return jsonify(dict(error.get_body()))

        if consent:
            consent.oauthScope = list(set(scopes + consents[0].oauthScope))
        else:
            consent = Consent(
                oauthClient=client.dn,
                oauthSubject=user.dn,
                oauthScope=scopes,
            )

        consent.save()

        return render_template(
            "authorize.html", user=user, grant=grant, client=client, menu=False
        )

    if request.form["answer"] == "logout":
        del session["user_dn"]
        flash(gettext("You have been successfully logged out."), "success")
        return redirect(request.url)

    if request.form["answer"] == "deny":
        grant_user = None

    if request.form["answer"] == "accept":
        grant_user = user.dn

    return authorization.create_authorization_response(grant_user=grant_user)


@bp.route("/token", methods=["POST"])
def issue_token():
    return authorization.create_token_response()


@bp.route("/introspect", methods=["POST"])
def introspect_token():
    return authorization.create_endpoint_response(IntrospectionEndpoint.ENDPOINT_NAME)


@bp.route("/revoke", methods=["POST"])
def revoke_token():
    return authorization.create_endpoint_response(RevocationEndpoint.ENDPOINT_NAME)


@bp.route("/jwks.json")
def jwks():
    with open(current_app.config["JWT"]["PUBLIC_KEY"]) as fd:
        pubkey = fd.read()

    obj = jwk.dumps(pubkey, current_app.config["JWT"]["KTY"])
    return jsonify(
        {
            "keys": [
                {
                    "kid": None,
                    "use": "sig",
                    "alg": current_app.config["JWT"]["ALG"],
                    **obj,
                }
            ]
        }
    )
Use private/public keys to sign JWTs 2020-08-28 14:07:39 +00:00			`from authlib.jose import jwk`
Some authorization_code work 2020-08-17 15:49:49 +00:00			`from authlib.oauth2 import OAuth2Error`
			`from flask import Blueprint, request, session, redirect`
Temporary jwks endpoint 2020-08-26 09:54:35 +00:00			`from flask import render_template, jsonify, flash, current_app`
Some authorization_code work 2020-08-17 15:49:49 +00:00			`from flask_babel import gettext`
Remember consents 2020-09-17 08:00:39 +00:00			`from .models import User, Client, Consent`
Token revocation endpoint 2020-08-24 13:56:30 +00:00			`from .oauth2utils import authorization, IntrospectionEndpoint, RevocationEndpoint`
Admin login 2020-08-19 14:20:57 +00:00			`from .forms import LoginForm`
			`from .flaskutils import current_user`
Some authorization_code work 2020-08-17 15:49:49 +00:00

			`bp = Blueprint(__name__, "oauth")`


			`@bp.route("/authorize", methods=["GET", "POST"])`
			`def authorize():`
Admin login 2020-08-19 14:20:57 +00:00			`user = current_user()`
Some authorization_code work 2020-08-17 15:49:49 +00:00			`client = Client.get(request.values["client_id"])`
Remember consents 2020-09-17 08:00:39 +00:00			`scopes = request.args.get("scope", "").split(" ")`

			`# LOGIN`
Some authorization_code work 2020-08-17 15:49:49 +00:00
			`if not user:`
Remember consents 2020-09-17 08:00:39 +00:00			`if request.args.get("prompt") == "none":`
			`return jsonify({"error": "login_required"})`

Some authorization_code work 2020-08-17 15:49:49 +00:00			`form = LoginForm(request.form or None)`
			`if request.method == "GET":`
Authorization screen do not display menu 2020-08-20 09:32:33 +00:00			`return render_template("login.html", form=form, menu=False)`
Some authorization_code work 2020-08-17 15:49:49 +00:00
User refactoring 2020-08-21 08:23:39 +00:00			`if not form.validate() or not User.authenticate(`
			`form.login.data, form.password.data, True`
			`):`
Some authorization_code work 2020-08-17 15:49:49 +00:00			`flash(gettext("Login failed, please check your information"), "error")`
Authorization screen do not display menu 2020-08-20 09:32:33 +00:00			`return render_template("login.html", form=form, menu=False)`
Some authorization_code work 2020-08-17 15:49:49 +00:00
			`return redirect(request.url)`

Remember consents 2020-09-17 08:00:39 +00:00			`# CONSENT`

			`consents = Consent.filter(`
			`oauthClient=client.dn,`
			`oauthSubject=user.dn,`
			`)`
			`consent = consents[0] if consents else None`

Some authorization_code work 2020-08-17 15:49:49 +00:00			`if request.method == "GET":`
Remember consents 2020-09-17 08:00:39 +00:00			`if consent and all(scope in set(consent.oauthScope) for scope in scopes):`
			`return authorization.create_authorization_response(grant_user=user.dn)`

			`elif request.args.get("prompt") == "none":`
			`return jsonify({"error": "consent_required"})`

Some authorization_code work 2020-08-17 15:49:49 +00:00			`try:`
			`grant = authorization.validate_consent_request(end_user=user)`
			`except OAuth2Error as error:`
			`return jsonify(dict(error.get_body()))`

Remember consents 2020-09-17 08:00:39 +00:00			`if consent:`
			`consent.oauthScope = list(set(scopes + consents[0].oauthScope))`
			`else:`
			`consent = Consent(`
			`oauthClient=client.dn,`
			`oauthSubject=user.dn,`
			`oauthScope=scopes,`
			`)`

			`consent.save()`

Authorization screen do not display menu 2020-08-20 09:32:33 +00:00			`return render_template(`
			`"authorize.html", user=user, grant=grant, client=client, menu=False`
			`)`
Some authorization_code work 2020-08-17 15:49:49 +00:00
			`if request.form["answer"] == "logout":`
			`del session["user_dn"]`
			`flash(gettext("You have been successfully logged out."), "success")`
			`return redirect(request.url)`

			`if request.form["answer"] == "deny":`
			`grant_user = None`

			`if request.form["answer"] == "accept":`
			`grant_user = user.dn`

			`return authorization.create_authorization_response(grant_user=grant_user)`


			`@bp.route("/token", methods=["POST"])`
			`def issue_token():`
			`return authorization.create_token_response()`
Token introspection 2020-08-24 12:44:32 +00:00

			`@bp.route("/introspect", methods=["POST"])`
			`def introspect_token():`
			`return authorization.create_endpoint_response(IntrospectionEndpoint.ENDPOINT_NAME)`
Token revocation endpoint 2020-08-24 13:56:30 +00:00

			`@bp.route("/revoke", methods=["POST"])`
			`def revoke_token():`
			`return authorization.create_endpoint_response(RevocationEndpoint.ENDPOINT_NAME)`
Temporary jwks endpoint 2020-08-26 09:54:35 +00:00

			`@bp.route("/jwks.json")`
			`def jwks():`
Use private/public keys to sign JWTs 2020-08-28 14:07:39 +00:00			`with open(current_app.config["JWT"]["PUBLIC_KEY"]) as fd:`
			`pubkey = fd.read()`

			`obj = jwk.dumps(pubkey, current_app.config["JWT"]["KTY"])`
			`return jsonify(`
			`{`
			`"keys": [`
			`{`
			`"kid": None,`
			`"use": "sig",`
			`"alg": current_app.config["JWT"]["ALG"],`
			`**obj,`
			`}`
			`]`
			`}`
Temporary jwks endpoint 2020-08-26 09:54:35 +00:00			`)`