Testing OAuth2 and OpenID Connect with FastApi
phil 8b3a339196
CI: fix container tag
2025-03-22 01:01:32 +01:00

OIDC test application

oidc-test is a simple web application for testing different OIDC providers, and a template for Python FastAPI applications.

It has been tested with several OIDC providers: Auth0 (public), Keycloak (private) and Forgejo (a private instance, and the public Codeberg instance).

It should work with Google, Azure and other cloud services providing an OIDC authentication service.

It is a stateless application (no data is persisted, so every restart begins from a clean state) and it has no database connection. Models are nevertheless defined with the SQLModel library, because the application is designed as a template for integration into other FastAPI/SQLModel applications.

Feedback welcome.

Resource server

It also functions as a resource server in an OAuth architecture. See the sibling test project oidc-vue-test, a web-based OIDC/OAuth client.

RBAC

The application is also a playground for RBAC (Role Based Access Control) implemented with OIDC. It has a few different resources (web pages) for testing RBAC. For convenience, the home page checks (with JavaScript) whether the end user can access each of them and color-codes the links to those pages accordingly.

Two roles are defined in the application: foorole and barrole.

If the user has these roles defined in the identity provider and they are exposed in the userinfo endpoint, these pages should return HTTP success (200).

If the user does not have the required role(s), an HTTP access denied (401) code is returned.
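The role gate described above, as an added example that is not the project's own code. It is kept framework-free so it can be wrapped in a FastAPI dependency; the claim shapes it reads (a flat "roles" list, or Keycloak's nested "realm_access.roles") and the page that requires both roles are assumptions, and the userinfo responses are constructed.

```python
# Added example (not the project's own code): the role gate the RBAC section
# describes, kept framework-free so it can wrap a FastAPI dependency. Claim
# shapes are assumptions: a flat "roles" list, or Keycloak's "realm_access.roles".
from typing import Mapping, Optional

# Page -> required roles, using the two roles the README defines; the page
# that needs both roles is an assumed addition to show the "role(s)" case.
PAGE_ROLES = {
    "/foo": frozenset({"foorole"}),
    "/bar": frozenset({"barrole"}),
    "/foobar": frozenset({"foorole", "barrole"}),
}

def roles_from_userinfo(userinfo: Mapping) -> frozenset:
    """Collect role names from the claim shapes we know about."""
    found = set()
    flat = userinfo.get("roles")
    if isinstance(flat, list):
        found.update(str(r) for r in flat)
    nested = userinfo.get("realm_access")
    if isinstance(nested, Mapping) and isinstance(nested.get("roles"), list):
        found.update(str(r) for r in nested["roles"])
    return frozenset(found)

def access_status(page: str, userinfo: Optional[Mapping]) -> int:
    """Status the page answers with: 200 when every required role is present,
    401 otherwise (the denial code the README documents). Pages not listed
    in PAGE_ROLES are treated as public (an assumption)."""
    required = PAGE_ROLES.get(page, frozenset())
    if not required:
        return 200
    if userinfo is None:  # not logged in at all
        return 401
    return 200 if required <= roles_from_userinfo(userinfo) else 401

# Constructed sample userinfo responses, not real provider output.
KEYCLOAK_USER = {"sub": "u1", "realm_access": {"roles": ["foorole"]}}
FLAT_USER = {"sub": "u2", "roles": ["foorole", "barrole"]}

if __name__ == "__main__":
    for user in (None, KEYCLOAK_USER, FLAT_USER):
        print({page: access_status(page, user) for page in PAGE_ROLES})
```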

Deployment

A Python package and a container are provided.

Configuration

The application reads a simple YAML file that you configure to expose the different login options shown in the application's "Login" box, using the values issued by each OIDC provider.

For example:

secret_key: AVeryWellKeptSecret
debug_token: no
show_token: yes
log: yes

auth:
  providers:
    - id: auth0
      name: Okta / Auth0
      url: https://<your_auth0_app_URL>
      public_key_url: https://<your_auth0_app_URL>/pem
      client_id: <your_auth0_client_id>
      client_secret: client_secret_generated_by_auth0
      hint: A hint for test credentials

    - id: keycloak
      name: Keycloak at somewhere
      url: https://<the_keycloak_realm_url>
      info_url: https://philo.ydns.eu/auth/realms/test
      account_url_template: /account
      client_id: <your_keycloak_client_id>
      client_secret: <client_secret_generated_by_keycloak>
      hint: A hint for test credentials
      code_challenge_method: S256
      resource_provider_scopes:
        - get:time
        - get:bs
      resource_providers:
        - id: <third_party_resource_provider_id>
          name: A third party resource provider
          base_url: https://some.example.com/
          verify_ssl: yes
          resources:
            - name: Public RS2
              resource_name: public
              url: resource/public
            - name: BS RS2
              resource_name: bs
              url: resource/bs
            - name: Time RS2
              resource_name: time
              url: resource/time

    - id: codeberg
      disabled: no
      name: Codeberg
      url: https://codeberg.org
      account_url_template: /user/settings
      client_id: <your_codeberg_client_id>
      client_secret: client_secret_generated_by_codeberg
      info_url: https://codeberg.org/login/oauth/keys
      session_key: sub
      skip_verify_signature: no
      resources:
        - name: List of repos
          id: repos
          url: /api/v1/user/repos
        - name: List of OAuth2 applications
          id: oauth2_applications
          url: /api/v1/user/applications/oauth2

cors_origins:
  - https://some.client
  - https://localhost:8000

The application reads the OIDC_TEST_SETTINGS_FILE environment variable to determine the location of this file at startup.

For example, to run on port 8000 in a container, with the settings file in the current working directory:

podman run -p 8000:80 --env OIDC_TEST_SETTINGS_FILE=/app/settings.yaml --mount type=bind,source=settings.yaml,destination=/app/settings.yaml code.philo.ydns.eu/philorg/oidc-fastapi-test:latest
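How a provider entry from the settings file above turns into an authorization request, as an added example that is not the project's own code. It uses the PKCE S256 method the keycloak entry selects and also shows the verifier check the authorization server performs; PROVIDER mirrors that YAML entry, while the redirect URI and the "/protocol/openid-connect/auth" path are assumptions (the real endpoint comes from the provider's discovery document).

```python
# Added example (not the project's own code): builds the authorization request
# for a provider entry of the settings file, using the PKCE S256 method the
# keycloak entry selects. PROVIDER mirrors that YAML entry; the redirect URI and
# the "/protocol/openid-connect/auth" path are assumptions.
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode

PROVIDER = {  # mirrors the keycloak entry of the YAML example above
    "id": "keycloak",
    "url": "https://<the_keycloak_realm_url>",
    "client_id": "<your_keycloak_client_id>",
    "code_challenge_method": "S256",
    "resource_provider_scopes": ["get:time", "get:bs"],
}

def new_verifier() -> str:
    """PKCE code_verifier: 43-128 unreserved chars; token_urlsafe(64) yields 86."""
    return secrets.token_urlsafe(64)

def s256_challenge(verifier: str) -> str:
    """RFC 7636 S256: BASE64URL(SHA256(ASCII(verifier))) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def build_auth_request(provider: dict, redirect_uri: str, verifier: str, state: str) -> str:
    """Authorization URL for the provider; the verifier stays in the session."""
    scopes = ["openid", "profile"] + provider.get("resource_provider_scopes", [])
    params = {
        "response_type": "code",
        "client_id": provider["client_id"],
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,  # CSRF binding, checked again on the callback
    }
    method = provider.get("code_challenge_method")
    if method == "S256":
        params["code_challenge"] = s256_challenge(verifier)
        params["code_challenge_method"] = "S256"
    elif method is not None:
        raise ValueError(f"unsupported code_challenge_method {method!r}")
    return provider["url"].rstrip("/") + "/protocol/openid-connect/auth?" + urlencode(params)

def auth_params(url: str) -> dict:
    """Query parameters of an authorization URL (single-valued)."""
    return {k: v[0] for k, v in parse_qs(url.split("?", 1)[1]).items()}

def challenge_matches(verifier: str, challenge: str) -> bool:
    """Token-endpoint check: the presented verifier must hash to the challenge."""
    return secrets.compare_digest(s256_challenge(verifier), challenge)
```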