# OIDC test application *oidc-test* is a simple web application for testing different OIDC providers, and a template for Python FastAPI. It has been tested with some OIDC providers like Auth0 (public), Keycloak (private), Forgejo (private and public with Codeberg). It should work with Google, Azure and other cloud services providing an OIDC authentication service. It is a *stateless* application (no data are saved and it restarts as vanilla), and there is no database connection, although models are defined with the SQLModel library and it is designed as a template for integration in other FastAPI/SQLModel applications. Feedback welcome. ## Resource server It also functions as a resource server in a OAuth architecture. See a sibling test project, a web based OIDC/OAuth: [oidc-vue-test](https://code.philo.ydns.eu/philorg/oidc-vue-test). ## RBAC The application is also a playground for RBAC (Role Based Access control) implemented with OIDC. The application has few different resources (web pages) for testing RBAC. The home page checks (with Javascript) if those are accessible by the end user for convenience, color-coding the links to those pages. 2 roles are defined in the application: foorole and barrole. If the user has these roles defined in the ID provider and they are exposed in the `userinfo` endpoint, the return code of these pages should be HTTP success (200). If the user does not have the required role(s), a HTTP access denied (401) code is returned. ## Deployment A Python package and a container are provided. ## Configuration The application reads a simple `yaml` file that you should configure to expose different login options in the application's "Login" box, with values given by the OIDC providers. For example: ```yaml secret_key: AVeryWellKeptSecret debug_token: no show_token: yes log: yes auth: providers: - id: auth0 name: Okta / Auth0 url: https:// public_key_url: https:///pem client_id: client_secret: client_secret_generated_by_auth0 hint: A hint for test credentials - id: keycloak name: Keycloak at somewhere url: https:// info_url: https://philo.ydns.eu/auth/realms/test account_url_template: /account client_id: client_secret: hint: A hint for test credentials code_challenge_method: S256 resource_provider_scopes: - get:time - get:bs resource_providers: - id: name: A third party resource provider base_url: https://some.example.com/ verify_ssl: yes resources: - name: Public RS2 resource_name: public url: resource/public - name: BS RS2 resource_name: bs url: resource/bs - name: Time RS2 resource_name: time url: resource/time - id: codeberg disabled: no name: Codeberg url: https://codeberg.org account_url_template: /user/settings client_id: client_secret: client_secret_generated_by_codeberg info_url: https://codeberg.org/login/oauth/keys session_key: sub skip_verify_signature: no resources: - name: List of repos id: repos url: /api/v1/user/repos - name: List of OAuth2 applications id: oauth2_applications url: /api/v1/user/applications/oauth2 cors_origins: - https://some.client - https://localhost:8000 ``` The application reads the `OIDC_TEST_SETTINGS_FILE` environment variable to determine the location of this file at startup. For example, to run on port 8000 in a container, with the setting file in the current working directory: ```sh podman run -p 8000:80 --env OIDC_TEST_CONFIG_FILE=/app/settings.yaml --mount type=bind,source=settings.yaml,destination=/app/settings.yaml code.philo.ydns.eu/philorg/oidc-fastapi-test:latest ```