340 lines
12 KiB
Python
340 lines
12 KiB
Python
"""
|
|
Test of OpenId Connect & OAuth2 with FastAPI
|
|
"""
|
|
|
|
from typing import Annotated
|
|
from pathlib import Path
|
|
from datetime import datetime
|
|
import logging
|
|
from urllib.parse import urlencode
|
|
from contextlib import asynccontextmanager
|
|
|
|
from httpx import HTTPError
|
|
from fastapi import Depends, FastAPI, HTTPException, Request, status
|
|
from fastapi.staticfiles import StaticFiles
|
|
from fastapi.responses import HTMLResponse, RedirectResponse
|
|
from fastapi.templating import Jinja2Templates
|
|
from fastapi.middleware.cors import CORSMiddleware
|
|
from jwt import InvalidTokenError, PyJWTError
|
|
from starlette.middleware.sessions import SessionMiddleware
|
|
from authlib.integrations.starlette_client.apps import StarletteOAuth2App
|
|
from authlib.integrations.base_client import OAuthError
|
|
from authlib.oauth2.rfc6749 import OAuth2Token
|
|
|
|
# TODO: PKCE
|
|
# from authlib.integrations.httpx_client import AsyncOAuth2Client
|
|
# from fastapi.security import OpenIdConnect
|
|
# from pkce import generate_code_verifier, generate_pkce_pair
|
|
|
|
from .settings import settings, oidc_providers_settings
|
|
from .models import User
|
|
from .auth_utils import (
|
|
get_oidc_provider,
|
|
get_oidc_provider_or_none,
|
|
get_current_user_or_none,
|
|
authlib_oauth,
|
|
get_providers_info,
|
|
get_token_or_none,
|
|
get_token,
|
|
update_token,
|
|
)
|
|
from .auth_misc import pretty_details
|
|
from .database import TokenNotInDb, db
|
|
from .resource_server import resource_server
|
|
|
|
logger = logging.getLogger("oidc-test")
|
|
|
|
templates = Jinja2Templates(Path(__file__).parent / "templates")
|
|
|
|
|
|
@asynccontextmanager
|
|
async def lifespan(app: FastAPI):
|
|
assert app is not None
|
|
await get_providers_info()
|
|
yield
|
|
|
|
|
|
app = FastAPI(title="OIDC auth test", lifespan=lifespan)
|
|
|
|
app.add_middleware(
|
|
CORSMiddleware,
|
|
allow_origins=settings.cors_origins,
|
|
allow_credentials=True,
|
|
allow_methods=["*"],
|
|
allow_headers=["*"],
|
|
)
|
|
|
|
# SessionMiddleware is required by authlib
|
|
app.add_middleware(
|
|
SessionMiddleware,
|
|
secret_key=settings.secret_key,
|
|
)
|
|
|
|
app.mount("/static", StaticFiles(directory=Path(__file__).parent / "static"), name="static")
|
|
app.mount("/resource", resource_server, name="resource_server")
|
|
|
|
|
|
@app.get("/")
|
|
async def home(
|
|
request: Request,
|
|
user: Annotated[User, Depends(get_current_user_or_none)],
|
|
oidc_provider: Annotated[StarletteOAuth2App | None, Depends(get_oidc_provider_or_none)],
|
|
token: Annotated[OAuth2Token | None, Depends(get_token_or_none)],
|
|
) -> HTMLResponse:
|
|
now = datetime.now()
|
|
if oidc_provider and (
|
|
(
|
|
oidc_provider_settings := oidc_providers_settings.get(
|
|
request.session.get("oidc_provider_id", "")
|
|
)
|
|
)
|
|
is not None
|
|
):
|
|
resources = oidc_provider_settings.resources
|
|
else:
|
|
resources = []
|
|
oidc_provider_settings = None
|
|
|
|
if user is None:
|
|
access_token_scope = None
|
|
else:
|
|
try:
|
|
access_token_scope = user.get_scope(verify_signature=False)
|
|
except InvalidTokenError as err:
|
|
access_token_scope = None
|
|
logger.info("Invalid token")
|
|
logger.exception(err)
|
|
|
|
context = {
|
|
"settings": settings.model_dump(),
|
|
"user": user,
|
|
"access_token_scope": access_token_scope,
|
|
"now": now,
|
|
"oidc_provider": oidc_provider,
|
|
"oidc_provider_settings": oidc_provider_settings,
|
|
"resources": resources,
|
|
}
|
|
if token is None:
|
|
context["access_token"] = None
|
|
context["id_token_parsed"] = None
|
|
context["access_token_parsed"] = None
|
|
context["refresh_token_parsed"] = None
|
|
else:
|
|
context["access_token"] = token["access_token"]
|
|
assert oidc_provider is not None
|
|
assert oidc_provider.name is not None
|
|
oidc_provider_settings = oidc_providers_settings[oidc_provider.name]
|
|
# context["id_token_parsed"] = pretty_details(user, now)
|
|
context["id_token_parsed"] = oidc_provider_settings.decode(
|
|
token["id_token"], verify_signature=False
|
|
)
|
|
context["access_token_parsed"] = oidc_provider_settings.decode(
|
|
token["access_token"], verify_signature=False
|
|
)
|
|
context["refresh_token_parsed"] = oidc_provider_settings.decode(
|
|
token["refresh_token"], verify_signature=False
|
|
)
|
|
return templates.TemplateResponse(name="home.html", request=request, context=context)
|
|
|
|
|
|
# Endpoints for the login / authorization process
|
|
|
|
|
|
@app.get("/login/{oidc_provider_id}")
|
|
async def login(request: Request, oidc_provider_id: str) -> RedirectResponse:
|
|
"""Login with the provider id, giving the browser a redirect to its authorize page.
|
|
The provider is expected to send the browser back to our own /auth/{oidc_provider_id} url
|
|
with the token.
|
|
"""
|
|
redirect_uri = request.url_for("auth", oidc_provider_id=oidc_provider_id)
|
|
try:
|
|
provider: StarletteOAuth2App = getattr(authlib_oauth, oidc_provider_id)
|
|
except AttributeError:
|
|
raise HTTPException(status.HTTP_401_UNAUTHORIZED, "No such provider")
|
|
# if (
|
|
# code_challenge_method := oidc_providers_settings[
|
|
# oidc_provider_id
|
|
# ].code_challenge_method
|
|
# ) is not None:
|
|
# #client = AsyncOAuth2Client(..., code_challenge_method=code_challenge_method)
|
|
# code_verifier = generate_code_verifier()
|
|
# logger.debug("TODO: PKCE")
|
|
# else:
|
|
# code_verifier = None
|
|
try:
|
|
response = await provider.authorize_redirect(
|
|
request,
|
|
redirect_uri,
|
|
access_type="offline",
|
|
code_verifier=None,
|
|
)
|
|
return response
|
|
except HTTPError:
|
|
raise HTTPException(status.HTTP_401_UNAUTHORIZED, "Cannot reach provider")
|
|
|
|
|
|
@app.get("/auth/{oidc_provider_id}")
|
|
async def auth(request: Request, oidc_provider_id: str) -> RedirectResponse:
|
|
"""Decrypt the auth token, store it to the session (cookie based)
|
|
and response to the browser with a redirect to a "welcome user" page.
|
|
"""
|
|
try:
|
|
oidc_provider: StarletteOAuth2App = getattr(authlib_oauth, oidc_provider_id)
|
|
except AttributeError:
|
|
raise HTTPException(status.HTTP_401_UNAUTHORIZED, "No such provider")
|
|
try:
|
|
token: OAuth2Token = await oidc_provider.authorize_access_token(request)
|
|
except OAuthError as error:
|
|
raise HTTPException(status.HTTP_401_UNAUTHORIZED, detail=error.error)
|
|
# Remember the oidc_provider in the session
|
|
# logger.info(f"Scope: {token['scope']}")
|
|
request.session["oidc_provider_id"] = oidc_provider_id
|
|
#
|
|
# One could process the full decoded token which contains extra information
|
|
# eg for updates. Here we are only interested in roles
|
|
#
|
|
if userinfo := token.get("userinfo"):
|
|
# Remember the oidc_provider in the session
|
|
request.session["oidc_provider_id"] = oidc_provider_id
|
|
# User id (sub) given by oidc provider
|
|
sub = userinfo["sub"]
|
|
# Build and remember the user in the session
|
|
request.session["user_sub"] = sub
|
|
# Store the user in the database, which also verifies the token validity and signature
|
|
try:
|
|
user = await db.add_user(
|
|
sub,
|
|
user_info=userinfo,
|
|
oidc_provider=oidc_provider,
|
|
access_token=token["access_token"],
|
|
)
|
|
except PyJWTError as err:
|
|
raise HTTPException(
|
|
status.HTTP_401_UNAUTHORIZED,
|
|
detail=f"Token invalid: {err.__class__.__name__}",
|
|
)
|
|
assert isinstance(user, User)
|
|
# Add the provider session id to the session
|
|
request.session["sid"] = userinfo["sid"]
|
|
# Add the token to the db because it is used for logout
|
|
assert oidc_provider.name is not None
|
|
oidc_provider_settings = oidc_providers_settings[oidc_provider.name]
|
|
await db.add_token(oidc_provider_settings, token)
|
|
# Send the user to the home: (s)he is authenticated
|
|
return RedirectResponse(url=request.url_for("home"))
|
|
else:
|
|
# Not sure if it's correct to redirect to plain login
|
|
# if no userinfo is provided
|
|
return RedirectResponse(url=request.url_for("login", oidc_provider_id=oidc_provider_id))
|
|
|
|
|
|
@app.get("/account")
|
|
async def account(
|
|
request: Request,
|
|
) -> RedirectResponse:
|
|
if (
|
|
oidc_provider_settings := oidc_providers_settings.get(
|
|
request.session.get("oidc_provider_id", "")
|
|
)
|
|
) is None:
|
|
raise HTTPException(status.HTTP_406_NOT_ACCEPTABLE, detail="No oidc provider settings")
|
|
return RedirectResponse(f"{oidc_provider_settings.account_url_template}")
|
|
|
|
|
|
@app.get("/logout")
|
|
async def logout(
|
|
request: Request,
|
|
oidc_provider: Annotated[StarletteOAuth2App, Depends(get_oidc_provider)],
|
|
) -> RedirectResponse:
|
|
# Clear session
|
|
request.session.pop("user_sub", None)
|
|
# Get provider's endpoint
|
|
if (provider_logout_uri := oidc_provider.server_metadata.get("end_session_endpoint")) is None:
|
|
logger.warn(f"Cannot find end_session_endpoint for provider {oidc_provider.name}")
|
|
return RedirectResponse(request.url_for("non_compliant_logout"))
|
|
post_logout_uri = request.url_for("home")
|
|
oidc_provider_settings = oidc_providers_settings.get(
|
|
request.session.get("oidc_provider_id", "")
|
|
)
|
|
assert oidc_provider_settings is not None
|
|
try:
|
|
token = await db.get_token(oidc_provider_settings, request.session.pop("sid", None))
|
|
except TokenNotInDb:
|
|
logger.warn("No session in db for the token or no token")
|
|
return RedirectResponse(request.url_for("home"))
|
|
logout_url = (
|
|
provider_logout_uri
|
|
+ "?"
|
|
+ urlencode(
|
|
{
|
|
"post_logout_redirect_uri": post_logout_uri,
|
|
"id_token_hint": token["id_token"],
|
|
"cliend_id": "oidc_local_test",
|
|
}
|
|
)
|
|
)
|
|
return RedirectResponse(logout_url)
|
|
|
|
|
|
@app.get("/non-compliant-logout")
|
|
async def non_compliant_logout(
|
|
request: Request,
|
|
oidc_provider: Annotated[StarletteOAuth2App, Depends(get_oidc_provider)],
|
|
):
|
|
"""A page for non-compliant OAuth2 servers that we cannot log out."""
|
|
# Clear the remain of the session
|
|
request.session.pop("oidc_provider_id", None)
|
|
return templates.TemplateResponse(
|
|
name="non_compliant_logout.html",
|
|
request=request,
|
|
context={"oidc_provider": oidc_provider, "home_url": request.url_for("home")},
|
|
)
|
|
|
|
|
|
@app.get("/refresh")
|
|
async def refresh(
|
|
request: Request,
|
|
oidc_provider: Annotated[StarletteOAuth2App, Depends(get_oidc_provider)],
|
|
token: Annotated[OAuth2Token, Depends(get_token)],
|
|
) -> RedirectResponse:
|
|
"""Manually refresh token"""
|
|
new_token = await oidc_provider.fetch_access_token(
|
|
refresh_token=token["refresh_token"],
|
|
grant_type="refresh_token",
|
|
)
|
|
await update_token(oidc_provider.name, new_token)
|
|
return RedirectResponse(url=request.url_for("home"))
|
|
|
|
|
|
# Snippet for running standalone
|
|
# Mostly useful for the --version option,
|
|
# as running with uvicorn is easy and provides better flexibility, eg.
|
|
# uvicorn --host foo oidc_test.main:app --reload
|
|
|
|
|
|
def main():
|
|
from uvicorn import run
|
|
from argparse import ArgumentParser
|
|
|
|
parser = ArgumentParser(description=__doc__)
|
|
parser.add_argument(
|
|
"-l",
|
|
"--host",
|
|
type=str,
|
|
default="0.0.0.0",
|
|
help="Address to listen to (default: 0.0.0.0)",
|
|
)
|
|
parser.add_argument(
|
|
"-p", "--port", type=int, default=80, help="Port to listen to (default: 80)"
|
|
)
|
|
parser.add_argument("-v", "--version", action="store_true", help="Print version and exit")
|
|
args = parser.parse_args()
|
|
|
|
if args.version:
|
|
import sys
|
|
from importlib.metadata import version
|
|
|
|
print(version("oidc-fastapi-test"))
|
|
sys.exit(0)
|
|
|
|
run(app, host=args.host, port=args.port)
|