mirror of
https://github.com/donaldzou/WGDashboard.git
synced 2025-07-13 16:46:58 +00:00
Update DashboardOIDC.py
Testing more with OIDC
This commit is contained in:
Donald Zou
parent
491119d676
commit
a619e7f571
@ -3,6 +3,7 @@ import json
|
|||||||
import requests
|
import requests
|
||||||
from jose import jwt
|
from jose import jwt
|
||||||
import certifi
|
import certifi
|
||||||
|
from flask import current_app
|
||||||
|
|
||||||
|
|
||||||
class DashboardOIDC:
|
class DashboardOIDC:
|
||||||
@ -29,67 +30,80 @@ class DashboardOIDC:
|
|||||||
providers = {}
|
providers = {}
|
||||||
for k in self.providers.keys():
|
for k in self.providers.keys():
|
||||||
if all([self.providers[k]['client_id'], self.providers[k]['client_secret'], self.providers[k]['issuer']]):
|
if all([self.providers[k]['client_id'], self.providers[k]['client_secret'], self.providers[k]['issuer']]):
|
||||||
providers[k] = {
|
try:
|
||||||
'client_id': self.providers[k]['client_id'],
|
oidc_config = requests.get(
|
||||||
'issuer': self.providers[k]['issuer'].strip('/')
|
f"{self.providers[k]['issuer'].strip('/')}/.well-known/openid-configuration",
|
||||||
}
|
verify=certifi.where()
|
||||||
|
).json()
|
||||||
|
providers[k] = {
|
||||||
|
'client_id': self.providers[k]['client_id'],
|
||||||
|
'issuer': self.providers[k]['issuer'].strip('/')
|
||||||
|
}
|
||||||
|
except Exception as e:
|
||||||
|
current_app.logger.error("Failed to request OIDC config for this provider: " + self.providers[k]['issuer'].strip('/'), exc_info=e)
|
||||||
|
|
||||||
return providers
|
return providers
|
||||||
|
|
||||||
def VerifyToken(self, provider, code, redirect_uri):
|
def VerifyToken(self, provider, code, redirect_uri):
|
||||||
if not all([provider, code, redirect_uri]):
|
|
||||||
return False, ""
|
|
||||||
|
|
||||||
if provider not in self.providers.keys():
|
|
||||||
return False, "Provider does not exist"
|
|
||||||
|
|
||||||
provider = self.providers.get(provider)
|
|
||||||
oidc_config = requests.get(
|
|
||||||
f"{provider.get('issuer').strip('/')}/.well-known/openid-configuration",
|
|
||||||
verify=certifi.where()
|
|
||||||
|
|
||||||
).json()
|
|
||||||
|
|
||||||
data = {
|
|
||||||
"grant_type": "authorization_code",
|
|
||||||
"code": code,
|
|
||||||
"redirect_uri": redirect_uri,
|
|
||||||
"client_id": provider.get('client_id'),
|
|
||||||
"client_secret": provider.get('client_secret')
|
|
||||||
}
|
|
||||||
|
|
||||||
try:
|
try:
|
||||||
tokens = requests.post(oidc_config.get('token_endpoint'), data=data).json()
|
if not all([provider, code, redirect_uri]):
|
||||||
if not all([tokens.get('access_token'), tokens.get('id_token')]):
|
return False, ""
|
||||||
return False, tokens.get('error_description', None)
|
|
||||||
except Exception as e:
|
if provider not in self.providers.keys():
|
||||||
return False, str(e)
|
return False, "Provider does not exist"
|
||||||
|
|
||||||
|
|
||||||
|
provider = self.providers.get(provider)
|
||||||
id_token = tokens.get('id_token')
|
oidc_config = requests.get(
|
||||||
jwks_uri = oidc_config.get("jwks_uri")
|
f"{provider.get('issuer').strip('/')}/.well-known/openid-configuration",
|
||||||
issuer = oidc_config.get("issuer")
|
verify=certifi.where()
|
||||||
jwks = requests.get(jwks_uri, verify=certifi.where()).json()
|
|
||||||
print(jwks)
|
).json()
|
||||||
headers = jwt.get_unverified_header(id_token)
|
|
||||||
kid = headers["kid"]
|
data = {
|
||||||
|
"grant_type": "authorization_code",
|
||||||
key = next(k for k in jwks["keys"] if k["kid"] == kid)
|
"code": code,
|
||||||
|
"redirect_uri": redirect_uri,
|
||||||
payload = jwt.decode(
|
"client_id": provider.get('client_id'),
|
||||||
id_token,
|
"client_secret": provider.get('client_secret')
|
||||||
key,
|
}
|
||||||
algorithms=[key["alg"]],
|
|
||||||
audience=provider.get('client_id'),
|
try:
|
||||||
issuer=issuer
|
tokens = requests.post(oidc_config.get('token_endpoint'), data=data).json()
|
||||||
)
|
if not all([tokens.get('access_token'), tokens.get('id_token')]):
|
||||||
|
return False, tokens.get('error_description', None)
|
||||||
return True, payload
|
except Exception as e:
|
||||||
|
return False, str(e)
|
||||||
|
|
||||||
|
id_token = tokens.get('id_token')
|
||||||
|
jwks_uri = oidc_config.get("jwks_uri")
|
||||||
|
issuer = oidc_config.get("issuer")
|
||||||
|
jwks = requests.get(jwks_uri, verify=certifi.where()).json()
|
||||||
|
|
||||||
|
headers = jwt.get_unverified_header(id_token)
|
||||||
|
kid = headers["kid"]
|
||||||
|
|
||||||
|
key = next(k for k in jwks["keys"] if k["kid"] == kid)
|
||||||
|
|
||||||
|
payload = jwt.decode(
|
||||||
|
id_token,
|
||||||
|
key,
|
||||||
|
algorithms=[key["alg"]],
|
||||||
|
audience=provider.get('client_id'),
|
||||||
|
issuer=issuer
|
||||||
|
)
|
||||||
|
|
||||||
|
return True, payload
|
||||||
|
except Exception as e:
|
||||||
|
current_app.logger.error('Read OIDC file failed. Reason: ' + str(e), provider, code, redirect_uri)
|
||||||
|
return False, str(e)
|
||||||
|
|
||||||
|
|
||||||
def ReadFile(self):
|
def ReadFile(self):
|
||||||
decoder = json.JSONDecoder()
|
decoder = json.JSONDecoder()
|
||||||
self.providers = decoder.decode(
|
try:
|
||||||
open(DashboardOIDC.ConfigurationFilePath, 'r').read()
|
self.providers = decoder.decode(
|
||||||
)
|
open(DashboardOIDC.ConfigurationFilePath, 'r').read()
|
||||||
|
)
|
||||||
|
except Exception as e:
|
||||||
|
current_app.logger.error('Read OIDC file failed. Reason: ' + str(e))
|
||||||
|
return False
|
||||||
Loading…
x
Reference in New Issue
Block a user