From 950fcb4174899c969c71d457a221445dd54d6697 Mon Sep 17 00:00:00 2001
From: Helmut Merz
Date: Wed, 26 Mar 2025 18:15:38 +0100
Subject: [PATCH] oidc auth: login and retrieval of user data basically working

---
 demo/config.py | 4 +++-
 scopes/server/auth.py | 26 +++++++++++++++++++++-----
 2 files changed, 24 insertions(+), 6 deletions(-)

diff --git a/demo/config.py b/demo/config.py
index 1bee53c..3acaaab 100644
--- a/demo/config.py
+++ b/demo/config.py
@@ -24,10 +24,12 @@
 oidc_provider = 'https://a1.cy7.de'
 oidc_client_id = getenv('OIDC_CLIENT_ID', '311613119816392525')
 oidc_params = dict(
     auth_url=getenv('OIDC_PROVIDER_URL', oidc_provider + '/oauth/v2/authorize'),
+    token_url=getenv('OIDC_TOKEN_URL', oidc_provider + '/oauth/v2/token'),
+    userinfo_url=getenv('OIDC_USERINFO_URL', oidc_provider + '/oidc/v1/userinfo'),
     callback_url=getenv('OIDC_CALLBACK_URL', base_url + '/auth/callback'),
     client_id = oidc_client_id,
     cookie_name=getenv('OIDC_COOKIE_NAME', 'oidc_' + oidc_client_id),
-    cookie_domain=getenv('OIDC_COOKIE_DOMAIN', 'cy7.de'),
+    cookie_domain=getenv('OIDC_COOKIE_DOMAIN', None),
     cookie_lifetime=getenv('OIDC_COOKIE_LIFETIME', '86400'),
 )
diff --git a/scopes/server/auth.py b/scopes/server/auth.py
index 8fc4090..7cf8a3b 100644
--- a/scopes/server/auth.py
+++ b/scopes/server/auth.py
@@ -4,6 +4,7 @@ from email.utils import formatdate
 import json
 from oic import oic, rndstr, unreserved
 from oic.oic.message import AuthorizationResponse
+import requests
 from time import time
 from zope.authentication.interfaces import IAuthentication
 from zope.interface import implementer
@@ -67,7 +68,7 @@ class Authenticator(DummyFolder):
         print('*** login', self, req.getTraversalStack(), req['PATH_INFO'])
         #print('***', dir(req))
         client = oic.Client()
-        #providerInfo = client.provider_config(params['provider_url'])
+        #providerInfo = client.provider_config(config.oidc_provider)
         #print('***', providerInfo)
         state = rndstr()
         nonce = rndstr()
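Review bot: The new `token_url` and `userinfo_url` entries can each be overridden by their own environment variable independently of `auth_url`, so nothing in this config ties the three endpoints to one issuer, and the callback in auth.py will post the authorization code and PKCE verifier to whatever host `OIDC_TOKEN_URL` names and trust whatever `OIDC_USERINFO_URL` returns. The `client.provider_config(...)` call left commented out in auth.py would derive all three from the issuer's discovery document, which is the usual way to keep them consistent; until then the invariant deserves a comment above `token_url`, e.g. `# token_url and userinfo_url must belong to the same issuer as auth_url: the callback sends the code and PKCE verifier to token_url without further checks`. The `cookie_domain` default of `None` is fine as long as the cookie code treats it as "host-only", which is not visible here.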
@@ -78,9 +79,10 @@ class Authenticator(DummyFolder):
             scope=['openid', 'profile'],
             redirect_uri=self.params['callback_url'],
         )
-        addArgs, codeVerifyer = client.add_code_challenge()
+        addArgs, codeVerifier = client.add_code_challenge()
+        print('***', addArgs, codeVerifier)
         args.update(addArgs)
-        self.storeSession(dict(state=state, nonce=nonce, codeVerifyer=codeVerifyer))
+        self.storeSession(dict(state=state, nonce=nonce, code_verifier=codeVerifier))
         authReq = client.construct_AuthorizationRequest(request_args=args)
         loginUrl = authReq.request(self.params['auth_url'])
         print('***', loginUrl)
@@ -91,8 +93,22 @@ class Authenticator(DummyFolder):
         print('*** callback', self, req.form)
         data = self.loadSession()
         code = req.form['code']
-        client = oic.Client()
-        print('***', data, code, client)
+        print('***', data, code)
+        # !check state: req.form['state'] == data['state']
+        args = dict(
+            grant_type='authorization_code',
+            code=code,
+            redirect_uri=self.params['callback_url'],
+            client_id=self.params['client_id'],
+            code_verifier=data['code_verifier']
+        )
+        # !set header: 'Content-Type: application/x-www-form-urlencoded'
+        tokenResponse = requests.post(self.params['token_url'], data=args)
+        tdata = tokenResponse.json()
+        print('***', tdata)
+        headers = dict(Authorization='Bearer ' + tdata['access_token'])
+        userInfo = requests.get(self.params['userinfo_url'], headers=headers)
+        print('***', userInfo.json())
 
     def storeSession(self, data):
         options = {}
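Review bot: The added `print('***', addArgs, codeVerifier)` writes the PKCE code verifier to stdout, and the existing `print('***', loginUrl)` three lines later writes the matching challenge and state, so anyone who can read the process output holds everything needed to finish this login's code exchange. The verifier is a per-login secret and belongs only in the session; drop it from the debug output, `print('***', addArgs)`, or remove the print altogether before this leaves the "basically working" stage. The enclosing `login` method starts outside the hunk.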
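Review bot: The state comparison at `# !check state` is only a comment, so the token exchange below runs for any callback regardless of the `state` value, which removes the CSRF and login-binding protection that `state` exists for; the comparison has to run before the `requests.post` and abort on mismatch. The `nonce` stored in `login` is likewise never compared against the id_token, and `tdata['access_token']` is read without looking at the response status, so an error reply from the token endpoint surfaces as a KeyError rather than a clear failure. The two `print` calls also write the full token response and the userinfo body to stdout, which puts a bearer token in the logs, and both `requests` calls run without a `timeout`. The rewrite below adds the state check, status checks and timeouts and drops the token-printing; whether `loadSession()` can return None is not visible here, so that guard is defensive, and the nonce/id_token validation still needs to be added with the oic library already imported. The enclosing `callback` method starts outside the hunk.
```python
        # … unchanged: print('*** callback', ...), data = self.loadSession() …
        # state binds this callback to the login that stored the session;
        # reject anything else before touching the token endpoint
        if data is None or req.form.get('state') != data.get('state'):
            raise ValueError('OIDC state mismatch')
        code = req.form['code']
        args = dict(
            grant_type='authorization_code',
            code=code,
            redirect_uri=self.params['callback_url'],
            client_id=self.params['client_id'],
            code_verifier=data['code_verifier'],
        )
        # requests encodes a dict passed as data= as application/x-www-form-urlencoded
        tokenResponse = requests.post(self.params['token_url'], data=args, timeout=10)
        tokenResponse.raise_for_status()
        tdata = tokenResponse.json()
        # do not log tdata: it carries the access token and the id_token
        # TODO: validate tdata['id_token'] and compare its nonce with data['nonce']
        headers = dict(Authorization='Bearer ' + tdata['access_token'])
        userInfo = requests.get(self.params['userinfo_url'], headers=headers, timeout=10)
        userInfo.raise_for_status()
        # … unchanged: userInfo.json() handed on to the caller …
```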