oidc auth: login and retrieval of user data basically working

2025-03-26 18:15:38 +01:00 · 2025-03-26 18:15:38 +01:00 · 950fcb4174
commit 950fcb4174
parent c1f07effee
2 changed files with 24 additions and 6 deletions
--- a/demo/config.py
+++ b/demo/config.py
@ -24,10 +24,12 @@ oidc_provider = 'https://a1.cy7.de'
 oidc_client_id = getenv('OIDC_CLIENT_ID', '311613119816392525')
 oidc_params = dict(
    auth_url=getenv('OIDC_PROVIDER_URL', oidc_provider + '/oauth/v2/authorize'),
+    token_url=getenv('OIDC_TOKEN_URL', oidc_provider + '/oauth/v2/token'),
+    userinfo_url=getenv('OIDC_USERINFO_URL', oidc_provider + '/oidc/v1/userinfo'),
    callback_url=getenv('OIDC_CALLBACK_URL', base_url + '/auth/callback'),
    client_id = oidc_client_id,
    cookie_name=getenv('OIDC_COOKIE_NAME', 'oidc_' + oidc_client_id),
-    cookie_domain=getenv('OIDC_COOKIE_DOMAIN', 'cy7.de'),
+    cookie_domain=getenv('OIDC_COOKIE_DOMAIN', None),
    cookie_lifetime=getenv('OIDC_COOKIE_LIFETIME', '86400'),
 )

--- a/scopes/server/auth.py
+++ b/scopes/server/auth.py
@ -4,6 +4,7 @@ from email.utils import formatdate
 import json
 from oic import oic, rndstr, unreserved
 from oic.oic.message import AuthorizationResponse
+import requests
 from time import time
 from zope.authentication.interfaces import IAuthentication
 from zope.interface import implementer
@ -67,7 +68,7 @@ class Authenticator(DummyFolder):
        print('*** login', self, req.getTraversalStack(), req['PATH_INFO'])
        #print('***', dir(req))
        client = oic.Client()
-        #providerInfo = client.provider_config(params['provider_url'])
+        #providerInfo = client.provider_config(config.oidc_provider)
        #print('***', providerInfo)
        state = rndstr()
        nonce = rndstr()
@ -78,9 +79,10 @@ class Authenticator(DummyFolder):
                scope=['openid', 'profile'],
                redirect_uri=self.params['callback_url'],
        )
-        addArgs, codeVerifyer = client.add_code_challenge()
+        addArgs, codeVerifier = client.add_code_challenge()
+        print('***', addArgs, codeVerifier)
        args.update(addArgs)
-        self.storeSession(dict(state=state, nonce=nonce, codeVerifyer=codeVerifyer))
+        self.storeSession(dict(state=state, nonce=nonce, code_verifier=codeVerifier))
        authReq = client.construct_AuthorizationRequest(request_args=args)
        loginUrl = authReq.request(self.params['auth_url'])
        print('***', loginUrl)
@ -91,8 +93,22 @@ class Authenticator(DummyFolder):
        print('*** callback', self, req.form)
        data = self.loadSession()
        code = req.form['code']
-        client = oic.Client()
-        print('***', data, code, client)
+        print('***', data, code)
+        # !check state: req.form['state'] == data['state']
+        args = dict(
+                grant_type='authorization_code',
+                code=code,
+                redirect_uri=self.params['callback_url'],
+                client_id=self.params['client_id'],
+                code_verifier=data['code_verifier']
+        )
+        # !set header: 'Content-Type: application/x-www-form-urlencoded'
+        tokenResponse = requests.post(self.params['token_url'], data=args)
+        tdata =  tokenResponse.json()
+        print('***', tdata)
+        headers = dict(Authorization='Bearer ' + tdata['access_token'])
+        userInfo = requests.get(self.params['userinfo_url'], headers=headers)
+        print('***', userInfo.json())

    def storeSession(self, data):
        options = {}