def __init__(self, application):
"""Initialize the class.
Only create the oidc object when it is None (prevent duplicate instantiation)
and the application is defined (allow import prior to instantiation).
"""
if not Keycloak._oidc and application:
Keycloak._oidc = flask_oidc.OpenIDConnect(application)
def create_app(config, oidc_overrides=None):
global oidc
app = Flask(__name__)
app.config.update(config)
if oidc_overrides is None:
oidc_overrides = {}
app.oidc = flask_oidc.OpenIDConnect(app, **oidc_overrides)
oidc = app.oidc
app.route('/')(app.oidc.check(index))
app.route('/at')(app.oidc.check(get_at))
app.route('/rt')(app.oidc.check(get_rt))
# Check standalone usage
rendered = app.oidc.accept_token(True, ['openid'],
auth_header_key='Authorization')(api)
app.route('/api', methods=['GET', 'POST'])(rendered)
configure_keycloak_test_uris(app)
# Check combination with an external API renderer like Flask-RESTful
unrendered = app.oidc.accept_token(
True, ['openid'], render_errors=False,
auth_header_key='Authorization')(raw_api)
def externally_rendered_api(*args, **kwds):
inner_response = unrendered(*args, **kwds)
if isinstance(inner_response, tuple):
raw_response, response_code, headers = inner_response
rendered_response = json.dumps(
raw_response), response_code, headers
else:
rendered_response = json.dumps(inner_response)
return rendered_response
app.route('/external_api', methods=['GET',
'POST'])(externally_rendered_api)
return app
user the userinfo endpoint to validate it. This is because the token
info endpoint used by the Flask-OIDC accept_token wrapper has some
issues with validating tokens for certain application types.
'''
from __future__ import absolute_import
import cli_common.log
import flask
import flask_oidc
import functools
import json
import requests
logger = cli_common.log.get_logger(__name__)
auth0 = flask_oidc.OpenIDConnect()
def mozilla_accept_token(render_errors=True):
'''
Use this to decorate view functions that should accept OAuth2 tokens,
this will most likely apply to API functions.
Tokens are accepted as part of
* the query URL (access_token value)
* a POST form value (access_token)
* the header Authorization: Bearer <token value>
:param render_errors: Whether or not to eagerly render error objects
as JSON API responses. Set to False to pass the error object back
unmodified for later rendering.
app = flask.Flask(__name__)
# Set the redirect URI to /callback.
# APP_BASE_URL should be set to e.g. "https://myapp.example.com"
app.config["OVERWRITE_REDIRECT_URI"] = urllib.parse.urljoin(
os.environ["APP_BASE_URL"], "/callback")
# Set the secret key used by Flask to encrypt session data.
# FLASK_SECRET_KEY should be a random hexadecimal string; the same for each iteration.
app.config["SECRET_KEY"] = binascii.unhexlify(os.environ["FLASK_SECRET_KEY"])
# Set the location of the client_secrets.json file.
app.config["OIDC_CLIENT_SECRETS"] = os.environ.get("CLIENT_SECRETS_FILE",
"/app/client_secrets.json")
oidc = flask_oidc.OpenIDConnect(app)
TMPL = jinja2.Environment(autoescape=True).from_string("""
<html>
<p>Hello, {{ term_of_address }}!</p>
<p>{{ content }}</p>
<ul>
<li><a href="/secret">secret</a></li>
<li><a href="/other-secret">other secret</a></li>
</ul>
</html>
""")
def __init__(self, application):
if not Keycloak._oidc and application:
Keycloak._oidc = flask_oidc.OpenIDConnect(application)
