def oidcCallback(): """ Once the authorization provider has cleared the user, the browser is returned here with a code. This function takes that code and checks it with the authorization provider to prove that it is valid, and get a bit more information about the user (which we don't use). A token is generated and given to the user, and the authorization info retrieved above is stored against this token. Later, when a client connects with this token, it is assumed to be a valid user. :return: A display of the authentication token to use in the client. If OIDC is not configured, raises a NotImplementedException. """ if app.oidcClient is None: raise exceptions.NotImplementedException() response = dict(flask.request.args.iteritems(multi=True)) aresp = app.oidcClient.parse_response( message.AuthorizationResponse, info=response, sformat='dict') sessState = flask.session.get('state') respState = aresp['state'] if (not isinstance(aresp, message.AuthorizationResponse) or respState != sessState): raise exceptions.NotAuthenticatedException() args = { "code": aresp['code'], "redirect_uri": app.oidcClient.redirect_uris[0], "client_id": app.oidcClient.client_id, "client_secret": app.oidcClient.client_secret } atr = app.oidcClient.do_access_token_request( scope="openid", state=respState, request_args=args) if not isinstance(atr, message.AccessTokenResponse): raise exceptions.NotAuthenticatedException() atrDict = atr.to_dict() if flask.session.get('nonce') != atrDict['id_token']['nonce']: raise exceptions.NotAuthenticatedException() key = oic.oauth2.rndstr(SECRET_KEY_LENGTH) flask.session['key'] = key token_data = aresp["code"], respState, atrDict app.cache.set(key, token_data) # flask.url_for is broken. It relies on SERVER_NAME for both name # and port, and defaults to 'localhost' if not found. Therefore # we need to fix the returned url indexUrl = flask.url_for('index', _external=True) indexParts = list(urlparse.urlparse(indexUrl)) if ':' not in indexParts[1]: indexParts[1] = '{}:{}'.format(socket.gethostname(), app.myPort) indexUrl = urlparse.urlunparse(indexParts) response = flask.redirect(indexUrl) return response
def checkAuthentication(): """ The request will have a parameter 'key' if it came from the command line client, or have a session key of 'key' if it's the browser. If the token is not found, start the login process. If there is no oidcClient, we are running naked and we don't check. If we're being redirected to the oidcCallback we don't check. :returns None if all is ok (and the request handler continues as usual). Otherwise if the key was in the session (therefore we're in a browser) then startLogin() will redirect to the OIDC provider. If the key was in the request arguments, we're using the command line and just raise an exception. """ if app.oidcClient is None: return if flask.request.endpoint == 'oidcCallback': return key = flask.session.get('key') or flask.request.args.get('key') if key is None or not app.cache.get(key): if 'key' in flask.request.args: raise exceptions.NotAuthenticatedException() else: return startLogin()
def index(): response = flask.render_template('index.html', info=app.serverStatus) if app.config.get('AUTH0_ENABLED'): key = (flask.request.args.get('key')) try: print(key) profile = app.cache.get(key) except: raise exceptions.NotAuthorizedException() if (profile): return response else: exceptions.NotAuthenticatedException() else: return response
def is_active(cache, token): """ Accepts the cache and ID token and checks to see if the profile is currently logged in. If so, return the token, otherwise throw a NotAuthenticatedException. :param cache: :param token: :return: """ profile = cache.get(token) if not profile: raise exceptions.NotAuthenticatedException( 'The token is good, but you are not logged in. Please ' 'try logging in again.') return profile
def notAuthenticatedHandler(errorString): return handleException(exceptions.NotAuthenticatedException(errorString))
def is_authorized(cache, email): if not cache.get(email): message = '{} is not authorized to ' \ 'access this resource'.format(email) raise exceptions.NotAuthenticatedException(message) return email