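def before_request():
    """Populate ``flask.g`` with the current user's identity and role.

    With an OIDC session, the ``name`` claim goes to ``g.user`` and the role
    defaults to ``"employee"``.  The Keycloak admin API is then queried with
    the service credentials from ``app_config`` and the user whose e-mail
    matches the token's ``email`` claim supplies ``g.role`` and ``g.empId``
    from its custom attributes.  Without a session ``g.user`` is ``None``.
    """
    if not oidc.user_loggedin:
        g.user = None
        return

    g.user = oidc.user_getfield('name')
    g.role = "employee"
    email = oidc.user_getfield('email')
    if not email:
        # No e-mail claim: keep the default role instead of failing on None.
        return
    wanted = email.strip().lower()

    # The admin connection authenticates with the username/password stored in
    # the app config; 'verify=True' keeps TLS certificate validation enabled.
    keycloak_admin = KeycloakAdmin(server_url=app_config['KEYCLOAK_URL'],
                                   username=app_config['USERNAME'],
                                   password=app_config['PASSWORD'],
                                   realm_name=app_config['REALM_NAME'],
                                   verify=True)
    # The per-user debug prints were dropped: they wrote every directory
    # record and the matched user's attributes to stdout on each request.
    for user in keycloak_admin.get_users({}):
        # Users without an e-mail must not raise a KeyError here.
        candidate = (user.get('email') or '').strip().lower()
        if candidate != wanted:
            continue
        attributes = user.get('attributes') or {}
        # Keycloak returns custom attributes as lists of strings; a user
        # without the attribute keeps the default role / gets no employee id.
        role = attributes.get('role') or []
        emp_id = attributes.get('emp_id') or []
        if role:
            g.role = role[0]
        g.empId = emp_id[0] if emp_id else None
        # First match wins; e-mails are expected to be unique in the realm.
        break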
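def decorated_function(*args, **kwargs):
    """Run ``func`` only if the OIDC user holds a role of ``self.role_required``.

    Closes over ``self`` (carries ``role_required``, the name of the
    authorisation group) and ``func`` (the protected view).  The user's
    roles are read from the ``role`` claim of the current access token: a
    missing claim sends the user back to the authentication server, the
    ``admin`` role is accepted for every group, and otherwise any role listed
    on the group grants access.  Everything else renders the 403 page.
    """
    # Read the roles that satisfy the required authorisation group.
    auth_group = db.session.query(auth_groups).filter_by(
        name=self.role_required).first()

    # Read the roles the user holds from the access token.  A missing claim
    # also covers an expired/invalid token, so re-authenticate in that case.
    access_token = oidc.get_access_token()
    user_permission = oidc.user_getfield('role', access_token)
    if user_permission is None:
        return oidc.redirect_to_auth_server(None, request.values)

    # An admin may do anything, regardless of the group's role list.  The
    # original left this branch without a return, so admins fell through to
    # the group check.
    # NOTE(review): if the claim is a plain string rather than a list this is
    # a substring test -- confirm the claim's shape.
    if 'admin' in user_permission:
        return func(*args, **kwargs)

    # Deny by default: an unknown group name must not become a 500 from
    # dereferencing ``auth_group.roles`` on None.
    if auth_group is None:
        return render_template("mod_auth/403.html", user=get_userobject())

    # Any one of the group's roles is sufficient.
    if any(role.name in user_permission for role in auth_group.roles):
        return func(*args, **kwargs)
    return render_template("mod_auth/403.html", user=get_userobject())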
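def logout():
    """End the local OIDC session and send the browser to Keycloak's logout.

    The user's e-mail is read before ``oidc.logout()`` clears the session so
    it can still be logged.  The Keycloak end-session endpoint is derived
    from the ``issuer`` in the client secrets, and the browser is sent there
    with the application root as ``redirect_uri`` so it lands back on the
    site afterwards.
    """
    from urllib.parse import urlencode

    email = oidc.user_getfield('email')
    oidc.logout()
    # request.url_root is derived from the request's Host header.
    # NOTE(review): Keycloak is expected to accept only redirect URIs
    # registered for this client -- confirm that in the realm's client
    # settings, since nothing here bounds the value.
    redirect_url = request.url_root.strip('/')
    keycloak_issuer = oidc.client_secrets.get('issuer')
    keycloak_logout_url = '{}/protocol/openid-connect/logout'.format(
        keycloak_issuer)
    _logger.info('{} logged out'.format(email))
    # Percent-encode the redirect so a root containing '?', '&' or '#'
    # cannot be split into extra query parameters.
    query = urlencode({'redirect_uri': redirect_url})
    return redirect('{}?{}'.format(keycloak_logout_url, query))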
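def callback(data):
    """OIDC login callback: mirror the authenticated user into the local DB.

    Reads the ``sub``, ``role``, ``user_name`` and ``email`` claims from the
    current access token, stores the subject in ``session['user_id']``,
    syncs the roles via ``lodurGroupsToDB`` and creates or updates the
    matching ``User`` row.  A subject missing from the OIDC credentials
    store yields an error string; any exception is reported on stdout and
    the browser is sent back to ``/`` either way.  ``data`` is accepted for
    the callback signature and not used here.
    """
    # NOTE(review): 'state' is read but never compared with the value issued
    # at login; if flask-oidc's own callback does not validate it before
    # calling this hook, that check needs to exist somewhere.
    session_state = request.args.get("state")
    print("oauth. Start Callback")
    try:
        access_token = oidc.get_access_token()
        user_id = oidc.user_getfield('sub', access_token)
        session['user_id'] = user_id
        user_permission = oidc.user_getfield('role', access_token)

        # Keep the Lodur groups in the DB in sync with the token's roles.
        lodurGroupsToDB(user_permission)

        user = User.query.filter_by(open_id=session['user_id']).first()
        if user is not None:
            # User already exists: refresh its name and e-mail.
            user.username = oidc.user_getfield('user_name', access_token)
            user.email = oidc.user_getfield('email', access_token)
        else:
            # User does not exist yet: create it.
            user = User(
                oidc.user_getfield('user_name', access_token),
                oidc.user_getfield('email', access_token),
                user_id
            )
        if user_id in oidc.credentials_store:
            db.session.add(user)
            db.session.commit()
        else:
            return "ERROR: User can't find in Credentials Store."
    except Exception:
        # The original concatenated a str with sys.exc_info() (a tuple),
        # which raised a TypeError of its own and hid the real error; the
        # bare 'except:' also swallowed SystemExit/KeyboardInterrupt.
        print("oauth. Error found: {!r}".format(sys.exc_info()[1]))
        return redirect('/')
    return redirect('/')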
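def hr_dashboard():
    """Render the HR dashboard page with the title ``'Admin Dashboard'``."""
    # The debug print of the user's 'attributes' claim was dropped: it wrote
    # the whole claim set (personal data) to stdout on every request.
    return render_template('home/hr_dashboard.html', title='Admin Dashboard')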
def before_request():
    """Resolve the logged-in OIDC subject to an Okta user object on ``g.user``.

    ``g.user`` is set to ``None`` when there is no OIDC session.
    """
    current_user = None
    if oidc.user_loggedin:
        subject = oidc.user_getfield("sub")
        current_user = okta_client.get_user(subject)
    g.user = current_user
def login():
    """Log the successful login (by e-mail claim) and redirect to the index."""
    email = oidc.user_getfield('email')
    _logger.info('{} logged in successfully'.format(email))
    return redirect(url_for('view.index'))