class AuthTypeOAuth(AuthTypeClientBase): """An authentication type for oauth2 logins.""" CXG_TOKENS = "auth_tokens" def __init__(self, server_config): super().__init__() if missingimport: raise ConfigurationError( f"oauth requires these modules: {', '.join(missingimport)}") self.algorithms = ["RS256"] self.oauth_api_base_url = server_config.authentication__params_oauth__oauth_api_base_url self.client_id = server_config.authentication__params_oauth__client_id self.client_secret = server_config.authentication__params_oauth__client_secret self.session_cookie = server_config.authentication__params_oauth__session_cookie self.cookie_params = server_config.authentication__params_oauth__cookie self.jwt_decode_options = server_config.authentication__params_oauth__jwt_decode_options self._validate_cookie_params() self._validate_jwt_decode_options() self.api_base_url = server_config.get_api_base_url() self.web_base_url = server_config.get_web_base_url() if self.api_base_url is None: raise ConfigurationError( "oauth requires the app__api_base_url to be set") # set the audience self.audience = self.client_id # load the jwks (JSON Web Key Set). # The JSON Web Key Set (JWKS) is a set of keys which contains the public keys used to verify # any JSON Web Token (JWT) issued by the authorization server and signed using the RS256 try: jwksloc = f"{self.oauth_api_base_url}/.well-known/jwks.json" jwksurl = requests.get(jwksloc) self.jwks = jwksurl.json() except Exception: raise ConfigurationError( f"error in oauth, api_url_base: {self.oauth_api_base_url}, cannot access {jwksloc}" ) def _validate_cookie_params(self): """check the cookie_params, and raise a ConfigurationError if there is something wrong""" if self.session_cookie: return if not isinstance(self.cookie_params, dict): raise ConfigurationError( "either session_cookie or cookie must be set") valid_keys = { "key", "max_age", "expires", "path", "domain", "secure", "httponly", "samesite" } keys = set(self.cookie_params.keys()) unknown = keys - valid_keys if unknown: raise ConfigurationError( f"unexpected key in cookie params: {', '.join(unknown)}") if "key" not in keys: raise ConfigurationError( "must have a key (name) in the cookie params") def _validate_jwt_decode_options(self): """check the jwt_decode_options, and raise a ConfigurationError if there is something wrong""" if self.jwt_decode_options is None: self.jwt_decode_options = {} return valid_keys = { "verify_signature", "verify_aud", "verify_iat", "verify_exp", "verify_nbf", "verify_iss", "verify_sub", "verify_jti", "verify_at_hash", "leeway", } keys = set(self.jwt_decode_options.keys()) unknown = keys - valid_keys if unknown: raise ConfigurationError( f"unexpected key in jwt_decode_options: {', '.join(unknown)}") def is_valid_authentication_type(self): return True def requires_client_login(self): return True def add_url_rules(self, app): parse = urlparse(self.api_base_url) app.add_url_rule(f"{parse.path}/login", "login", self.login, methods=["GET"]) app.add_url_rule(f"{parse.path}/logout", "logout", self.logout, methods=["GET"]) app.add_url_rule(f"{parse.path}/logout_redirect", "logout_redirect", self.logout_redirect, methods=["GET"]) app.add_url_rule(f"{parse.path}/oauth2/callback", "callback", self.callback, methods=["GET"]) def complete_setup(self, flask_app): self.oauth = OAuth(flask_app) self.client = self.oauth.register( "auth0", client_id=self.client_id, client_secret=self.client_secret, api_base_url=self.oauth_api_base_url, refresh_token_url=f"{self.oauth_api_base_url}/oauth/token", access_token_url=f"{self.oauth_api_base_url}/oauth/token", authorize_url=f"{self.oauth_api_base_url}/authorize", client_kwargs={"scope": "openid profile email offline_access"}, ) def is_user_authenticated(self): payload = self.get_userinfo() return payload is not None def get_user_id(self): payload = self.get_userinfo() return payload.get("sub") if payload else None def get_user_name(self): payload = self.get_userinfo() return payload.get("name") if payload else None def get_user_email(self): payload = self.get_userinfo() return payload.get("email") if payload else None def get_user_picture(self): payload = self.get_userinfo() return payload.get("picture") if payload else None def update_response(self, response): response.cache_control.update( dict(public=True, max_age=0, no_store=True, no_cache=True, must_revalidate=True)) def login(self): callbackurl = f"{self.api_base_url}/oauth2/callback" return_path = request.args.get("dataset", "") return_to = f"{self.web_base_url}/{return_path}" # save the return path in the session cookie, accessed in the callback function session["oauth_callback_redirect"] = return_to response = self.client.authorize_redirect(redirect_uri=callbackurl) self.update_response(response) return response def logout(self): """ We would like for the user to remain on the same dataset after logout. oauth requires that the redirect `returnTo` path be whitelisted by the oauth server, therefore a level of indirection is used. We first redirect to a single path "logout_redirect", and logout_redirect will redirect the user's browser back to the current page. """ self.remove_tokens() redirect_path = request.args.get("dataset", "") redirect_to = f"{self.web_base_url}/{redirect_path}" session["oauth_logout_redirect"] = redirect_to return_to = f"{self.api_base_url}/logout_redirect" params = {"returnTo": return_to, "client_id": self.client_id} response = redirect(self.client.api_base_url + "/v2/logout?" + urlencode(params)) self.update_response(response) return response def logout_redirect(self): oauth_logout_redirect = session.pop("oauth_logout_redirect", "/") response = redirect(oauth_logout_redirect) self.update_response(response) return response def callback(self): data = self.client.authorize_access_token() tokens = Tokens( access_token=data.get("access_token"), id_token=data.get("id_token"), refresh_token=data.get("refresh_token"), expires_at=data.get("expires_at"), ) self.save_tokens(tokens) oauth_callback_redirect = session.pop("oauth_callback_redirect", "/") response = redirect(oauth_callback_redirect) self.update_response(response) return response def get_tokens(self): """Extract the tokens from the cookie, and store them in the flask global context""" if "tokens" in g: return g.tokens try: if self.session_cookie: value = session.get(self.CXG_TOKENS) if value: g.tokens = Tokens(**value) else: return None else: value = request.cookies.get(self.cookie_params["key"]) if value is None: return None value = base64.b64decode(value) value = json.loads(value) g.tokens = Tokens(**value) except Exception: # there are many types of exceptions that can be raise in the above section. # It is impractical to list all the exceptions here, since that would be brittle. # If an exception occurs, then return None, meaning that no token could be retrieved. current_app.logger.warning( f"auth cookie is in the wrong format: {str(value)}") g.pop("tokens", None) return None return g.tokens def save_tokens(self, tokens): g.tokens = tokens if self.session_cookie: session[self.CXG_TOKENS] = tokens.__dict__ else: @after_this_request def set_cookie(response): args = self.cookie_params.copy() value = base64.b64encode( json.dumps(tokens.__dict__).encode("utf-8")) del args["key"] try: response.set_cookie(self.cookie_params["key"], value, **args) except Exception as e: raise AuthenticationError( f"unable to set_cookie {self.cookie_params}") from e return response def remove_tokens(self): g.pop("tokens", None) if self.session_cookie: if self.CXG_TOKENS in session: del session[self.CXG_TOKENS] else: @after_this_request def remove_cookie(response): response.set_cookie(self.cookie_params["key"], "", expires=0) self.update_response(response) return response def get_login_url(self, data_adaptor): """Return the url for the login route""" if data_adaptor and current_app.app_config.is_multi_dataset(): return f"{self.api_base_url}/login?dataset={data_adaptor.uri_path}/" else: return f"{self.api_base_url}/login" def get_logout_url(self, data_adaptor): """Return the url for the logout route""" if data_adaptor and current_app.app_config.is_multi_dataset(): return f"{self.api_base_url}/logout?dataset={data_adaptor.uri_path}/" else: return f"{self.api_base_url}/logout" def check_jwt_payload(self, id_token): try: unverified_header = jwt.get_unverified_header(id_token) except JWTError: return None rsa_key = {} for key in self.jwks["keys"]: if key["kid"] == unverified_header["kid"]: rsa_key = { "kty": key["kty"], "kid": key["kid"], "use": key["use"], "n": key.get("n"), "e": key.get("e"), } if rsa_key: try: payload = jwt.decode( id_token, rsa_key, algorithms=self.algorithms, audience=self.audience, issuer=self.oauth_api_base_url + "/", options=self.jwt_decode_options, ) return payload except ExpiredSignatureError: # This exception is handled in get_userinfo raise except JWTClaimsError as e: raise AuthenticationError(f"invalid claims {str(e)}") from e except JWTError as e: raise AuthenticationError( f"invalid signature: {str(e)}") from e raise AuthenticationError("Unable to find the appropriate key") def get_userinfo(self): if not has_request_context(): return None # check if the userinfo has been retrieved already in this request if "userinfo" in g: return g.get("userinfo") # if there is no id_token, return None (user is not authenticated) tokens = self.get_tokens() if tokens is None or tokens.id_token is None: return None try: # check the jwt payload. This raises an AuthenticationError if the token is not valid. # It the token has expired, we attempt to refresh the token g.userinfo = self.check_jwt_payload(tokens.id_token) return g.userinfo except ExpiredSignatureError: tokens = self.refresh_expired_token(tokens.refresh_token) if tokens is None or tokens.id_token is None: return None else: try: g.userinfo = self.check_jwt_payload(tokens.id_token) return g.userinfo except JWTError as e: raise AuthenticationError( f"error during token refresh: {str(e)}") from e except AuthenticationError: self.remove_tokens() raise def refresh_expired_token(self, refresh_token): params = { "grant_type": "refresh_token", "client_id": self.client_id, "refresh_token": refresh_token, "client_secret": self.client_secret, } headers = {"content-type": "application/x-www-form-urlencoded"} request = requests.post(f"{self.oauth_api_base_url}/oauth/token", urlencode(params), headers=headers) if request.status_code != 200: # unable to refresh the token, log the user out self.remove_tokens() return None data = request.json() tokens = Tokens( access_token=data.get("access_token"), id_token=data.get("id_token"), refresh_token=data.get("refresh_token", refresh_token), expires_at=data.get("expires_at"), ) self.save_tokens(tokens) return tokens
from flask import Flask, url_for, redirect, session, render_template from authlib.integrations.flask_client import OAuth app = Flask(__name__) app.secret_key = 'random secret' # oauth config oauth = OAuth(app) oauth.register(name='google', client_id='', client_sectet='', access_token_url='https://accounts.google.com/o/auth2/token', access_tokern_params=None, authorize_url='https://accounts.google.com/o/oauth2/auth', authorize_params=None, api_base_url='https://www.googleapis.com/oauth2/v1', client_kwargs={'scope': 'openid profile email'}) @app.route('/') def hello_world(): return "Hello, World!" @app.route('/login') def login(): google = oauth.create_client('google') redirect_uri = url_for('authorize', _external=True) return google.authorize_redirect(redirect_uri) @app.route('/authorize')
from flask import Flask, url_for, redirect, session, render_template from authlib.integrations.flask_client import OAuth app = Flask(__name__) app.secret_key = 'random secret' #https://docs.authlib.org/en/latest/basic/index.html #oauth config oauth = OAuth(app) google = oauth.register( name='google', client_id= '495451370244-vmk79jh8653v4t8719cb26m4eil8j4le.apps.googleusercontent.com', client_secret='OlOWxgzZM2M2_iVoUQjAevgx', access_token_url='https://accounts.google.com/o/oauth2/token', access_token_params=None, authorize_url='https://accounts.google.com/o/oauth2/auth', authorize_params=None, api_base_url='https://www.googleapis.com/oauth2/v1/', userinfo_endpoint= 'https://openidconnect.googleapis.com/v1/userinfo', # This is only needed if using openId to fetch user info client_kwargs={'scope': 'openid email profile'}, ) @app.route('/') def index(): return render_template('login.html') @app.route('/home')
class OAuthModule(bp.AuthModule): def __init__(self, app, bp): super(OAuthModule, self).__init__(app, bp) self.oauth = OAuth() self.oauth.init_app(app) self.app = self.register_oauth(self.oauth, app) bp.route("/login", methods = ["POST"])(self.login) bp.route("/authorize", methods = ["GET"])(self.authorize) @abc.abstractmethod def register_oauth(self, oauth, app): pass @abc.abstractmethod def get_login_form_button_text(self): pass @overrides def is_flat(self) -> bool: return True @overrides def can_manage_users(self) -> bool: return False @overrides def get_login_form(self) -> models.LoginForm: return models.LoginForm([], self.get_login_form_button_text()) def login(self) -> Response: if "return_to" in request.args: redirect = self.app.authorize_redirect(request.args.get("return_to"), response_type = "token") else: redirect = self.app.authorize_redirect(response_type = "token") return jsonify(redirect.headers["Location"]) def authorize(self): authorization_response = request.full_path + "#" + request.args.get("fragment") try: token = self.app.fetch_access_token(authorization_response = authorization_response) except Exception as e: traceback.print_exc() sys.stderr.flush() raise exceptions.SecurityError(description = str(e)) access_token = token["access_token"] secret = current_app.config["VEGAS_CLIENT_SECRET"] try: decoded = jwt.decode(access_token, secret, verify = False) decoded = jwt.decode(access_token, secret, verify = True, audience = decoded["aud"]) except jwt.exceptions.InvalidTokenError as e: traceback.print_exc() sys.stderr.flush() raise exceptions.SecurityError(description = str(e)) session["auth"] = { "user": OAuthUser(decoded).to_dict(), "user_data": decoded, "token": token } log.access_flask_login() return jsonify(self.get_logged_in_user())
from flask import Flask, Blueprint from flask_restplus import Api from pymongo_helplib import MongoClient import os from dotenv import load_dotenv, find_dotenv from authlib.integrations.flask_client import OAuth from six.moves.urllib.parse import urlencode app = Flask(__name__) oauth = OAuth(app) auth0 = oauth.register( 'auth0', client_id='1xL7s3OaXnI0mpu3zdCeKQ9nhK8CGiHK', client_secret=os.environ['client_secret'], api_base_url='https://launcher-plan-b.eu.auth0.com', access_token_url='https://launcher-plan-b.eu.auth0.com/oauth/token', authorize_url='https://launcher-plan-b.eu.auth0.com/authorize', client_kwargs={ 'scope': 'openid profile', }, ) """ app.config.from_pyfile('config.cfg') """ app.secret_key = os.environ['SECRET_KEY'] blueprint = Blueprint('api', __name__, url_prefix='/api') api_app = Api(app=app, blueprint=blueprint, doc='/doc/', version="0.0", title="Launcher",
from authlib.integrations.flask_client import OAuth # .register() will automatically read GITHUB_CLIENT_ID and GITHUB_CLIENT_SECRET from app configuration # as described here: https://docs.authlib.org/en/latest/client/flask.html#configuration oauth_registry = OAuth() oauth_registry.register( # nosec name='github', access_token_url='https://github.com/login/oauth/access_token', access_token_params=None, authorize_url='https://github.com/login/oauth/authorize', authorize_params=None, api_base_url='https://api.github.com/', client_kwargs={'scope': 'user'})
from functools import wraps from os import environ from authlib.integrations.flask_client import OAuth from flask import session from app import app oauth = OAuth(app) AUTH0_CALLBACK_URL = environ.get("AUTH0_CALLBACK_URL") AUTH0_CLIENT_ID = environ.get("AUTH0_CLIENT_ID") AUTH0_CLIENT_SECRET = environ.get("AUTH0_CLIENT_SECRET") AUTH0_DOMAIN = environ.get("AUTH0_DOMAIN") AUTH0_BASE_URL = 'https://' + AUTH0_DOMAIN PROFILE_KEY = environ.get("PROFILE_KEY") JWT_PAYLOAD = environ.get("JWT_PAYLOAD") SECRET_KEY = environ.get("SECRET_KEY") auth0 = oauth.register( 'auth0', client_id=AUTH0_CLIENT_ID, client_secret=AUTH0_CLIENT_SECRET, api_base_url=AUTH0_BASE_URL, access_token_url=AUTH0_BASE_URL + '/oauth/token', authorize_url=AUTH0_BASE_URL + '/authorize', client_kwargs={ 'scope': 'openid profile email', }, )
from flask import Flask, url_for, redirect, session import os from authlib.integrations.flask_client import OAuth app = Flask(__name__) app.secret_key = os.environ.get("SECRET_KEY") # OAuth Config oauth = OAuth(app) google = oauth.register( name="google", client_id=os.environ.get("CLIENT_ID"), client_secret=os.environ.get("CLIENT_SECRET"), access_token_url="https://accounts.google.com/o/oauth2/token", access_token_params=None, authorize_url="https://accounts.google.com/o/oauth2/auth", authorize_params=None, api_base_url="https://www.googleapis.com/oauth2/v1/", userinfo_endpoint= "https://openidconnect.googleapis.com/v1/userinfo", # This is only needed if using openId to fetch user info client_kwargs={"scope": "openid email profile"}, ) @app.route("/") def hello_world(): email = dict(session).get("email", None) return f"Hello {email}"
from dotenv import load_dotenv load_dotenv() import requests from authlib.integrations.flask_client import OAuth app = Flask(__name__) app.secret_key = os.getenv("SECRET_KEY") app.config['LICHESS_CLIENT_ID'] = os.getenv("LICHESS_CLIENT_ID") app.config['LICHESS_CLIENT_SECRET'] = os.getenv("LICHESS_CLIENT_SECRET") app.config['LICHESS_ACCESS_TOKEN_URL'] = 'https://oauth.lichess.org/oauth' app.config[ 'LICHESS_AUTHORIZE_URL'] = 'https://oauth.lichess.org/oauth/authorize' oauth = OAuth(app) oauth.register('lichess') @app.route('/') def login(): redirect_uri = url_for('authorize', _external=True) return oauth.lichess.authorize_redirect(redirect_uri) @app.route('/authorize') def authorize(): token = oauth.lichess.authorize_access_token() bearer = token['access_token'] headers = {'Authorization': f'Bearer {bearer}'} response = requests.get("https://lichess.org/api/account", headers=headers)
from flask import Flask, url_for, session from flask import render_template, redirect from authlib.integrations.flask_client import OAuth app = Flask(__name__) app.secret_key = '!secret' app.config.from_object('config') CONF_URL = 'https://accounts.google.com/.well-known/openid-configuration' oauth = OAuth(app) oauth.register(name='google', server_metadata_url=CONF_URL, client_kwargs={'scope': 'openid email profile'}) @app.route('/') def homepage(): print("Hello") user = session.get('user') return render_template('home.html', user=user) @app.route('/login') def login(): redirect_uri = url_for('auth', _external=True) return oauth.google.authorize_redirect(redirect_uri) @app.route('/auth') def auth(): token = oauth.google.authorize_access_token()
def create_authenticated_app(test_config=None): # Create and Configure OKIT Web Designer App app = Flask(__name__, instance_relative_config=True, instance_path='/okit/instance') # Load Config if test_config is None: app.config.from_pyfile('config.py', silent=True) else: app.config.from_mapping(test_config) # Ensure if instance folder exists try: os.makedirs(app.instance_path) except OSError: pass # Add Upload location app.config['UPLOADS_FOLDER'] = '/okit/uploads' # The secret key must be static to be the same for all gunicorn workers app.secret_key = '8980ffsd675747jjjh' idcs_metadata_url = app.config['IDCS_API_BASE_URL'] + '/.well-known/openid-configuration' oauth = OAuth(app) idcs = oauth.register(name='idcs', server_metadata_url=idcs_metadata_url, client_kwargs={'scope':'openid email profile'}) if 'OKIT_SERVER_BASE' not in app.config: app.config['OKIT_SERVER_BASE'] = 'http://' + socket.getfqdn() @app.route('/favicon.ico') def favicon(): return send_from_directory(os.path.join(app.root_path, 'static'), 'favicon.ico', mimetype='image/vnd.microsoft.icon') from . import okitWebDesigner # Login Step 1 - Redirect to IDCS @okitWebDesigner.bp.route('/login', methods=(['GET', 'POST'])) def login(): return idcs.authorize_redirect(app.config['OKIT_SERVER_BASE'] + url_for('okit.postlogin')) # Login Step 2 - Local local token handling @okitWebDesigner.bp.route('/postlogin', methods=(['GET', 'POST'])) def postlogin(): token = idcs.authorize_access_token() userinfo = idcs.parse_id_token(token) session['username'] = userinfo['user_displayname'] session['home_region'] = app.config['OCI_HOME_REGION'] session['tenant'] = app.config['OCI_TENANT'] logger.info(f"App Config {app.config}") end_session_endpoint = idcs.server_metadata['end_session_endpoint'] logout_redirect_url = { 'post_logout_redirect_url' : app.config['OKIT_SERVER_BASE'] + url_for('okit.postlogout'), 'id_token_hint' : token['id_token'] } logout_url = end_session_endpoint + '?post_logout_redirect_url=' + str(logout_redirect_url['post_logout_redirect_url']) + '&id_token_hint=' + str(logout_redirect_url['id_token_hint']) session['logout'] = logout_url return redirect(url_for('okit.designer'), code=302) # Logout Step 1 - Handled by IDCS # Logout Step 2 - Local cleanup @okitWebDesigner.bp.route('/logout', methods=(['GET', 'POST'])) def logout(): session.pop('username', None) session.pop('logout', None) session.pop('tenant', None) session.pop('home_region', None) return Response(status=200) # Logout Step 3 - Local redirect to home page @okitWebDesigner.bp.route('/postlogout', methods=(['GET', 'POST'])) def postlogout(): session.pop('username', None) session.pop('logout', None) session.pop('tenant', None) session.pop('home_region', None) return redirect(url_for('okit.designer'), code=302) app.register_blueprint(okitWebDesigner.bp) from . import okitPricing app.register_blueprint(okitPricing.bp) from . import okitOci app.register_blueprint(okitOci.bp) from . import okitImport app.register_blueprint(okitImport.bp) @app.route('/') def index(): return login() return app
def create_app(config: Optional[TmvConfig] = None, config_override: Optional[Dict] = None): if config is None: config = create_tmv_config_from_env() if config_override is None: config_override = {} """ Set up logging Logging uses the built-in logging-module, see the Python docs for details. If you want to log something, please use one of the following methods, depending on the level you want to log. logging.debug() logging.info() logging.warning() logging.error() logging.critical() You can configure from which level log messages get output by modifying the parameter `level` in the lines below. You can add further handlers (for example for sending e-mails on critical errors) to the logging system if you want. Make sure to always log using an appropriate level to not clutter the logs with meaningless messages. """ log_level = logging.DEBUG if config.DEV_MODE else logging.WARNING logging.basicConfig( format="[%(asctime)s] %(levelname)s in %(module)s: %(message)s", level=log_level, handlers=[logging.StreamHandler()], ) logging.info("Dev mode is " + ("on" if config.DEV_MODE else "off") + ".") # Initialize flask app app = flask.Flask( __name__, template_folder=str(BASE_DIR / "tmv" / "templates"), ) app.url_map.strict_slashes = False app.config.from_mapping( SECRET_KEY=config.SECRET_KEY, SQLALCHEMY_DATABASE_URI=config.SQLALCHEMY_DATABASE_URI, SQLALCHEMY_TRACK_MODIFICATIONS=False, TEMP_UPLOADS_FOLDER=str(BASE_DIR / config.TEMP_UPLOADS_FOLDER), SECURITY_PASSWORD_SALT=config.SECURITY_PASSWORD_SALT, SECURITY_REGISTERABLE=config.SECURITY_REGISTERABLE, SECURITY_SEND_REGISTER_EMAIL=False, # TODO: requires mail setup SECURITY_USER_IDENTITY_ATTRIBUTES=["email"], SECURITY_PASSWORD_HASH="pbkdf2_sha512", SECURITY_TRACKABLE=True, SECURITY_FORGOT_PASSWORD_TEMPLATE= "security/custom_forgot_password.html", SECURITY_LOGIN_USER_TEMPLATE="security/custom_login_user.html", SECURITY_REGISTER_USER_TEMPLATE="security/custom_register_user.html", SECURITY_RESET_PASSWORD_TEMPLATE="security/custom_reset_password.html", SECURITY_CHANGE_PASSWORD_TEMPLATE= "security/custom_change_password.html", SECURITY_SEND_CONFIRMATION_TEMPLATE= "security/custom_send_confirmation.html", SECURITY_SEND_LOGIN_TEMPLATE="security/custom_send_login.html", OKTA_ORG_BASEURL=config.OKTA_ORG_BASEURL, OKTA_CLIENT_ID=config.OKTA_CLIENT_ID, OKTA_CLIENT_SECRET=config.OKTA_CLIENT_SECRET, AWS_REGION=config.AWS_REGION, JIRA_OAUTH_LOC=config.JIRA_OAUTH_LOC, JIRA_SERVER=config.JIRA_SERVER, JIRA_CONSUMER_KEY=config.JIRA_CONSUMER_KEY, JIRA_CONSUMER_SECRET=config.JIRA_CONSUMER_SECRET, JIRA_ACCESS_TOKEN=config.JIRA_ACCESS_TOKEN, JIRA_ACCESS_SEC=config.JIRA_ACCESS_SEC, JIRA_RSA_PEM=config.JIRA_RSA_PEM, JIRA_FIELD_SPRINT=config.JIRA_FIELD_SPRINT, JIRA_FIELD_STORYPOINTS=config.JIRA_FIELD_STORYPOINTS, FLASK_ADMIN_SWATCH="simplex", CELERY_BROKER_URL=config.CELERY_BROKER_URL, CELERY_RESULT_BACKEND=config.CELERY_RESULT_BACKEND, ) app.config.update(config_override) db.init_app(app) migrate.init_app(app, db, directory=str(BASE_DIR / "./tmv/migrations/")) app.security = Security(app, user_datastore, anonymous_user=CustomAnonymousUser) app.oauth = OAuth(app) if config.OKTA_ORG_BASEURL: app.oauth.register( "okta", server_metadata_url=( config.OKTA_ORG_BASEURL + "/oauth2/default/.well-known/openid-configuration"), client_kwargs={"scope": "openid profile email"}, ) # Create directories if they not already exist. FOLDERS_TO_CREATE = { app.config["TEMP_UPLOADS_FOLDER"], } for folder in FOLDERS_TO_CREATE: os.makedirs(folder, exist_ok=True) # Register flask pages # Add your page here by creating a blueprint in /views, importing it and # registering it via `app.register_blueprint`. admin.init_app(app) app.register_blueprint(user) dash_app = dash.Dash( __name__, server=app, # The route to put dash in: routes_pathname_prefix=DASHBOARD_PREFIX, external_stylesheets=[ ("https://fonts.googleapis.com/css2?" "family=Roboto:wght@300;400;500;700&display=swap"), ], assets_folder="static/dash", assets_url_path="/static/dash", suppress_callback_exceptions=True, meta_tags=[{ "name": "viewport", "content": "width=device-width, initial-scale=1" }], ) dash_app.title = "Team Metrics Visualizer" DashFlaskSecurityAuth(dash_app) if config.DEV_MODE: dash_app.enable_dev_tools() # Initialize dashboards. # Add your dashboard here by creating an instance and adding it to TABS dashboards = [ TeamHealthCheckDashboardController(), LongTermHealthDashboardController(), BurnupDashboardController(), CumulativeFlowDashboardController(), WorktimeDashboardController(), ] def layout_fn(*args, **kwargs): if flask.has_app_context() and flask.has_request_context(): dash_app._cached_layout = None # pylint: disable=protected-access return layout(dashboards, DASHBOARD_PREFIX) dash_app.layout = layout_fn init_tabs_for_navbar(dash_app, dashboards, DASHBOARD_PREFIX) register_common_callbacks(dash_app) return app
CACHE_TIMEOUT = 300 # 5 mn cache cache = Cache(config={"CACHE_TYPE": "simple"}) app = Flask(__name__) cache.init_app(app) app.secret_key = os.urandom(16) CORS( app, resources={r"/api/0/*": { "origins": os.getenv("ALLOW_ORIGIN", "*") }}, supports_credentials=True, ) oauth = OAuth(app) oauth.register( name="github", client_id=os.getenv("CLIENT_ID"), client_secret=os.getenv("CLIENT_SECRET"), access_token_url="https://github.com/login/oauth/access_token", access_token_params=None, authorize_url="https://github.com/login/oauth/authorize", authorize_params=None, api_base_url="https://api.github.com/", client_kwargs={"scope": "user:email"}, ) indexes_acl: Dict[str, List[config.Username]] = {}
# # This program is distributed in the hope that it will be useful, but WITHOUT # ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or # FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for # more details. # # You should have received a copy of the GNU General Public License along # with this program. If not, see <http://www.gnu.org/licenses/>. from authlib.integrations.flask_client import OAuth import flask app = flask.Flask(__name__) app.config.from_object("config") oauth = OAuth(app) oauth.register(name="toolhub") @app.route("/") def index(): """Home screen.""" ctx = { "profile": None, } if "token" in flask.session: resp = oauth.toolhub.get("user/", token=flask.session["token"]) resp.raise_for_status() ctx["profile"] = resp.json() return flask.render_template("home.html", **ctx)
from authlib.integrations.flask_client import OAuth\ authlib_oauth_client = OAuth()
from rest_api_demo.api.restplus import api from rest_api_demo.database import db # Integrate security from authlib.integrations.flask_client import OAuth # decorator for routes that should be accessible only by logged in users from auth_decorator import login_required from datetime import timedelta app = Flask(__name__) logging_conf_path = os.path.normpath( os.path.join(os.path.dirname(__file__), '../logging.conf')) logging.config.fileConfig(logging_conf_path) log = logging.getLogger(__name__) # set oauth to the app oauth = OAuth(app) # Set oAuth Register for Google google = oauth.register( name='google', client_id= '917119924009-80eq2p27e8096ne7ecccmuvh08l3hbkv.apps.googleusercontent.com', client_secret='yaHRsURbCudieEReNCARfZSP', access_token_url='http://accounts.google.com/o/oauth2/token', access_token_params=None, authorize_url='http://accounts.google.com/o/oauth2/auth', authorize_params=None, api_base_url='https://www.googleapis.com/oauth2/v1/', userinfo_endpoint= 'https://openidconnect.googleapis.com/v1/userinfo', # This is only needed if using openId to fetch user info client_kwargs={'scope': 'openid profile email'},
def create_oauth_app(service_config, name): service_oauth = OAuth(app) service_app = service_oauth.register(name, **service_config) return service_app
from functools import wraps from flask import Blueprint, url_for, session, request, g, jsonify, current_app from authlib.integrations.flask_client import OAuth from werkzeug.exceptions import abort from werkzeug.utils import redirect from dog_api_backend.db import db from dog_api_backend.models import User oauth = OAuth() github = oauth.register('github') auth = Blueprint('auth', __name__, url_prefix='/auth') @auth.route('/login') def login(): redirect_uri = url_for('auth.callback', _external=True) if current_app.config.get('CUSTOM_REDIRECT'): redirect_uri = current_app.config.get('CUSTOM_REDIRECT') return oauth.github.authorize_redirect(redirect_uri) @auth.route('/logout') def logout(): session.clear() return jsonify({"ok": True}) @auth.route('/callback')
"""Set Flask config variables.""" FLASK_ENV = 'development' TESTING = True SECRET_KEY = environ.get('SECRET_KEY') # SQLALCHEMY_DATABASE_URI = os.environ['DATABASE_URL'] # for more redding use https://hackersandslackers.com/configure-flask-applications/ GOOGLE_CLIENT_ID = environ.get("GOOGLE_CLIENT_ID", None) GOOGLE_CLIENT_SECRET = environ.get("GOOGLE_CLIENT_SECRET", None) GOOGLE_DISCOVERY_URL = ( "https://accounts.google.com/.well-known/openid-configuration") oauth = OAuth(app) google = oauth.register( name='google', client_id=GOOGLE_CLIENT_ID, client_secret=GOOGLE_CLIENT_SECRET, access_token_url='https://accounts.google.com/o/oauth2/token', access_token_params=None, authorize_url='https://accounts.google.com/o/oauth2/auth', authorize_params=None, api_base_url='https://www.googleapis.com/oauth2/v1/', jwks_uri="https://www.googleapis.com/oauth2/v3/certs", userinfo_endpoint= 'https://openidconnect.googleapis.com/v1/userinfo', # This is only needed if using openId to fetch user info client_kwargs={'scope': 'openid email profile'}, )
def create_app(test_config=None): app = Flask(__name__) setup_db(app) CORS(app) oauth = OAuth(app) secret = secrets.token_urlsafe(32) app.secret_key = secret auth0 = oauth.register( 'auth0', client_id=os.environ.get('CLIENT_ID'), client_secret=os.environ.get('CLIENT_SECRET'), api_base_url=os.environ.get('API_BASE_URL'), access_token_url=os.environ.get('ACCESS_TOKEN_URL'), authorize_url=os.environ.get('AUTHORIZE_URL'), client_kwargs={ 'scope': 'openid profile email', }, ) AUTH0_URL = os.environ.get('AUTH0_LOGIN_URL') CORS(app, resources={r"/api/*": {"origins": "*"}}) # ROUTES @app.after_request def after_request(response): response.headers.add('Access-Control-Allow-Headers', 'Content-Type,Authorization,true') response.headers.add('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE,OPTIONS') return response # main page @app.route('/') def index(): return 'Hello, friend !' # login page @app.route('/login') def login(): return render_template('login.html', AUTH0_AUTHORIZE_URL=AUTH0_URL) # logout @app.route('/logout') def logout(): # Clear session stored data session.clear() # Redirect user to logout endpoint params = {'returnTo': url_for( 'index', _external=True), 'client_id': '5FmE550Gvrv7iLRl1WxYleKWZx44su3a'} return redirect(auth0.api_base_url + '/v2/logout?' + urlencode(params)) # GET endpoints ################################################################## # retrieves all the actors @app.route('/actors', methods=['GET']) @requires_auth('get:actors') def show_actors(jwt): actors = Actor.query.all() if actors is None: abort(404) actors_list = [] for actor in actors: actors_list.append({ 'actor_id': actor.id, 'actor_name': actor.name, 'actor_age': actor.age, 'actor_gender': actor.gender }) return jsonify({ 'success': True, 'actors': actors_list }) # retrieves all the movies @app.route('/movies', methods=['GET']) @requires_auth('get:movies') def show_movies(jwt): movies = Movie.query.all() if movies is None: abort(404) movies_list = [] for movie in movies: movies_list.append({ 'movie_id': movie.id, 'movie_title': movie.title, 'movie_release_date': movie.release_date }) return jsonify({ 'success': True, 'movies': movies_list }) # retrieves a certain actor @app.route('/actors/<int:actor_id>', methods=['GET']) @requires_auth('get:actor') def show_actor(jwt, actor_id): actor = Actor.query.filter(Actor.id == actor_id).one_or_none() if actor is None: abort(404) return jsonify({ 'success': True, 'name': actor.name, 'age': actor.age, 'gender': actor.gender }) # retrieves a certain movie @app.route('/movies/<int:movie_id>', methods=['GET']) @requires_auth('get:movie') def show_movie(jwt, movie_id): movie = Movie.query.filter(Movie.id == movie_id).one_or_none() if movie is None: abort(404) return jsonify({ 'success': True, 'title': movie.title, 'release_date': movie.release_date }) # Delete endpoints ################################################################## # deletes a certain actor @app.route('/actors/<int:actor_id>', methods=['DELETE']) @requires_auth('delete:actor') def delete_actor(jwt, actor_id): try: actor = Actor.query.filter(Actor.id == actor_id).one_or_none() if actor is None: abort(404) actor.delete() return jsonify({ "success": True, "deleted": actor_id }) except Exception: abort(422) # retrieves a certain movie @app.route('/movies/<int:movie_id>', methods=['DELETE']) @requires_auth('delete:movie') def delete_movie(jwt, movie_id): try: movie = Movie.query.filter(Movie.id == movie_id).one_or_none() if movie is None: abort(404) movie.delete() return jsonify({ "success": True, "deleted": movie_id }) except Exception: abort(422) # POST endpoints ################################################################## # adds a new actor @app.route('/actors', methods=['POST']) @requires_auth('post:actor') def add_actor(jwt): body = request.get_json() if body is None: abort(400) new_name = body.get('name', None) new_age = body.get('age', None) new_gender = body.get('gender', None) try: if new_name and new_age and new_gender: new_actor = Actor( name=new_name, age=new_age, gender=new_gender ) new_actor.insert() return jsonify({ 'success': True, 'created_id': new_actor.id, 'actors': [actor.format() for actor in Actor.query.all()] }) else: abort(422) except Exception: abort(422) # adds a new movie @app.route('/movies', methods=['POST']) @requires_auth('post:movie') def add_movie(jwt): body = request.get_json() if body is None: abort(400) new_title = body.get('title', None) release_date_str = body.get('release_date', None) y, m, d = release_date_str.split('-') new_release_date = datetime(int(y), int(m), int(d)).date() try: if new_title and release_date_str: new_movie = Movie( title=new_title, release_date=new_release_date) new_movie.insert() return jsonify({ 'success': True, 'created_id': new_movie.id, 'movies': [movie.format() for movie in Movie.query.all()] }) else: abort(422) except Exception: abort(422) # PATCH endpoints ################################################################## # updates an existing actor @app.route('/actors/<int:actor_id>', methods=['PATCH']) @requires_auth('patch:actor') def update_actor(jwt, actor_id): actor = Actor.query.filter(Actor.id == actor_id).one_or_none() if actor is None: abort(404) body = request.get_json() if body is None: abort(400) new_name = body.get('name', None) new_age = body.get('age', None) new_gender = body.get('gender', None) try: if new_name: actor.name = new_name if new_age: actor.age = new_age if new_gender: actor.gender = new_gender actor.update() return jsonify({ "success": True, "actor": [actor.format() for actor in Actor.query.all()] }) except Exception: abort(422) # updates an existing movie @app.route('/movies/<int:movie_id>', methods=['PATCH']) @requires_auth('patch:movie') def update_movie(jwt, movie_id): movie = Movie.query.filter(Movie.id == movie_id).one_or_none() if movie is None: abort(404) body = request.get_json() if body is None: abort(400) new_title = body.get('title', None) new_release_date_str = body.get('release_date', None) try: if new_title: movie.title = new_title if new_release_date_str: y, m, d = new_release_date_str.split('-') new_release_date = datetime(int(y), int(m), int(d)).date() movie.release_date = new_release_date movie.update() return jsonify({ "success": True, "movies": [movie.format() for movie in Movie.query.all()] }) except Exception: abort(422) # Error Handling @app.errorhandler(422) def unprocessable(error): return jsonify({ "success": False, "error": 422, "message": "unprocessable" }), 422 @app.errorhandler(404) def not_found(error): return jsonify({ "success": False, "error": 404, "message": "resource not found" }), 404 @app.errorhandler(AuthError) def authentication_error(error): return jsonify({ "success": False, "error": 401, "message": "AuthError" }), 401 @app.errorhandler(400) def bad_request(error): return jsonify({ "success": False, "error": 400, "message": 'bad request' }), 400 return app
# CONFIG load_dotenv(verbose=True) JWT_SECRET = os.getenv("JWT_SECRET") REQUEST_CREDENTIALS_EXPIRE = int(os.getenv("REQUEST_CREDENTIALS_EXPIRE")) PUBLICATIONS_ACCESS = int(os.getenv("PUBLICATIONS_ACCESS")) API_URL = os.getenv("API_URL") CLIENT_ID = os.getenv("CLIENT_ID") CLIENT_SECRET = os.getenv("CLIENT_SECRET") API_BASE_URL = os.getenv("API_BASE_URL") ACCESS_TOKEN_URL = os.getenv("ACCESS_TOKEN_URL") AUTHORIZE_URL = os.getenv("AUTHORIZE_URL") app.config["SECRET_KEY"] = secrets.token_urlsafe(16) oauth = OAuth(app) auth0 = oauth.register( 'auth0', client_id=CLIENT_ID, client_secret=CLIENT_SECRET, api_base_url=API_BASE_URL, access_token_url=ACCESS_TOKEN_URL, authorize_url=AUTHORIZE_URL, client_kwargs={ 'scope': 'openid profile email', }, ) #######
from flask import Flask, url_for, session from flask import render_template, redirect from authlib.integrations.flask_client import OAuth import sys app = Flask(__name__) app.secret_key = 'a-secret-key' app.config.from_object('config') oauth = OAuth(app) oauth.register(name='donelogin', server_metadata_url=app.config['DONELOGIN_CONFIG_URL'], client_kwargs=app.config['DONELOGIN_CLIENT_KWARGS']) @app.route('/') def homepage(): user = session.get('user') return render_template('home.html', user=user) @app.route('/login') def login(): print(session) redirect_uri = url_for('auth', _external=True) return oauth.donelogin.authorize_redirect(redirect_uri) @app.route('/auth') def auth(): print(session)
from flask import Flask, request from authlib.integrations.flask_client import OAuth from splitwise import Splitwise from splitwise.expense import Expense, ExpenseUser import configparser import webbrowser import urllib import threading import tempfile import os import json import datetime import argparse app = Flask(__name__) oauth = OAuth(app) parser = argparse.ArgumentParser(description="Add T-Mobile bill to Splitwise") parser.add_argument("-c", "--config", required=True, help="path to .ini config file") parser.add_argument("-e", "--expense", required=True, help="path to JSON expense file") parser.add_argument("-d", "--dry-run", action='store_true', default=False, help="show what would happen without actually creating the expense on Splitwise") args = parser.parse_args() CONFIG_PATH = args.config EXPENSE_PATH = args.expense DRY_RUN = args.dry_run # https://stackoverflow.com/questions/15562446/how-to-stop-flask-application-without-using-ctrl-c def shutdown_server(): func = request.environ.get('werkzeug.server.shutdown') if func is None:
from auth.auth import AuthError, requires_auth from authlib.integrations.flask_client import OAuth def create_app(test_config=None): # create and configure the app app = Flask(__name__) setup_db(app) CORS(app) # db_drop_and_create_all() return app app = create_app() app.secret_key = os.urandom(24) oauth = OAuth(app) auth0 = oauth.register( 'auth0', client_id='sTJG5iVLA8tx8loet75JrKYpTBmWTetY', client_secret= 'lsWRwh0KUhyqx06hKNf8OWPs_qXVQpz7lL7Vvou9-D5L9R1IscpvEyehq3iOce6p', api_base_url='https://full-stack-2020.us.auth0.com', access_token_url='https://full-stack-2020.us.auth0.com/oauth/token', authorize_url='https://full-stack-2020.us.auth0.com/authorize', client_kwargs={ 'scope': 'openid profile email', }, ) if __name__ == '__main__':
from authlib.integrations.flask_client import OAuth oauth = OAuth() client_id = '3silBpYY8BSfVWca3Q0suIwB8h24vMzz' domain = 'issue-tracker-7.auth0.com' def configure_oauth(client_secret): """Configures Authlib with auth0's application info.""" auth0 = oauth.register( 'auth0', client_id=client_id, client_secret=client_secret, api_base_url=f'https://{domain}', access_token_url=f'https://{domain}/oauth/token', authorize_url=f'https://{domain}/authorize', client_kwargs={'scope': 'openid profile email'}, ) return auth0
from threading import __all__ from flask import Flask, render_template, request, redirect, url_for, flash, session from flask_sqlalchemy import SQLAlchemy from authlib.integrations.flask_client import OAuth from flask_login import logout_user import datetime import json from flask_mail import Mail, Message app = Flask(__name__) app.secret_key = "Secret Key" oauth = OAuth(app) app.config['SQLALCHEMY_DATABASE_URI'] = 'mysql://root:@localhost/my_data' app.config['SQLALCHEMY_TRACK_MODIFICATIONS'] = False app.config[ 'GOOGLE_CLIENT_ID'] = "53375158605-vbg4tdc9jpa5g34cmo0j29lqbnspnjgc.apps.googleusercontent.com" app.config['GOOGLE_CLIENT_SECRET'] = "N7mHeR7Ksqw3g79vxRfuZfcs" app.config['MAIL_SERVER'] = 'smtp.gmail.com' app.config['MAIL_PORT'] = 465 app.config['MAIL_USERNAME'] = "******" app.config['MAIL_PASSWORD'] = "******" app.config['MAIL_USE_TLS'] = False app.config['MAIL_USE_SSL'] = True mail = Mail(app) google = oauth.register( name='google', client_id=app.config["GOOGLE_CLIENT_ID"],
#Load this config object for development mode app.config.from_object('configs.DevelopmentConfig') class Cache(object): def __init__(self): self._data = {} def get(self, k): return self._data.get(k) def set(self, k, v, timeout=None): self._data[k] = v def delete(self, k): if k in self._data: del self._data[k] # Cache is used for OAuth 1 services. You MUST use a real # cache service like memcache/redis on production. # THIS IS JUST A DEMO. oauth = OAuth(app, Cache()) def handle_authorize(remote, token, user_info): user_info = jsonify(user_info) return user_info for backend in OAUTH_BACKENDS: bp = create_flask_blueprint(backend, oauth, handle_authorize) app.register_blueprint(bp, url_prefix='/{}'.format(backend.OAUTH_NAME)) app.run()
import braintree from app import app import boto3, botocore from authlib.integrations.flask_client import OAuth oauth = OAuth() oauth.register('google', client_id=app.config.get("G_CLIENT_ID"), client_secret=app.config.get("G_CLIENT_SECRET"), access_token_url='https://accounts.google.com/o/oauth2/token', access_token_params=None, refresh_token_url=None, authorize_url='https://accounts.google.com/o/oauth2/auth', api_base_url='https://www.googleapis.com/oauth2/v1/', client_kwargs={ 'scope': 'https://www.googleapis.com/auth/userinfo.email', 'token_endpoint_auth_method': 'client_secret_basic', 'token_placement': 'header', 'prompt': 'consent' }) gateway = braintree.BraintreeGateway( braintree.Configuration(braintree.Environment.Sandbox, merchant_id=app.config.get("BT_MERCHANT_ID"), public_key=app.config.get("BT_PUBLIC_KEY"), private_key=app.config.get("BT_PRIVATE_KEY"))) s3 = boto3.client("s3", aws_access_key_id=app.config.get("S3_KEY"), aws_secret_access_key=app.config.get("S3_SECRET"))
import jwt from flask import Blueprint, url_for, request, session, redirect from authlib.integrations.flask_client import OAuth from flask import Flask APP_KEY = '...' APP_SECRET = '...' ALLOWED_IDS = ['*****@*****.**'] admin_auth_blueprint = Blueprint('admin_auth', __name__) app = Flask(__name__) oauth = OAuth(app) azure = oauth.register( 'azure', consumer_key=APP_KEY, consumer_secret=APP_SECRET, request_token_params={'scope': 'openid profile email'}, base_url='https://graph.microsoft.com/v1.0/', request_token_url=None, access_token_method='POST', access_token_url= 'https://login.microsoftonline.com/common/oauth2/v2.0/token', authorize_url= 'https://login.microsoftonline.com/common/oauth2/v2.0/authorize') def is_authenticated(): return session.get('admin_authenticated', False)
from flask import url_for, request, g, redirect from flask_restful import Resource, Api from flask_restful.reqparse import RequestParser from app.models import User, PlaylistLink from flask_sqlalchemy import SQLAlchemy import app.spotifyWrapper as abc from authlib.integrations.flask_client import OAuth # from flask_oauthlib.client import OAuth import json import uuid import functools #initialisation # app.config.from_object(Config) oauth = OAuth(app) def fetch_spotify_token(): # if not 'access_token' in fk.session: # return "no token # authorisation = request.headers['Authorization'].split(' ') # if authorisation[0] == 'Bearer': # return authorisation[1] # else: return fk.session['access_token'] spotify = oauth.register( 'spotify', client_id=app.config['CLIENTKEY'],