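def _handle_callback(self, auth, get_vars):
    """Finish the provider round-trip for the ``callback`` path.

    Args:
        auth: the Auth instance; when ``auth.db`` is set the mapped user is
            stored/retrieved through ``get_or_register_user``, otherwise the
            provider id is only kept in the session.
        get_vars: query variables of the callback request, passed on to
            ``self.callback`` which turns the authorization code into user data.

    Never returns normally: aborts with an HTTP error on any failure and
    otherwise redirects to the index page.
    """
    data = self.callback(get_vars)
    if not data:
        abort(401)
    error = data.get("error")
    if error:
        if isinstance(error, dict):
            code = error.get("code", 401)
            msg = error.get("message", "Unknown error")
        else:
            # plain string (or anything else): report it as a 401
            code, msg = 401, str(error)
        # `code` is provider-supplied; only pass it through as an HTTP status
        # when it actually is one, otherwise fall back to 401
        if not isinstance(code, int) or not 400 <= code < 600:
            code = 401
        abort(code, msg)
    if auth.db:
        # map returned fields into auth_user fields
        user = {}
        try:
            for key, value in self.maps.items():
                value, parts = data, value.split(".")
                for part in parts:
                    value = value[int(part) if part.isdigit() else part]
                user[key] = value
            user["sso_id"] = "%s:%s" % (self.name, user["sso_id"])
        except (KeyError, IndexError, TypeError):
            # the provider payload lacks a mapped field (or "sso_id" is not
            # mapped): treat as a failed login instead of a 500
            abort(401)
        if "username" not in user:
            user["username"] = user["sso_id"]
        # store or retrieve the user
        data = auth.get_or_register_user(user)
    else:
        # WIP Allow login without DB
        if "id" not in data:
            data["id"] = data.get("username") or data.get("email")
        user_id = data.get("id")
        auth.store_user_in_session(user_id)
    redirect(URL("index"))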
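def callback(self, query):
    """Exchange the authorization code in *query* for the token claims.

    Args:
        query: mapping of the callback query variables (``code``, ``state``).

    Returns:
        The decoded token payload (a dict) on success, ``False`` when the
        code is missing or the ``state`` check fails.
    """
    code = query.get("code")
    statecheck = query.get("state")
    if not code:
        return False
    # NOTE(review): the original compared against an undefined name
    # (`passedstate`), so this path always raised NameError. The expected
    # value is read from the parameters under the key the sibling
    # implementation uses; confirm the caller populates it. A missing
    # expected state is treated as a failed check rather than skipped.
    passed_state = self.parameters.get("passed_state")
    if passed_state is None or statecheck != passed_state:
        return False
    data = dict(
        code=code,
        client_id=self.parameters.get("client_id"),
        client_secret=self.parameters.get("client_secret"),
        redirect_uri=URL(
            self.parameters.get("callback_url"),
            scheme=self.parameters.get("scheme"),
        ),
        grant_type="authorization_code",
    )
    # bounded so a stalled provider cannot hang the worker indefinitely
    request_timeout = 10
    res = requests.post(self.token_url, data=data, timeout=request_timeout)
    token = res.json().get("access_token")
    if not token:
        # token endpoint answered without a token: nothing to decode
        return False
    # Lets not get the user attributes via the userinfo endpoint
    # but lets take the userinfo directly extracted from the token
    # res = requests.get(self.userinfo_url, headers={"Authorization": "Bearer %s" % token})
    # NOTE(review): verify=False skips signature verification, so the claims
    # below are taken on trust from the back-channel response; verifying
    # against the provider's keys is the expected practice. Whether the
    # `verify` keyword is accepted depends on the installed jwt library
    # version -- confirm. jwt.decode returns the payload dict directly
    # (the original called .json() on it, which raised AttributeError).
    data = jwt.decode(token, verify=False)
    return data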
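def callback(self, query):
    """Exchange the authorization code in *query* for user data.

    Prefers the claims of an ``id_token`` in the token response; falls back
    to calling the userinfo endpoint with the ``access_token``.

    Args:
        query: mapping of the callback query variables (``code``, ``state``).

    Returns:
        A dict of user data on success, ``False`` when the code is missing,
        the configured ``state`` does not match, or no token was returned.
    """
    code = query.get("code")
    statecheck = query.get("state")
    if not code:
        return False
    passed_state = self.parameters.get("passed_state")
    # the state is only compared when an expected value was configured
    if passed_state is not None and statecheck != passed_state:
        return False
    data = dict(
        code=code,
        client_id=self.parameters.get("client_id"),
        client_secret=self.parameters.get("client_secret"),
        redirect_uri=URL(
            self.parameters.get("callback_url"),
            scheme=self.parameters.get("scheme"),
        ),
        grant_type="authorization_code",
    )
    # bounded so a stalled provider cannot hang the worker indefinitely
    request_timeout = 10
    res = requests.post(self.token_url, data=data, timeout=request_timeout)
    output = res.json()
    token = output.get("id_token")
    if token is not None:
        # Lets not get the user attributes via the userinfo endpoint
        # but lets take the userinfo directly extracted from the token
        # res = requests.get(self.userinfo_url, headers=headers)
        # NOTE(review): verify=False skips signature verification, so these
        # claims are accepted as sent; verifying against the provider's
        # keys is the expected practice. Whether the `verify` keyword is
        # accepted depends on the installed jwt library version -- confirm.
        data = jwt.decode(token, verify=False, algorithms=self.algorithms)
    else:
        # fallback to old approach if "id_token" is not in the response
        token = output.get("access_token")
        if not token:
            # neither token present: do not call userinfo with "Bearer None"
            return False
        headers = {"Authorization": "Bearer %s" % token}
        res = requests.get(self.userinfo_url, headers=headers, timeout=request_timeout)
        data = res.json()
    return data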
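def handle_request(self, auth, path, get_vars, post_vars):
    """Dispatch the plugin sub-paths: ``login`` and ``callback``.

    Args:
        auth: the Auth instance handed on to the callback handling.
        path: sub-path after the plugin prefix.
        get_vars: query variables of the request.
        post_vars: form variables (unused here).

    ``login`` remembers the requested return page and redirects to the
    provider; ``callback`` completes the login; anything else is a 404.
    """
    if path == "login":
        from urllib.parse import urlsplit  # local import: file header not in view

        # `next` is request-controlled and later used as a redirect target:
        # only keep a local path (no scheme, no host, no backslashes that
        # browsers normalise to "//"), otherwise fall back to the index page
        requested = request.query.get("next") or ""
        parts = urlsplit(requested)
        if requested and not parts.scheme and not parts.netloc and "\\" not in requested:
            self.next = requested
        else:
            self.next = URL("index")
        redirect(self.get_login_url())
    elif path == "callback":
        self._handle_callback(auth, get_vars)
    else:
        abort(404)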
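def handle_request(self, auth, path, get_vars, post_vars):
    """Dispatch the plugin sub-paths: ``login`` and ``callback``.

    Args:
        auth: the Auth instance; its session stores the return page under
            ``"_next"`` and it is handed on to the callback handling.
        path: sub-path after the plugin prefix.
        get_vars: query variables of the request.
        post_vars: form variables (unused here).

    ``login`` remembers the requested return page and redirects to the
    provider; ``callback`` completes the login; anything else is a 404.
    """
    if path == "login":
        from urllib.parse import urlsplit  # local import: file header not in view

        # `next` is request-controlled and later used as a redirect target:
        # only keep a local path (no scheme, no host, no backslashes that
        # browsers normalise to "//"), otherwise fall back to the index page
        requested = request.query.get("next") or ""
        parts = urlsplit(requested)
        if requested and not parts.scheme and not parts.netloc and "\\" not in requested:
            auth.session["_next"] = requested
        else:
            auth.session["_next"] = URL("index")
        redirect(self.get_login_url())
    elif path == "callback":
        self._handle_callback(auth, get_vars)
    else:
        abort(404)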
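def callback(self, query):
    """Exchange the authorization code in *query* for the userinfo payload.

    Args:
        query: mapping of the callback query variables (``code``).

    Returns:
        The userinfo endpoint's JSON (a dict) on success, ``False`` when no
        code was supplied or the token endpoint returned no access token.

    NOTE(review): the ``state`` value that ``get_login_url`` can emit is not
    checked here -- the sibling implementations compare it against a
    configured ``passed_state``; confirm whether this provider needs it.
    """
    code = query.get('code')
    if not code:
        return False
    data = dict(
        code=code,
        client_id=self.parameters.get('client_id'),
        client_secret=self.parameters.get('client_secret'),
        redirect_uri=URL(self.parameters.get('callback_url'), scheme=True),
        grant_type='authorization_code',
    )
    # bounded so a stalled provider cannot hang the worker indefinitely
    request_timeout = 10
    res = requests.post(self.token_url, data=data, timeout=request_timeout)
    token = res.json().get('access_token')
    if not token:
        # do not call userinfo with "Bearer None"; report the failure instead
        return False
    headers = {'Authorization': 'Bearer %s' % token}
    res = requests.get(self.userinfo_url, headers=headers, timeout=request_timeout)
    data = res.json()
    return data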
def get_login_url(self, state=None, next=None):
    """Build the provider's authorization URL used for the login redirect.

    Args:
        state: opaque value the provider echoes back; sent as ``state`` when given.
        next: page to return to after login; carried as a ``next`` query
            variable on the callback URL when given.

    Returns:
        The login URL with the query encoded by ``_build_url``.
    """
    callback_vars = {'next': next} if next else {}
    callback_url = self.parameters.get('callback_url')
    query = {
        'access_type': 'offline',
        'redirect_uri': URL(callback_url, vars=callback_vars, scheme=True),
        'response_type': 'code',
        'client_id': self.parameters.get('client_id'),
    }
    scope = self.parameters.get('scope')
    if scope:
        query['scope'] = scope
        query['include_granted_scopes'] = 'true'
    if state:
        query['state'] = state
    return self._build_url(self.login_url, query)
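def callback(self, query):
    """Exchange the authorization code in *query* for the userinfo payload.

    Args:
        query: mapping of the callback query variables (``code``).

    Returns:
        The userinfo endpoint's JSON (a dict) on success, ``False`` when no
        code was supplied or the token endpoint returned no access token.

    NOTE(review): the ``state`` value that ``get_login_url`` can emit is not
    checked here -- the sibling implementations compare it against a
    configured ``passed_state``; confirm whether this provider needs it.
    """
    code = query.get("code")
    if not code:
        return False
    data = dict(
        code=code,
        client_id=self.parameters.get("client_id"),
        client_secret=self.parameters.get("client_secret"),
        redirect_uri=URL(self.parameters.get("callback_url"), scheme=True),
        grant_type="authorization_code",
    )
    # bounded so a stalled provider cannot hang the worker indefinitely
    request_timeout = 10
    res = requests.post(self.token_url, data=data, timeout=request_timeout)
    token = res.json().get("access_token")
    if not token:
        # do not call userinfo with "Bearer None"; report the failure instead
        return False
    headers = {"Authorization": "Bearer %s" % token}
    res = requests.get(self.userinfo_url, headers=headers, timeout=request_timeout)
    data = res.json()
    return data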
def get_login_url(self, state=None, next=None):
    """Build the provider's authorization URL used for the login redirect.

    Args:
        state: opaque value the provider echoes back; sent as ``state`` when given.
        next: page to return to after login; carried as a ``next`` query
            variable on the callback URL when given.

    Returns:
        The login URL with the query encoded by ``_build_url``.
    """
    callback_vars = {"next": next} if next else {}
    callback_url = self.parameters.get("callback_url")
    query = {
        "access_type": "offline",
        "redirect_uri": URL(callback_url, vars=callback_vars, scheme=True),
        "response_type": "code",
        "client_id": self.parameters.get("client_id"),
    }
    scope = self.parameters.get("scope")
    if scope:
        query["scope"] = scope
        query["include_granted_scopes"] = "true"
    if state:
        query["state"] = state
    return self._build_url(self.login_url, query)
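def _handle_callback(self, auth, get_vars):
    """Finish the provider round-trip for the ``callback`` path.

    Args:
        auth: the Auth instance; with ``auth.db`` the mapped user is
            stored/retrieved via ``get_or_register_user``, otherwise the
            provider payload itself is kept under ``auth.session['user']``.
        get_vars: query variables of the callback request, passed to
            ``self.callback`` which turns the authorization code into user data.

    Never returns normally: aborts with 401 on any failure and otherwise
    redirects to the index page.
    """
    data = self.callback(get_vars)
    if not data or 'error' in data:
        abort(401)
    if auth.db:
        # map returned fields into auth_user fields
        user = {}
        try:
            for key, value in self.maps.items():
                value, parts = data, value.split('.')
                for part in parts:
                    value = value[int(part) if part.isdigit() else part]
                user[key] = value
            user['sso_id'] = '%s:%s' % (self.name, user['sso_id'])
        except (KeyError, IndexError, TypeError):
            # the provider payload lacks a mapped field (or 'sso_id' is not
            # mapped): treat as a failed login instead of a 500
            abort(401)
        # store or retrieve the user
        data = auth.get_or_register_user(user)
    else:
        # WIP Allow login without DB
        if 'id' not in data:
            data['id'] = data.get('username') or data.get('email')
        # NOTE(review): the whole provider payload lands in the session here,
        # not just the id -- confirm nothing sensitive rides along in it
        auth.session['user'] = data
    redirect(URL('index'))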
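def _handle_callback(self, auth, get_vars):
    """Finish the provider round-trip for the ``callback`` path.

    Args:
        auth: the Auth instance; with ``auth.db`` the mapped user is
            stored/retrieved via ``get_or_register_user``, otherwise the
            provider payload itself is kept under ``auth.session["user"]``.
        get_vars: query variables of the callback request, passed to
            ``self.callback`` which turns the authorization code into user data.

    Never returns normally: aborts with 401 on any failure and otherwise
    redirects to the index page.
    """
    data = self.callback(get_vars)
    if not data or "error" in data:
        abort(401)
    if auth.db:
        # map returned fields into auth_user fields
        user = {}
        try:
            for key, value in self.maps.items():
                value, parts = data, value.split(".")
                for part in parts:
                    value = value[int(part) if part.isdigit() else part]
                user[key] = value
            user["sso_id"] = "%s:%s" % (self.name, user["sso_id"])
        except (KeyError, IndexError, TypeError):
            # the provider payload lacks a mapped field (or "sso_id" is not
            # mapped): treat as a failed login instead of a 500
            abort(401)
        # store or retrieve the user
        data = auth.get_or_register_user(user)
    else:
        # WIP Allow login without DB
        if "id" not in data:
            data["id"] = data.get("username") or data.get("email")
        # NOTE(review): the whole provider payload lands in the session here,
        # not just the id -- confirm nothing sensitive rides along in it
        auth.session["user"] = data
    redirect(URL("index"))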
def __init__(self, **parameters):
    """Keep the provider configuration and the default post-login target.

    Args:
        **parameters: provider settings (client id/secret, callback URL, ...)
            read later through ``self.parameters``.
    """
    # Destination after login succeeds
    self.next = URL('index')
    self.parameters = parameters