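def before_request():
    """Populate ``g`` with the identity of the OIDC-authenticated user.

    Runs before every request. When an OIDC session is active, ``g.user`` is
    the ``name`` claim, ``g.role`` defaults to ``"employee"`` and is
    overridden (together with ``g.empId``) from the ``role`` / ``emp_id``
    attributes of the Keycloak user whose email matches the session's
    ``email`` claim (case-insensitive). Without a session ``g.user`` is
    ``None``.

    Note: this authenticates with the admin credentials from ``app_config``
    and lists every realm user on each request; consider caching the result
    or querying by email instead.
    """
    if not oidc.user_loggedin:
        g.user = None
        return

    g.user = oidc.user_getfield('name')
    g.role = "employee"

    email = oidc.user_getfield('email')
    if not email:
        # No email claim: nothing to match against, keep the default role.
        return
    wanted = email.strip().lower()

    keycloak_admin = KeycloakAdmin(server_url=app_config['KEYCLOAK_URL'],
                                   username=app_config['USERNAME'],
                                   password=app_config['PASSWORD'],
                                   realm_name=app_config['REALM_NAME'],
                                   verify=True)
    for user in keycloak_admin.get_users({}):
        # Users without an email (or without attributes) must not raise.
        user_email = user.get('email')
        if not user_email or user_email.strip().lower() != wanted:
            continue
        attributes = user.get('attributes') or {}
        role = attributes.get('role')
        emp_id = attributes.get('emp_id')
        if role:
            g.role = role[0]
        if emp_id:
            g.empId = emp_id[0]
        # Emails are expected to be unique per realm; stop at the first match
        # and avoid printing user records (personal data) to stdout.
        break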
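        def decorated_function(*args, **kwargs):
            """Run ``func`` only if the caller holds a role of the required group.

            Roles are read from the ``role`` claim of the current access token.
            A missing claim (expired or absent token) redirects to the auth
            server; an ``admin`` role is always allowed; otherwise any role of
            the ``auth_groups`` entry named ``self.role_required`` grants
            access, and everything else renders the 403 page.
            """
            # Roles configured for the required permission group.
            auth_group = db.session.query(auth_groups).filter_by(name=self.role_required).first()

            # Roles carried by the user's access token.
            access_token = oidc.get_access_token()
            user_permission = oidc.user_getfield('role', access_token)
            if user_permission is None:
                # Token invalid or roles not extractable: re-authenticate.
                return oidc.redirect_to_auth_server(None, request.values)

            # "admin" may do anything.  NOTE(review): if the claim is a plain
            # string rather than a list, ``in`` is a substring test - confirm
            # the claim shape.
            if 'admin' in user_permission:
                return func(*args, **kwargs)

            # Unknown group name: nothing can match, deny instead of crashing.
            if auth_group is None:
                return render_template("mod_auth/403.html", user=get_userobject())

            if any(role.name in user_permission for role in auth_group.roles):
                return func(*args, **kwargs)
            return render_template("mod_auth/403.html", user=get_userobject())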
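def logout():
    """End the local OIDC session and redirect to Keycloak's logout endpoint.

    The email is read before ``oidc.logout()`` clears the session so it can
    still be logged. The app's root URL (from ``request.url_root``, which is
    derived from the request's Host header) is passed to Keycloak as a
    URL-encoded ``redirect_uri``.
    """
    from urllib.parse import urlencode

    email = oidc.user_getfield('email')
    oidc.logout()
    redirect_url = request.url_root.strip('/')
    keycloak_issuer = oidc.client_secrets.get('issuer')
    keycloak_logout_url = '{}/protocol/openid-connect/logout'.format(keycloak_issuer)
    _logger.info('%s logged out', email)

    # Encode the query so a redirect target containing '&', '#' or spaces is
    # not split or misparsed by the logout endpoint.
    return redirect('{}?{}'.format(keycloak_logout_url,
                                   urlencode({'redirect_uri': redirect_url})))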
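def callback(data):
    """OIDC post-login callback: sync the authenticated user into the DB.

    Reads ``sub`` and ``role`` from the current access token, stores the
    subject in ``session['user_id']``, syncs the role groups via
    ``lodurGroupsToDB`` and creates or updates the ``User`` row keyed by
    ``open_id``. Redirects to ``/`` on success and on error; returns an error
    string if a new user's subject is not in ``oidc.credentials_store``.
    ``data`` is accepted for the caller's signature and is not used.
    """
    print("oauth. Start Callback")
    try:
        access_token = oidc.get_access_token()
        user_id = oidc.user_getfield('sub', access_token)
        session['user_id'] = user_id
        user_permission = oidc.user_getfield('role', access_token)
        # Sync the Lodur groups into the DB.
        lodurGroupsToDB(user_permission)

        username = oidc.user_getfield('user_name', access_token)
        email = oidc.user_getfield('email', access_token)
        user = User.query.filter_by(open_id=user_id).first()
        if user is not None:
            # User already exists: refresh its fields (no commit here, as
            # in the original flow).
            user.username = username
            user.email = email
        else:
            # New user: only persist if the subject is known to the
            # credentials store.
            if user_id not in oidc.credentials_store:
                return "ERROR: User can't find in Credentials Store."
            user = User(username, email, user_id)
            db.session.add(user)
            db.session.commit()
    except Exception as exc:
        # A bare ``except:`` that did ``str + sys.exc_info()`` raised a
        # TypeError inside the handler and masked the real error.
        print("oauth. Error found: {!r}".format(exc))
        return redirect('/')

    return redirect('/')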
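def hr_dashboard():
    """Render the HR dashboard page.

    Does not print the user's ``attributes`` claim: it carries personal data
    and must not end up in stdout/log output on every hit.
    """
    return render_template('home/hr_dashboard.html', title='Admin Dashboard')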
def before_request():
    """Attach the Okta user of the current OIDC session to ``g.user``.

    The user is looked up by the ``sub`` claim; ``g.user`` is ``None`` when
    nobody is logged in.
    """
    current_user = None
    if oidc.user_loggedin:
        subject = oidc.user_getfield("sub")
        current_user = okta_client.get_user(subject)
    g.user = current_user
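def login():
    """Log the successful login and redirect to the index view."""
    # Lazy %-style logging args: the message is only formatted when INFO is
    # enabled.
    _logger.info('%s logged in successfully', oidc.user_getfield('email'))
    return redirect(url_for('view.index'))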