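async def dispatch(self, request, call_next):
    """Populate ``request.session['user']`` from a ``Bearer`` token, then run the chain.

    The ``Authorization`` header is optional: without one (or with an empty
    token after the scheme) the request passes straight through.  Otherwise
    every entry of ``registed_validator`` is tried in order; the first one
    that accepts the token *and* whose ``client_id`` matches the token's
    ``azp`` or ``aud`` claim decides the user, which is stored as JSON in
    the session.  ``call_next`` is awaited and its response returned in
    every case, so a bad token never blocks the request here.

    Args:
        request: incoming request; ``.headers`` and ``.session`` are used.
        call_next: downstream handler to await.

    Returns:
        Whatever ``call_next(request)`` returns.
    """
    authheader = request.headers.get("Authorization")
    if authheader and authheader.lower().startswith("bearer "):
        # split(" ", 1) keeps any spaces inside the token itself; strip()
        # removes padding so "Bearer  <tok>" does not yield " <tok>".
        _, token_str = authheader.split(" ", 1)
        token_str = token_str.strip()
        if token_str:
            for validator_name, validator in registed_validator.items():
                logger.info("Trying to validate token with %s", validator_name)
                is_token, id_token = validator.valide_token(token_str)
                if not is_token:
                    # NOTE(review): presumably (False, _) means "not a token
                    # at all", so no further validator is consulted — confirm.
                    break
                if not id_token:
                    # A token, but not one this provider issued: try the next.
                    continue
                # Audience check (issuer/signature are presumably enforced
                # inside valide_token — confirm).  RFC 7519 allows `aud` to
                # be a single string or a list; normalise to a list so the
                # membership test is an exact match, not a substring search
                # on a string value.
                aud = id_token.get('aud')
                if isinstance(aud, str):
                    aud = [aud]
                if id_token.get('azp') != validator.client_id and (not aud or validator.client_id not in aud):
                    logger.info('Token is valid, not expired, but not belonged to this client')
                    break
                logger.info("Validate token with %s success", validator_name)
                username = oauth_username_func(id_token)
                email = id_token.get('email', '')
                # Roles are read from the per-client section of resource_access.
                access = id_token.get('resource_access', {})
                roles = access.get(validator.client_id, {}).get('roles', [])
                user = User(username, email, roles, id_token.get('picture', ''))
                request.session['user'] = user.to_json()
                break
    return await call_next(request)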
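async def authenticate(self, request):
    """Resolve the session into ``(AuthCredentials, user)`` for the auth middleware.

    Every provider in ``ENABLED_PROVIDERS`` that is not listed in
    ``AUTH_UNSUPPORT_PROVIDERS`` must have ``<provider>_token`` and
    ``<provider>_expiry`` entries in the session, and the expiry must lie
    more than one minute in the future.  Missing data yields an anonymous
    result; an expired or unreadable expiry additionally clears the session
    via ``unauth``.  On success a ``User`` is built with one provider object
    per enabled provider.

    Args:
        request: incoming request; only ``request.session`` is read.

    Returns:
        ``(user.auth_credentials, user)`` on success, otherwise
        ``(AuthCredentials([]), UnauthenticatedUser())``.
    """
    from datetime import timezone
    from helpdesk.models.user import User
    from helpdesk.models.provider import get_provider
    from helpdesk.config import ENABLED_PROVIDERS, AUTH_UNSUPPORT_PROVIDERS

    # Log only the user entry: the session also carries the provider tokens,
    # which must not end up in log files.
    username = request.session.get('user')
    logger.debug('session user: %s', username)
    if not username:
        # Checked up front so an empty provider list cannot raise KeyError below.
        logger.debug('no user in session, unauth')
        return AuthCredentials([]), UnauthenticatedUser()

    # Stored expiries look like '2019-05-28T10:34:03.240708Z' (UTC).
    deadline = datetime.now(timezone.utc) + timedelta(minutes=1)
    for provider_type in ENABLED_PROVIDERS:
        if provider_type in AUTH_UNSUPPORT_PROVIDERS:
            continue
        token = request.session.get(f'{provider_type}_token')
        expiry = request.session.get(f'{provider_type}_expiry')
        if not token or not expiry:
            logger.debug(f'{provider_type} auth error, unauth')
            return AuthCredentials([]), UnauthenticatedUser()
        try:
            expires_at = datetime.strptime(expiry, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
        except (TypeError, ValueError):
            # An unreadable expiry is handled like an expired one instead of a 500.
            logger.debug('%s expiry %r is not parseable, unauth.', provider_type, expiry)
            unauth(request)
            return AuthCredentials([]), UnauthenticatedUser()
        if expires_at < deadline:
            logger.debug('token expiry time is in 1 minute, unauth.')
            unauth(request)
            return AuthCredentials([]), UnauthenticatedUser()

    providers = {
        provider_type: get_provider(provider_type, token=request.session.get(f'{provider_type}_token'), user=username)
        for provider_type in ENABLED_PROVIDERS
    }
    user = User(username=username, providers=providers)
    return user.auth_credentials, user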
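async def callback(request):
    """Finish the OAuth/OIDC login: exchange the code and record the user in the session.

    ``provider`` comes from the route's path parameters and selects the
    ``oauth_clients`` entry.  The ID token is turned into a ``User`` (name
    via ``oauth_username_func``, roles from the ``resource_access`` claim
    for this client) and stored as JSON in ``request.session['user']``.
    The response is a tiny page that closes the popup the login ran in.

    Args:
        request: the callback request carrying the authorization response.

    Returns:
        ``HTMLResponse``: 404 for an unknown provider name, 200 otherwise.
    """
    provider = request.path_params.get('provider', '')
    if provider not in oauth_clients:
        # An unknown provider in the URL is a client error, not a 500.
        logger.warning("oauth callback for unknown provider %r", provider)
        return HTMLResponse("unknown provider", 404)
    client = oauth_clients[provider]
    token = await client.authorize_access_token(request)
    id_token = await client.parse_id_token(request, token)
    username = oauth_username_func(id_token)
    # Do not log the whole ID token: it carries e-mail, picture and other PII.
    logger.debug("auth succeed for %s via %s", username, provider)
    # 'email' is optional in OIDC; default to '' as the bearer-token path does.
    email = id_token.get('email', '')
    access = id_token.get('resource_access', {})
    roles = access.get(client.client_id, {}).get('roles', [])
    user = User(username, email, roles, id_token.get('picture', ''))
    request.session['user'] = user.to_json()
    return HTMLResponse("<script>window.close()</script>", 200)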
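async def authenticate(self, request):
    """Rebuild the ``User`` stored in the session for Starlette's auth middleware.

    Args:
        request: incoming request; only ``request.session['user']`` is read.

    Returns:
        ``(user.auth_credentials, user)`` when the session holds a JSON user
        that ``User.from_json`` accepts, otherwise
        ``(AuthCredentials([]), UnauthenticatedUser())``.  A malformed
        session value is logged and treated as anonymous, never raised.
    """
    from helpdesk.models.user import User

    userinfo = request.session.get('user')
    # Log only the user entry; the session may also hold provider tokens.
    logger.debug('session user: %s', userinfo)
    if not userinfo:
        return AuthCredentials([]), UnauthenticatedUser()
    try:
        user = User.from_json(userinfo)
        credentials = user.auth_credentials
    except Exception:
        # Best-effort on purpose: a corrupt or legacy session value must not
        # fail every request, but it should not disappear silently either.
        logger.warning('could not rebuild user from session, treating as unauthenticated', exc_info=True)
        return AuthCredentials([]), UnauthenticatedUser()
    return credentials, user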