OpenID Connect Authentication

Authentication service with OpenID Connect.

Dependencies

Configuration

Environment variables (single tenant):

Variable	Description	Default value
`ISSUER_URL`	OpenID Connect Issuer URL	-
`CLIENT_ID`	Client ID	-
`CLIENT_SECRET`	Client secret	-

Service config

JSON schema
File location: $CONFIG_PATH/<tenant>/oidcAuthConfig.json

Example:

{
  "$schema": "https://github.com/qwc-services/qwc-oidc-auth/raw/main/schemas/qwc-oidc-auth.json",
  "service": "oidc-auth",
  "config": {
    "issuer_url": "https://qwc2-dev.onelogin.com/oidc/2",
    "client_id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxxxxxx",
    "client_secret": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
  }
}

The service expects authentication service information at $ISSUER_URL/.well-known/openid-configuration

See JSON schema for optional configuration options.

Configure Access Token endpoint

It is possible to authorize connection with a external Access Token in the Authorization Header (endpoint /tokenlogin).

For each token a configuration needs to be add in authorized_api_token.

Example:

{
  "$schema": "https://github.com/qwc-services/qwc-oidc-auth/raw/main/schemas/qwc-oidc-auth.json",
  "service": "oidc-auth",
  "config": {
    "issuer_url": "https://qwc2-dev.onelogin.com/oidc/2",
    "client_id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxxxxxx",
    "client_secret": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "authorized_api_token": [{
      "keys_url": "https://public_keys_url_to_decode_token",
      "claims_options":{
        "iss": {
            "essential": true,
            "values": ["https://example.com", "https://example.org"]
        },
        "sub": {
            "essential": true,
            "value": "xxxxxxxxxxxxx"
        },
        "aud": {
          "essential": true,
          "value": "api://xxxx-xxxxxxxxx-xxxxx"
        }
      }
    }]
  }
}

claims_options are the token validation parameters which allow fine control over the content of the payload. See https://docs.authlib.org/en/latest/jose/jwt.html#jwt-payload-claims-validation.

Identity provider configuration

CLIENT_ID and CLIENT_SECRET are defined on identity provider side.

The Redirect URI is the public base URL with the endpoint /callback (Example: https://qwc2.sourcepole.ch/oauth/callback).

This redirect URI can be manually configured with redirect_uri.

Usage/Development

Create a virtual environment:

python3 -m venv .venv

Activate virtual environment:

source .venv/bin/activate

Install requirements:

pip install -r requirements.txt

Configure environment:

echo FLASK_ENV=development >.flaskenv

Start local service:

 python src/server.py

Usage

Run standalone application:

python src/server.py

benoitblanc / qwc-oidc-auth Goto Github PK

qwc-oidc-auth's Introduction

OpenID Connect Authentication

Dependencies

Configuration

Service config

Configure Access Token endpoint

Identity provider configuration

Usage/Development

Usage

qwc-oidc-auth's People

Contributors

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent