Menu
With the impending shutdown of Google's support for OpenID 2, anyone using a convenient library like Flask-Googleauth will have to migrate. There is a Flask library for OpenID Connect, called flask-oidc. Unfortunately, there doesn't seem to be any info out there on how to use it. I looked for SO questions tagged flask and openid-connect, but found zero, hence this question.
Here's what I've put together as a proof-of-concept use of flask-oidc. It's based on flask-oidc's app.py file:
"""
Flask app for testing the OpenID Connect extension.
"""
from flask import Flask
from flask.ext.oidc import OpenIDConnect
def index():
return "too many secrets", 200, {
'Content-Type': 'text/plain; charset=utf-8'
}
def create_app(config, oidc_overrides=None):
app = Flask(__name__)
app.config.update(config)
if oidc_overrides is None:
oidc_overrides = {}
oidc = OpenIDConnect(app, **oidc_overrides)
app.route('/')(oidc.check(index))
return app
if __name__ == '__main__':
APP = create_app({
'OIDC_CLIENT_SECRETS': './client_secrets.json',
'SECRET_KEY': 'secret'})
APP.run(host="127.0.0.1", port=8080, debug=True)
After registering my application as described here, this successfully sends the user to Google for authentication, and returns them to http://127.0.0.1:8080/oidc_callback, which then redirects them to https://127.0.0.1:8080/, but that then redirects the user back to Google for authentication, creating a redirect loop.
My question, of course, is simple: how can I get an authenticated user to see that index page?
536
Logging into Spotify with your Facebook account is a good example of how OpenID could be applied: You log into Facebook. Facebook sends your name and e-mail to Spotify. Spotify uses those details to identify you.
Flask-OIDC is an extension to Flask that allows you to add OpenID Connect based authentication to your website in a matter of minutes. It depends on Flask and oauth2client. You can install the requirements from PyPI with easy_install or pip or download them by hand.
The problem is that oidc_callback is correctly creating an authentication cookie (called oidc_id_token) and redirecting to index, but index can't retrieve that cookie because the app is hosted on HTTP, and the cookie has the Secure flag set, so the browser is unwilling to send it back to the app over HTTP.
The solution is (for local development purposes only!) to turn off the Secure flag, by setting the OpenIDConnect config item OIDC_ID_TOKEN_COOKIE_SECURE to False:
if __name__ == '__main__':
APP = create_app({
'OIDC_CLIENT_SECRETS': './client_secrets.json',
'OIDC_ID_TOKEN_COOKIE_SECURE': False,
'SECRET_KEY': 'secret'})
APP.run(host="127.0.0.1", port=8080, debug=True)
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With