
Basic Flask OpenID Connect example

With the impending shutdown of Google's support for OpenID 2, anyone using a convenient library like Flask-Googleauth will have to migrate. There is a Flask library for OpenID Connect, called flask-oidc. Unfortunately, there doesn't seem to be any info out there on how to use it. I looked for SO questions tagged flask and openid-connect, but found zero, hence this question.

Here's what I've put together as a proof-of-concept use of flask-oidc. It's based on flask-oidc's app.py file:

"""
Flask app for testing the OpenID Connect extension.
"""
from flask import Flask
# The flask.ext.* import namespace was removed in Flask 1.0; import the package directly.
from flask_oidc import OpenIDConnect

def index():
    return "too many secrets", 200, {
        'Content-Type': 'text/plain; charset=utf-8'
    }

def create_app(config, oidc_overrides=None):
    app = Flask(__name__)
    app.config.update(config)
    if oidc_overrides is None:
        oidc_overrides = {}
    oidc = OpenIDConnect(app, **oidc_overrides)
    app.route('/')(oidc.check(index))
    return app

if __name__ == '__main__':
    APP = create_app({
        'OIDC_CLIENT_SECRETS': './client_secrets.json',
        'SECRET_KEY': 'secret'})
    APP.run(host="127.0.0.1", port=8080, debug=True)

After registering my application as described here, this successfully sends the user to Google for authentication, and returns them to http://127.0.0.1:8080/oidc_callback, which then redirects them to https://127.0.0.1:8080/, but that then redirects the user back to Google for authentication, creating a redirect loop.

My question, of course, is simple: how can I get an authenticated user to see that index page?

Range vs. Range asked Mar 14 '15 08:03



1 Answer

The problem is that oidc_callback is correctly creating an authentication cookie (called oidc_id_token) and redirecting to index, but index can't retrieve that cookie because the app is hosted on HTTP, and the cookie has the Secure flag set, so the browser is unwilling to send it back to the app over HTTP.

The solution is (for local development purposes only!) to turn off the Secure flag, by setting the OpenIDConnect config item OIDC_ID_TOKEN_COOKIE_SECURE to False:

if __name__ == '__main__':
    APP = create_app({
        'OIDC_CLIENT_SECRETS': './client_secrets.json',
        'OIDC_ID_TOKEN_COOKIE_SECURE': False,
        'SECRET_KEY': 'secret'})
    APP.run(host="127.0.0.1", port=8080, debug=True)

Range vs. Range answered Sep 19 '22 12:09
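
The cookie behaviour described in the answer can be reproduced offline. The following is an added example, not part of the original question or answer and not flask-oidc code: it uses Python's standard `http.cookiejar` as a stand-in for the browser, and the `Set-Cookie` strings, the `CallbackResponse` class and the `cookie_sent_to_index` helper are constructed for illustration.

```python
"""Why a Secure oidc_id_token cookie set over plain HTTP causes a redirect loop."""
import urllib.request
from email.message import Message
from http.cookiejar import CookieJar

# Constructed Set-Cookie values; the token value is a placeholder.
SECURE_COOKIE = "oidc_id_token=constructed-token; Path=/; Secure"
PLAIN_COOKIE = "oidc_id_token=constructed-token; Path=/"


class CallbackResponse:
    """Stand-in for the /oidc_callback response: CookieJar only calls info()."""

    def __init__(self, set_cookie):
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie

    def info(self):
        return self._headers


def cookie_sent_to_index(set_cookie, base_url):
    """Return the Cookie header sent to the index page, or None if withheld."""
    jar = CookieJar()
    callback = urllib.request.Request(base_url + "/oidc_callback")
    jar.extract_cookies(CallbackResponse(set_cookie), callback)
    index = urllib.request.Request(base_url + "/")
    jar.add_cookie_header(index)  # applies the Secure rule per request scheme
    return index.get_header("Cookie")


if __name__ == "__main__":
    for label, cookie, base in [
        ("Secure cookie over HTTP", SECURE_COOKIE, "http://127.0.0.1:8080"),
        ("Secure cookie over HTTPS", SECURE_COOKIE, "https://127.0.0.1:8080"),
        ("Non-Secure cookie over HTTP", PLAIN_COOKIE, "http://127.0.0.1:8080"),
    ]:
        sent = cookie_sent_to_index(cookie, base)
        print(f"{label}: {'sent ' + sent if sent else 'withheld, so index sees no login'}")
```

Only the first case withholds the cookie, which is the redirect loop from the question; serving the app over HTTPS keeps the default Secure flag and still delivers the cookie.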