From 01d1ac23de762fd249ace070d67a100573e835ef Mon Sep 17 00:00:00 2001
From: Daniel Tsvetkov
Date: Sun, 9 May 2021 01:13:57 +0200
Subject: [PATCH] more oidc

---
 bootstrap/sensitive_dev.py | 2 ++
 oshipka/webapp/default_routes.py | 31 +++++++++++++++++++++++++------
 2 files changed, 27 insertions(+), 6 deletions(-)

diff --git a/bootstrap/sensitive_dev.py b/bootstrap/sensitive_dev.py
index d7a8fc3..85109ed 100644
--- a/bootstrap/sensitive_dev.py
+++ b/bootstrap/sensitive_dev.py
@@ -1 +1,3 @@
 ADMIN_PASSWORD = "password"
+SSO_CLIENT_ID = '123456'
+SSO_CLIENT_SECRET = 'secret'
\ No newline at end of file
diff --git a/oshipka/webapp/default_routes.py b/oshipka/webapp/default_routes.py
index 61174e3..fde7544 100644
--- a/oshipka/webapp/default_routes.py
+++ b/oshipka/webapp/default_routes.py
@@ -5,6 +5,7 @@ from flask import send_from_directory, redirect, request, url_for
 from oshipka.webapp import oshipka_bp
 from config import MEDIA_DIR, APP_BASE_URL
+from sensitive import SSO_CLIENT_ID, SSO_CLIENT_SECRET
 # TODO: VULNZ - EVERYONE HAS ACCESS TO THIS
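Review bot: The two added constants are hard-coded credentials in a tracked file, and nothing in the file says they are placeholders; that is tolerable only because this is the `_dev` template that the webapp's `from sensitive import ...` presumably gets a copy of. A one-line header such as `# Dev-only placeholders: copy this file to the untracked sensitive.py and replace every value` would keep the next reader from treating `'123456'`/`'secret'` as real, and the missing trailing newline flagged by `\ No newline at end of file` is worth fixing while here. Whether `sensitive.py` is actually excluded from version control cannot be seen from this patch and should be confirmed.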
@@ -18,15 +19,33 @@ SSO_BASE_URL = 'http://localhost:5008'
 @oshipka_bp.route('/sso')
 def sso():
-    callback_url = APP_BASE_URL + url_for('oshipka_bp.open_id_connect_code')
-    return redirect(SSO_BASE_URL + '/authenticate?callback={}'.format(urllib.parse.quote(callback_url)))
+    callback_url = APP_BASE_URL + url_for('oshipka_bp.oidc_code')
+    return redirect(SSO_BASE_URL + '/authenticate?callback={}&client_id={}'.format(
+        urllib.parse.quote(callback_url),
+        SSO_CLIENT_ID,
+    ))
-@oshipka_bp.route('/open_id_connect_code')
-def open_id_connect_code():
+@oshipka_bp.route('/oidc/code')
+def oidc_code():
     code = request.args.get('code')
+    # TODO : client_id and client_secret are passed in Authorization header
+    # https://connect2id.com/learn/openid-connect
     response = requests.get(
-        SSO_BASE_URL + "/token",
-        data={'code': code},
+        SSO_BASE_URL + "/oidc/token",
+        params={
+            'code': code,
+            'client_id': SSO_CLIENT_ID,
+            'client_secret': SSO_CLIENT_SECRET,
+        },
     )
+    if response.status_code == 200:
+        response_json = response.json()
+        access_token = response_json.get('access_token')
+        response = requests.get(
+            SSO_BASE_URL + "/endpoints/user",
+            headers={
+                'Authorization': "Bearer {}".format(access_token)
+            },
+        )
     return 'got response for token: {}'.format(response.status_code)
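Review bot: The redirect built in `sso()` carries no `state` value and `oidc_code()` redeems whatever `code` arrives in the query string, so a third party can drive a victim's browser to `/oidc/code?code=...` with a code they obtained themselves (login CSRF, the victim ends up in the attacker's account); a per-login random state should be stored in the Flask session, sent along with the `authenticate` redirect, and compared on return before the token request is made. Separately, the new token request sends `SSO_CLIENT_SECRET` as a GET query parameter, which lands verbatim in the SSO's and any intermediary's access logs; RFC 6749 §3.2 requires POST to the token endpoint, and since the commit's own TODO already says the credentials belong in the Authorization header, `requests.post(..., auth=(SSO_CLIENT_ID, SSO_CLIENT_SECRET))` gives that in one line. Both outbound `requests` calls also lack a `timeout=`, so a stalled SSO pins a worker indefinitely, and a non-JSON 200 from `/oidc/token` makes `response.json()` raise and turns into a 500. The rewrite below needs `session` added to the `flask` import and `import secrets` at the top of the file; whether the custom SSO at `SSO_BASE_URL` echoes `state` and accepts HTTP Basic client auth cannot be seen here and must be confirmed against its implementation.
```python
@oshipka_bp.route('/sso')
def sso():
    # Bind this login attempt to the browser session; the callback rejects any
    # code that does not come back with the same value (login CSRF).
    state = secrets.token_urlsafe(32)
    session['oidc_state'] = state
    callback_url = APP_BASE_URL + url_for('oshipka_bp.oidc_code')
    return redirect(SSO_BASE_URL + '/authenticate?callback={}&client_id={}&state={}'.format(
        urllib.parse.quote(callback_url),
        SSO_CLIENT_ID,
        state,
    ))


@oshipka_bp.route('/oidc/code')
def oidc_code():
    code = request.args.get('code')
    expected_state = session.pop('oidc_state', None)
    returned_state = request.args.get('state', '')
    if not code or not expected_state or not secrets.compare_digest(
            expected_state.encode(), returned_state.encode()):
        return 'invalid oidc callback', 400
    # POST with HTTP Basic client auth: the secret never appears in a URL.
    response = requests.post(
        SSO_BASE_URL + "/oidc/token",
        data={'code': code},
        auth=(SSO_CLIENT_ID, SSO_CLIENT_SECRET),
        timeout=10,
    )
    # … unchanged: userinfo request (add timeout=10) and the return …
```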