more oidc

bootstrap/sensitive_dev.py

@@ -1 +1,3 @@
 ADMIN_PASSWORD = "password"
+SSO_CLIENT_ID = '123456'
+SSO_CLIENT_SECRET = 'secret'

oshipka/webapp/default_routes.py

@@ -5,6 +5,7 @@ from flask import send_from_directory, redirect, request, url_for
 
 from oshipka.webapp import oshipka_bp
 from config import MEDIA_DIR, APP_BASE_URL
+from sensitive import SSO_CLIENT_ID, SSO_CLIENT_SECRET
 
 
 # TODO: VULNZ - EVERYONE HAS ACCESS TO THIS
@@ -18,15 +19,33 @@ SSO_BASE_URL = 'http://localhost:5008'
 
 @oshipka_bp.route('/sso')
 def sso():
-    callback_url = APP_BASE_URL + url_for('oshipka_bp.open_id_connect_code')
+    callback_url = APP_BASE_URL + url_for('oshipka_bp.oidc_code')
-    return redirect(SSO_BASE_URL + '/authenticate?callback={}'.format(urllib.parse.quote(callback_url)))
+    return redirect(SSO_BASE_URL + '/authenticate?callback={}&client_id={}'.format(
+        urllib.parse.quote(callback_url),
+        SSO_CLIENT_ID,
+    ))
 
 
-@oshipka_bp.route('/open_id_connect_code')
+@oshipka_bp.route('/oidc/code')
-def open_id_connect_code():
+def oidc_code():
     code = request.args.get('code')
+    # TODO : client_id and client_secret are passed in Authorization header
+    #        https://connect2id.com/learn/openid-connect
     response = requests.get(
-        SSO_BASE_URL + "/token",
+        SSO_BASE_URL + "/oidc/token",
-        data={'code': code},
+        params={
+            'code': code,
+            'client_id': SSO_CLIENT_ID,
+            'client_secret': SSO_CLIENT_SECRET,
+        },
+    )
+    if response.status_code == 200:
+        response_json = response.json()
+        access_token = response_json.get('access_token')
+        response = requests.get(
+            SSO_BASE_URL + "/endpoints/user",
+            headers={
+                'Authorization': "Bearer {}".format(access_token)
+            },
         )
     return 'got response for token: {}'.format(response.status_code)