Commit 3b347d39 authored by Frédéric Mangano-Tarumi's avatar Frédéric Mangano-Tarumi Committed by Lukas Fleischer
Browse files

Crude OpenID Connect client using Authlib



Developers can go to /sso/login to get redirected to the SSO. On
successful login, the ID token is displayed.
Signed-off-by: Lukas Fleischer's avatarLukas Fleischer <lfleischer@archlinux.org>
parent b1300117
......@@ -11,7 +11,8 @@ before_script:
base-devel git gpgme protobuf pyalpm python-mysql-connector
python-pygit2 python-srcinfo python-bleach python-markdown
python-sqlalchemy python-alembic python-pytest python-werkzeug
python-pytest-tap python-fastapi uvicorn nginx
python-pytest-tap python-fastapi uvicorn nginx python-authlib
python-itsdangerous python-httpx
test:
script:
......
......@@ -13,7 +13,8 @@ INSTALL.
# pacman -S --needed php php-sqlite sqlite words fortune-mod \
python python-sqlalchemy python-alembic \
python-fastapi uvicorn nginx
python-fastapi uvicorn nginx \
python-authlib python-itsdangerous python-httpx
Ensure to enable the pdo_sqlite extension in php.ini.
......
from fastapi import FastAPI
from starlette.middleware.sessions import SessionMiddleware
import aurweb.config
from aurweb.routers import sso
app = FastAPI()
session_secret = aurweb.config.get("fastapi", "session_secret")
if not session_secret:
raise Exception("[fastapi] session_secret must not be empty")
app.add_middleware(SessionMiddleware, secret_key=session_secret)
app.include_router(sso.router)
"""
API routers for FastAPI.
See https://fastapi.tiangolo.com/tutorial/bigger-applications/
"""
import fastapi
from authlib.integrations.starlette_client import OAuth
from starlette.requests import Request
import aurweb.config
router = fastapi.APIRouter()
oauth = OAuth()
oauth.register(
name="sso",
server_metadata_url=aurweb.config.get("sso", "openid_configuration"),
client_kwargs={"scope": "openid"},
client_id=aurweb.config.get("sso", "client_id"),
client_secret=aurweb.config.get("sso", "client_secret"),
)
@router.get("/sso/login")
async def login(request: Request):
redirect_uri = aurweb.config.get("options", "aur_location") + "/sso/authenticate"
return await oauth.sso.authorize_redirect(request, redirect_uri, prompt="login")
@router.get("/sso/authenticate")
async def authenticate(request: Request):
token = await oauth.sso.authorize_access_token(request)
user = await oauth.sso.parse_id_token(request, token)
return dict(user)
......@@ -60,6 +60,9 @@ def generate_nginx_config():
location / {{
proxy_pass http://{aurweb.config.get("php", "bind_address")};
}}
location /sso {{
proxy_pass http://{aurweb.config.get("fastapi", "bind_address")};
}}
}}
}}
""")
......
......@@ -68,6 +68,14 @@ username-regex = [a-zA-Z0-9]+[.\-_]?[a-zA-Z0-9]+$
git-serve-cmd = /usr/local/bin/aurweb-git-serve
ssh-options = restrict
[sso]
openid_configuration =
client_id =
client_secret =
[fastapi]
session_secret =
[serve]
repo-path = /srv/http/aurweb/aur.git/
repo-regex = [a-z0-9][a-z0-9.+_-]*$
......
......@@ -20,6 +20,12 @@ aur_location = http://127.0.0.1:8080
disable_http_login = 0
enable-maintenance = 0
; Single sign-on
[sso]
openid_configuration = http://127.0.0.1:8083/auth/realms/aurweb/.well-known/openid-configuration
client_id = aurweb
client_secret =
[php]
; Address PHP should bind when spawned in development mode by aurweb.spawn.
bind_address = 127.0.0.1:8081
......@@ -30,3 +36,6 @@ htmldir = YOUR_AUR_ROOT/web/html
[fastapi]
; Address uvicorn should bind when spawned in development mode by aurweb.spawn.
bind_address = 127.0.0.1:8082
; Passphrase FastAPI uses to sign client-side sessions.
session_secret = secret
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment