Project description

Flask-AppBuilder SecurityManager for OpenIDConnect

PyPI

Wrapper for flask_oidc2 that exposes a SecurityManager for use with any Flask-AppBuilder app.

It will allow your users to login with OpenIDConnect providers such as Auth0, Okta or Google Apps. This version of the code extracts the roles information of OIDC ID token, and allow a request to continue only if the role is available on the application.

This is roughly inspired by the code in this stackoverflow answer. (MIT Licenced © thijsfranck)

Usage

Generic

Just override the default security manager in your Flask Appbuilder app.

from fab_oidc2.security import OIDCSecurityManager

appbuilder = AppBuilder(app, db.session, security_manager_class=OIDCSecurityManager)

Airflow

Airflow provides a hook in the webserver_config.py file where you can specify a security manager class. In webserver_config.py import the OIDCSecurityManager and set

from fab_oidc2.security import AirflowOIDCSecurityManager
...
SECURITY_MANAGER_CLASS = AirflowOIDCSecurityManager

Airflow now requires that your SECURITY_MANAGER_CLASS is a subclass of AirflowSecurityManager. Use the special AirflowOIDCSecurityManager that is only defined if you're using this library alongside Airflow.

Superset

Superset works in a a similar way. Just as in Airflow, SECURITY_MANAGER_CLASS needs to be a subclass of SupersetSecurityManager the config is in a file called superset_config.py and the hook is called CUSTOM_SECURITY_MANAGER. There now exists a special SupersetOIDCSecurityManager that is only defined if you are using this library alongside Superset.

from fab_oidc2.security import SupersetOIDCSecurityManager
...
CUSTOM_SECURITY_MANAGER = SupersetOIDCSecurityManager

Settings

The settings are the same as the [flask_oidc settings][flask_oidc_settings], so look there for a reference.

if you're happy with [flask_oidc]'s defaults the only thing you'll really need is something like:

OIDC_CLIENT_SECRETS = '/path/to/client_secret.json'

see the [flask_oidc manual client registration][flask_oidc_manual_config] docs for how to generate or write one.

OIDC Field configuration

If you like to change the default OIDC field that will be used as a username, first name, last name and granting access via OIDC roles, you can set the following env var in the shell you run your process:

export USERNAME_OIDC_FIELD='preferred_username'
export FIRST_NAME_OIDC_FIELD='given_name'
export LAST_NAME_OIDC_FIELD='family_name'
export ENABLE_ROLE_OIDC_ACCESS='true'
export ROLES_OIDC_FIELD='roles'

Project status

This is a fork of the project [ministryofjustice/fab-oidc]: https://github.com/ministryofjustice/fab-oidc

Project details

These details have not been verified by PyPI

Project links

Development Status
- 3 - Alpha
Environment
- Web Environment
Intended Audience
- Developers
License
- OSI Approved :: MIT License
Operating System
- OS Independent
Programming Language
- Python
- Python :: 3
Topic
- Software Development :: Libraries :: Python Modules

Release history Release notifications | RSS feed

This version

0.0.3

Mar 26, 2021

0.0.2

Oct 22, 2020

0.0.1

Oct 22, 2020

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

fab_oidc2-0.0.3.tar.gz (6.7 kB view hashes)

Uploaded Mar 26, 2021 Source

Built Distribution

fab_oidc2-0.0.3-py3-none-any.whl (6.2 kB view hashes)

Uploaded Mar 26, 2021 Python 3

Hashes for fab_oidc2-0.0.3.tar.gz

Hashes for fab_oidc2-0.0.3.tar.gz
Algorithm	Hash digest
SHA256	`723194565721a68862f529d6f644e52fbf381c9294c4942bf4522de227b62426`
MD5	`3990839db96cad6231c939a2d5c725b9`
BLAKE2b-256	`cb8108f634bc7e4ca548575c9c3e5857acc965985e132e0dc493bbc7f4e94876`

Hashes for fab_oidc2-0.0.3-py3-none-any.whl

Hashes for fab_oidc2-0.0.3-py3-none-any.whl
Algorithm	Hash digest
SHA256	`97916dbffc04e5061febe83e69b6aacc8d69f4d7ff6d9efc26941d94d336b381`
MD5	`118c246f7c43159a78dec5d9918384e2`
BLAKE2b-256	`8e42c083e127c1ca3136ee9eb5cba33acb2866ea327f8e8a2aab22e00decb786`