Keycloak based authentication policy for Pyramid
Project description
Keycloak based authentication policy for Pyramid framework
Authentication policy which uses Keycloak's OpenID API via a client to authenticate the user. It uses cookies to hold the access token and the refresh token.
This package is dependant on the package python-keycloak
.
Usage
from keycloak import KeycloakOpenID
from pyramid.config import Configurator
from keycloak_auth_policy import KeycloakBasedAuthenticationPolicy
def main():
openid_client = KeycloakOpenID(...)
config = Configurator()
config.set_authentication_policy(
KeycloakBasedAuthenticationPolicy(openid_client))
You have to handle the redirect logic in your forbidden view based on your needs:
from pyramid.httpexceptions import HTTPFound, HTTPForbidden
from pyramid.request import Request
from pyramid.view import forbidden_view_config
@forbidden_view_config()
def forbidden_view(request: Request):
if ...: # user has no privileges
raise HTTPForbidden("You don't have permissions for this action")
# Keycloak's URL to redirect to where the user can log in
url = ...
# you can either redirect to the URL or return it if you have a client
# which consumes your API
return HTTPFound(url)
You also need to have a callback endpoint where Keycloak redirects to after a successful login
from keycloak.exceptions import KeycloakError
from pyramid.httpexceptions import HTTPFound
from pyramid.request import Request
from pyramid.view import view_defaults, view_config
@view_defaults(renderer='json')
class AuthApi:
def __init__(self, request: Request) -> None:
self.request = request
self._openid_client = ... # get OpenID client
@view_config(route_name='auth.exchange', request_method='GET',
permission='public')
def exchange(self):
try:
token_response = self._openid_client.exchange(
self.request.GET.get("code"),
self.request.route_url("auth.exchange")) # the redirect URI
except KeycloakError as e:
... # handle exception
access_token = token_response.get("access_token")
refresh_token = token_response.get("refresh_token")
# set the tokens as cookies to the client and return a response
# you can either redirect from here or if your application is consumed
# as an API you can return a successful response
response = HTTPFound(...)
response.set_cookie("refresh_token_cookie_name", refresh_token)
response.set_cookie("access_token_cookie_name", access_token)
return response
You can also implement a logout endpoint if you feel like to
from pyramid.security import forget
...
@view_config(route_name='auth.logout', request_method='GET',
permission='private')
def logout(self):
headers = forget(self.request)
response = self.request.response
response.headerlist.extend(headers)
return response
For more information see the docstrings of each method in the source.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Close
Hashes for pyramid_keycloak-0.0.13-py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | b5ddb84b61c749f3c36f053545a16a39ebca42ec2bcec9a60274215deae12f79 |
|
MD5 | cfa0c00f7cc1dcbdd8133218e9efbe7e |
|
BLAKE2b-256 | a8f1858c9d6950cdad32ba7dc164e6ea5eb3212b17ac6736538117fc452648a0 |