Add identity providers to your Quart application
Project description
Warning: this project is deprecated and replaced by https://pypi.org/project/Quart-Keycloak/
Quart-Session-OpenID
Adds OpenID Connect support to your Quart application.
Supports the following OAuth2 flows:
- Confidential - Authorization code flow
- Public - Implicit grant (SPA: VueJS, Angular, React, etc)
This extension assumes that the OIDC provider is Keycloak, unless specified otherwise. Known working OIDC providers:
- Keycloak
- Azure AD Connect 2.0
Quick start
$ pipenv install quart-session-openid
$ pip install quart-session-openid
Minimal example to authenticate via an external OIDC provider, Keycloak in this case:
from quart import Quart, url_for, jsonify
from quart_session_openid import OpenID
from quart_session import Session
app = Quart(__name__)
app.config['SESSION_TYPE'] = 'redis'
Session(app)
openid_keycloak_config = {
"client_id": "foobar",
"client_secret": "secret",
"configuration": "https://example.com/auth/realms/master/.well-known/openid-configuration"
}
openid_keycloak = OpenID(app, **openid_keycloak_config)
@openid_keycloak.after_token()
async def handle_user_login(resp: dict):
# incoming token(s) are *NOT* validated, it is *imperative*
# that you validate the signature like this:
access_token_decoded = openid_keycloak.verify_token(resp["access_token"])
# do some database and session stuff here (like add user to the database)
# optionally call the userinfo endpoint
user = await openid_keycloak.user_info(access_token)
return jsonify(user)
@app.route("/")
async def root():
login_url_keycloak = url_for(openid_keycloak.endpoint_name_login)
return f"""
Login via keycloak: <a href="{login_url_keycloak}">Login via Keycloak</href>
"""
app.run("localhost", port=4000, debug=True)
Example 2: Azure AD
Azure AD supports OpenID Connect and as such anyone with a Microsoft Office 365 account (or otherwise an account in Azure AD) could login into your web application.
See examples/azure_ad_v2.py for an example.
Example 3: Implicit grant
For the implicit grant flow (single page applications), Javascript is responsible
for authentication against a OIDC in order to fetch access/refresh tokens
that it presents to the backend (Quart) via a Bearer token. The backend needs to
verify incoming Bearer tokens. See examples/implicit_grant.py for an example.
Custom scopes
For user registration/login you might only need to read the user profile for the username and email. Later in the application you might require more access from the user. For this reason, you may override the scopes to generate a custom login route.
@app.route("/login/custom")
async def login_custom():
scopes = ["Team.ReadBasic.All", "user.read", "openid",
"offline_access", "email", "profile"]
return openid_microsoft.login(scopes=scopes)
This is useful to progressively ask the user for consent throughout the web application.
Multiple OIDC providers
You may create multiple OpenID(app, **settings) instances, allowing for
multiple OIDC providers. Make sure to provide custom route handlers
for the login and auth URL route (route_login and route_auth).
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Hashes for Quart-Session-OpenID-1.0.4.tar.gz
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | d899e9ef1314bacc4501d4bdf618b0c85e41631d645a7b66ed0ec887d57ce241 |
|
| MD5 | 3016b337de206cb8032a4696bffaab1d |
|
| BLAKE2b-256 | f0f97c7ba0755399c701a020f761a8139eaa12b3c746e6aec7e77b043979162e |
