1{
2 "web": {
3 "client_id": "xxxxx",
4 "client_secret": "xxxxxxx",
5 "auth_uri": "https://accounts.google.com/o/oauth2/auth",
6 "token_uri": "https://accounts.google.com/o/oauth2/token",
7 "userinfo_uri": "https://www.googleapis.com/oauth2/v1/userinfo?alt=json",
8 "redirect_uris": [
9 "http://127.0.0.1:5000/oidc_callback"
10 ]
11 }
12}
13
import html
import json
import logging

from flask import Flask, g, jsonify
from flask_oidc import OpenIDConnect
19
# DEBUG logging is handy while wiring up the login flow; pick a quieter level
# for anything that is deployed.
logging.basicConfig(level=logging.DEBUG)

app = Flask(__name__)

# Development settings for running the example at http://127.0.0.1:5000.
# NOTE(review): SECRET_KEY is a placeholder, DEBUG/TESTING are on, and
# OIDC_ID_TOKEN_COOKIE_SECURE=False presumably leaves the Secure flag off the
# ID-token cookie -- all of these should change before the app is reachable
# beyond localhost.
app.config.update(
    SECRET_KEY='SomethingNotEntirelySecret',
    TESTING=True,
    DEBUG=True,
    # The JSON document pasted above this script is the client_secrets file.
    OIDC_CLIENT_SECRETS='client_secrets.json',
    OIDC_INTROSPECTION_AUTH_METHOD='client_secret_post',
    OIDC_TOKEN_TYPE_HINT='access_token',
    OIDC_ID_TOKEN_COOKIE_SECURE=False,
    OIDC_REQUIRE_VERIFIED_EMAIL=False,
)

oidc = OpenIDConnect(app)
36
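@app.route('/')
def hello_world():
    """Landing page: greet a logged-in user, or invite an anonymous one to log in.

    Returns an HTML snippet. The email claim comes from the identity provider,
    not from this application, so it is HTML-escaped before being embedded.
    """
    if not oidc.user_loggedin:
        return 'Welcome anonymous, <a href="/private">Log in</a>'
    # str() first: a missing claim renders as 'None' instead of raising.
    email = html.escape(str(oidc.user_getfield('email')))
    # The original paste lost the line continuation after '%', which made this
    # a syntax error; keep the whole expression inside one parenthesised form.
    return ('Hello, %s, <a href="/private">See private</a> '
            '<a href="/logout">Log out</a>') % email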
45
46
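@app.route('/private')
@oidc.require_login
def hello_me():
    """Greet the logged-in user with their email and openid_id claims.

    ``oidc.require_login`` gates the view; both claims are fetched with
    ``oidc.user_getinfo`` and an absent claim is shown as ``None``.
    The values originate from the identity provider, so they are HTML-escaped
    before being placed in the response.
    """
    info = oidc.user_getinfo(['email', 'openid_id'])
    email = html.escape(str(info.get('email')))
    openid_id = html.escape(str(info.get('openid_id')))
    return 'Hello, %s (%s)! <a href="/">Return</a>' % (email, openid_id)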
53
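@app.route('/api')
@oidc.accept_token(True, ['openid'])
def hello_api():
    """Token-protected API endpoint that greets the token's subject.

    ``accept_token(True, ['openid'])`` makes a token mandatory and requires the
    ``openid`` scope; flask-oidc exposes the token's claims on
    ``g.oidc_token_info``. The body is returned with ``jsonify`` so the
    response carries an application/json content type instead of Flask's
    default text/html for a bare string.
    """
    return jsonify({'hello': 'Welcome %s' % g.oidc_token_info['sub']})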
58
59
@app.route('/logout')
def logout():
    """Call flask-oidc's logout() and return a confirmation page linking home."""
    confirmation = 'Hi, you have been logged out! <a href="/">Return</a>'
    oidc.logout()
    return confirmation
64
65@app.route('/api')
66@oidc.accept_token(True, ['openid'])
67def hello_api():
68
69{"error": "invalid_token", "error_description": "Token required but invalid"}
70
71accept_token(require_token=False, scopes_required=None, render_errors=True)
72
    Use this to decorate view functions that should accept OAuth2 tokens; this will most likely apply to API functions.
74
75 Tokens are accepted as part of the query URL (access_token value) or a POST form value (access_token).
76
    Note that this only works if a token introspection URL is configured, as that URL will be queried for the validity and scopes of a token.