Skip to content

qwc-services/qwc-oidc-auth

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

61 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

docker

OpenID Connect Authentication

Authentication service with OpenID Connect.

Dependencies

Configuration

Environment variables (single tenant):

Variable Description Default value
ISSUER_URL OpenID Connect Issuer URL -
CLIENT_ID Client ID -
CLIENT_SECRET Client secret -

Service config

  • JSON schema
  • File location: $CONFIG_PATH/<tenant>/oidcAuthConfig.json

Example:

{
  "$schema": "https://github.com/qwc-services/qwc-oidc-auth/raw/main/schemas/qwc-oidc-auth.json",
  "service": "oidc-auth",
  "config": {
    "issuer_url": "https://qwc2-dev.onelogin.com/oidc/2",
    "client_id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxxxxxx",
    "client_secret": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
  }
}

The service expects authentication service information at $ISSUER_URL/.well-known/openid-configuration

See JSON schema for optional configuration options.

Configure Access Token endpoint

It is possible to authorize connection with a external Access Token in the Authorization Header (endpoint /tokenlogin).

For each token a configuration needs to be add in authorized_api_token.

Example:

{
  "$schema": "https://github.com/qwc-services/qwc-oidc-auth/raw/main/schemas/qwc-oidc-auth.json",
  "service": "oidc-auth",
  "config": {
    "issuer_url": "https://qwc2-dev.onelogin.com/oidc/2",
    "client_id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxxxxxx",
    "client_secret": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "authorized_api_token": [{
      "keys_url": "https://public_keys_url_to_decode_token",
      "claims_options":{
        "iss": {
            "essential": true,
            "values": ["https://example.com", "https://example.org"]
        },
        "sub": {
            "essential": true,
            "value": "xxxxxxxxxxxxx"
        },
        "aud": {
          "essential": true,
          "value": "api://xxxx-xxxxxxxxx-xxxxx"
        }
      }
    }]
  }
}

claims_options are the token validation parameters which allow fine control over the content of the payload. See https://docs.authlib.org/en/latest/jose/jwt.html#jwt-payload-claims-validation.

Identity provider configuration

CLIENT_ID and CLIENT_SECRET are defined on identity provider side.

The Redirect URI is the public base URL with the endpoint /callback (Example: https://qwc2.sourcepole.ch/oauth/callback).

This redirect URI can be manually configured with redirect_uri.

Usage/Development

Create a virtual environment:

python3 -m venv .venv

Activate virtual environment:

source .venv/bin/activate

Install requirements:

pip install -r requirements.txt

Configure environment:

echo FLASK_ENV=development >.flaskenv

Start local service:

 python src/server.py

Usage

Run standalone application:

python src/server.py

Login: http://127.0.0.1:5017/login

About

QWC authentication service with OpenID Connect (OIDC)

Resources

License

Stars

Watchers

Forks

Packages

No packages published