qwc-services/qwc-oidc-auth

OpenID Connect Authentication

Authentication service with OpenID Connect.

Dependencies

Configuration

Environment variables (single tenant):

Variable        Description                  Default value
ISSUER_URL      OpenID Connect Issuer URL    -
CLIENT_ID       Client ID                    -
CLIENT_SECRET   Client secret                -

Service config

  • JSON schema
  • File location: $CONFIG_PATH/<tenant>/oidcAuthConfig.json

Example:

{
  "$schema": "https://github.com/qwc-services/qwc-oidc-auth/raw/main/schemas/qwc-oidc-auth.json",
  "service": "oidc-auth",
  "config": {
    "issuer_url": "https://qwc2-dev.onelogin.com/oidc/2",
    "client_id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxxxxxx",
    "client_secret": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
  }
}

The service reads the identity provider's metadata (endpoints, JWKS URI, supported algorithms) from the OpenID Connect Discovery document at $ISSUER_URL/.well-known/openid-configuration

See JSON schema for optional configuration options.
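Added example, not code from the qwc-oidc-auth project: what a client should check when it consumes the discovery document before trusting any endpoint in it. The discovery JSON below is constructed for the example (the OneLogin URLs are placeholders taken from the config above, not a real provider), the issuer comparison follows the OpenID Connect Discovery rule that the document's issuer must match the URL it was fetched from, and the function names are mine.

```python
import json
from urllib.parse import urlsplit

# Constructed sample discovery document for the example; nothing is fetched.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://qwc2-dev.onelogin.com/oidc/2",
    "authorization_endpoint": "https://qwc2-dev.onelogin.com/oidc/2/auth",
    "token_endpoint": "https://qwc2-dev.onelogin.com/oidc/2/token",
    "jwks_uri": "https://qwc2-dev.onelogin.com/oidc/2/certs",
    "userinfo_endpoint": "https://qwc2-dev.onelogin.com/oidc/2/me",
    "response_types_supported": ["code"],
    "id_token_signing_alg_values_supported": ["RS256"],
})

# Endpoints the authorization-code flow cannot work without.
REQUIRED = ("authorization_endpoint", "token_endpoint", "jwks_uri")


def discovery_url(issuer_url):
    """Location of the provider metadata for a configured issuer_url."""
    return issuer_url.rstrip("/") + "/.well-known/openid-configuration"


def load_discovery(issuer_url, document):
    """Parse a discovery document and return the endpoints we rely on.

    Raises ValueError if the document is not acceptable. The issuer check is
    the important one: a document whose "issuer" differs from the configured
    issuer_url must not be used, otherwise tokens minted by a different
    issuer could be accepted later.
    """
    doc = json.loads(document)
    expected = issuer_url.rstrip("/")
    # Trailing-slash tolerance is a convenience for config values; everything
    # else (scheme, host, path) has to match exactly.
    if doc.get("issuer", "").rstrip("/") != expected:
        raise ValueError(f"issuer mismatch: {doc.get('issuer')!r} != {expected!r}")
    endpoints = {}
    for key in REQUIRED:
        url = doc.get(key)
        if not url:
            raise ValueError(f"discovery document lacks {key}")
        # Metadata is only as trustworthy as the channel it names.
        if urlsplit(url).scheme != "https":
            raise ValueError(f"{key} is not https: {url}")
        endpoints[key] = url
    return endpoints


def discovery_error(issuer_url, document):
    """None if the document is accepted, otherwise the rejection reason."""
    try:
        load_discovery(issuer_url, document)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(load_discovery("https://qwc2-dev.onelogin.com/oidc/2", SAMPLE_DISCOVERY))
```

The same check applies when `issuer_url` points at a proxy or a rewritten hostname: if the provider's document still advertises its canonical issuer, the mismatch is a configuration error to fix on the provider side, not something to paper over in the client.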

Configure Access Token endpoint

A connection can also be authorized with an external access token sent in the Authorization header (endpoint /tokenlogin).

Each kind of accepted token needs its own entry in authorized_api_token.

Example:

{
  "$schema": "https://github.com/qwc-services/qwc-oidc-auth/raw/main/schemas/qwc-oidc-auth.json",
  "service": "oidc-auth",
  "config": {
    "issuer_url": "https://qwc2-dev.onelogin.com/oidc/2",
    "client_id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxxxxxx",
    "client_secret": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "authorized_api_token": [{
      "keys_url": "https://public_keys_url_to_decode_token",
      "claims_options":{
        "iss": {
            "essential": true,
            "values": ["https://example.com", "https://example.org"]
        },
        "sub": {
            "essential": true,
            "value": "xxxxxxxxxxxxx"
        },
        "aud": {
          "essential": true,
          "value": "api://xxxx-xxxxxxxxx-xxxxx"
        }
      }
    }]
  }
}

claims_options are the token validation parameters which allow fine control over the content of the payload. See https://docs.authlib.org/en/latest/jose/jwt.html#jwt-payload-claims-validation.

Identity provider configuration

CLIENT_ID and CLIENT_SECRET are defined on the identity provider side when the client is registered.

The Redirect URI to register there is the public base URL of the service with the endpoint /callback appended (example: https://qwc2.sourcepole.ch/oauth/callback).

If the service cannot derive this URI from the request (for example behind a reverse proxy), it can be set explicitly with the redirect_uri config option.

Usage/Development

Create a virtual environment:

python3 -m venv .venv

Activate virtual environment:

source .venv/bin/activate

Install requirements:

pip install -r requirements.txt

Configure environment:

echo FLASK_ENV=development >.flaskenv

Start local service:

python src/server.py

Usage

Run standalone application:

python src/server.py

Login: http://127.0.0.1:5017/login
