zamzterz/Flask-pyoidc

Decorator for validating token

Closed this issue · 9 comments

Hello,

I would like to know if there is a separate decorator for validating the token?
or is the use of @auth.oidc_auth dual purpose?

Login and logout with browser works perfectly however, I am not able to test the API using Postman.
Steps

Logged in (using browser), received the token
Copied the token to Postman 'Auth' to be used as a 'Bearer'
Called a resource (API) with '@auth.oidc_auth(default)' decorator - Postman returned the HTML page as it requires the login process again (probably discarded the access token)
Please let me know.

Thank you.

Currently this framework doesn't support token authorization.
It only deals with user authentication using OpenID Connect, resulting in a session cookie. To recognize the user as logged in, it requires that cookie and not the token.

Passing an access token to an API endpoint is more related to authorization (and OAuth). It would require using a provider which supports token introspection, but could be added to this lib fairly easily I think.

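The gap the maintainer describes above is the point of this whole issue: the extension recognises a logged-in user by session cookie, so an API call carrying `Authorization: Bearer <token>` falls through to the login redirect. The block below is an added example, not flask-pyoidc code, of the missing piece: checking a bearer access token at the resource server through OAuth 2.0 Token Introspection (RFC 7662) and answering with a 401/403 challenge instead of a 302. To run stand-alone (without Flask installed) it models a request as a plain headers dict and returns `(status, body)`; in a Flask view the same logic would read `request.headers` and `abort()`. The decorator name `bearer_required`, the introspection URL, the client credentials and the token strings are illustrative, and the introspection responses are constructed, not captured from a real provider.

```python
"""Bearer-token authorization for an API endpoint via RFC 7662 introspection.
Added example; the decorator, URL and token values are hypothetical."""
import base64
import json
import time
import urllib.parse
import urllib.request
from functools import wraps


def parse_bearer(authorization):
    """Return the token from 'Authorization: Bearer <token>' (RFC 6750), else None."""
    if not authorization:
        return None
    scheme, _, token = authorization.strip().partition(" ")
    token = token.strip()
    if scheme.lower() != "bearer" or not token or " " in token:
        return None
    return token


def _post_form(url, headers, body):
    """Default transport: a real HTTPS POST to the provider."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")


def introspect(token, introspection_url, client_id, client_secret, post=_post_form):
    """POST the token to the provider's introspection endpoint (RFC 7662).
    The resource server authenticates itself with HTTP Basic client credentials;
    `post` is injectable so the exchange can be exercised offline."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": "Basic " + basic,
               "Content-Type": "application/x-www-form-urlencoded",
               "Accept": "application/json"}
    body = urllib.parse.urlencode({"token": token, "token_type_hint": "access_token"}).encode()
    return json.loads(post(introspection_url, headers, body))


def evaluate(claims, required_scope=None, audience=None, now=None):
    """Decide whether an introspection response authorizes the call.
    Returns (ok, error) with error being an RFC 6750 error code."""
    now = time.time() if now is None else now
    if not claims.get("active"):            # revoked, unknown, or expired at the provider
        return False, "invalid_token"
    exp = claims.get("exp")
    if exp is not None and now >= exp:      # defensive: provider should already say active=false
        return False, "invalid_token"
    if audience is not None:
        aud = claims.get("aud", [])
        aud = [aud] if isinstance(aud, str) else aud
        if audience not in aud:             # token was minted for a different API
            return False, "invalid_token"
    if required_scope is not None and required_scope not in set(claims.get("scope", "").split()):
        return False, "insufficient_scope"
    return True, None


def bearer_required(introspector, required_scope=None, audience=None, clock=time.time):
    """Decorator for view(headers, ...) -> (status, body). `introspector(token)` returns the
    introspection claims, e.g. a partial of introspect() bound to the provider's URL and
    the resource server's own client credentials."""
    def decorator(view):
        @wraps(view)
        def wrapper(headers, *args, **kwargs):
            token = parse_bearer(headers.get("Authorization"))
            if token is None:
                # No usable credential: challenge the client, never redirect to a login page
                return 401, {"error": "invalid_request", "WWW-Authenticate": 'Bearer realm="api"'}
            ok, err = evaluate(introspector(token), required_scope, audience, clock())
            if not ok:
                status = 403 if err == "insufficient_scope" else 401
                return status, {"error": err,
                                "WWW-Authenticate": f'Bearer realm="api", error="{err}"'}
            return view(headers, *args, **kwargs)
        return wrapper
    return decorator


# --- constructed demo data: what a provider's introspection endpoint might return ---
FAKE_INTROSPECTION = {
    "good":    {"active": True, "exp": 2_000_000_000, "aud": "my-api", "scope": "openid profile read"},
    "narrow":  {"active": True, "exp": 2_000_000_000, "aud": "my-api", "scope": "openid"},
    "revoked": {"active": False},
}


def fake_post(url, headers, body):
    """Offline stand-in for the provider, so introspect() can run without a network."""
    form = dict(urllib.parse.parse_qsl(body.decode()))
    return json.dumps(FAKE_INTROSPECTION.get(form["token"], {"active": False}))


def fake_introspector(token):
    return introspect(token, "https://idp.example/introspect", "my-api", "secret", post=fake_post)


@bearer_required(fake_introspector, required_scope="read", audience="my-api",
                 clock=lambda: 1_700_000_000)
def get_resource(headers):
    return 200, {"data": "hello"}
```

Two design points are worth noting. Scope failures return 403 with `error="insufficient_scope"` while missing, revoked, expired or wrong-audience tokens return 401 with `error="invalid_token"`, which is the split RFC 6750 prescribes and what a client like Postman needs to tell "log in again" from "ask for a broader scope". And the audience check matters even when introspection says `active: true`: a token issued for another API at the same provider is live but should still be refused here.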
@zamzterz Thanks for the response. Can I take this task?

Please do! And let me know if you need any help.

@zamzterz will do. Thanks!

Closing this due to inactivity, please re-open if the use case is still applicable.

I'm in the same situation right now. I have REST API endpoints that I've decorated with @auth.oidc_auth('default') using Authorization Code Flow. But another microservice cannot access the endpoints because it redirects them with a 302 to the Identity Provider's Authorization Endpoint.

Now this all looks good when you are accessing the endpoints using a browser, in which the user can simply sign in to the Identity Provider, but microservices won't understand that.

Is there a way to streamline this process without a browser? Identity Providers like Keycloak allow signing in via an API as well. So instead of visiting a URL in the browser, it takes client_id, response_type, username, password, scope, redirect_uri, state and optionally nonce in the API call and returns the authorization code.

@infohash That sounds like the resource owner password flow which is not recommended in general deployments (see for example here), hence it's not supported in this extension.

If you really need to use it I recommend you implement it outside this extension.
However, you could potentially use some of the non-public methods from this extension to help you:

auth.init_app(app) # OIDCAuthentication must be initialised before

# client_id and client_secret are automatically injected by the client
token_request = {
    'grant_type': 'password',
    'username': username,
    'password': password,
    'scope': scope
}
# _token_request is a non-public method of the extension's client wrapper
token_response = auth.clients['default']._token_request(token_request)

or use the underlying library pyoidc directly.

I'm using Authorization Code Flow which is a default flow in Keycloak and flask-pyoidc.

Is it possible to get authorization_code in OAuth 2.0 without web browser

As you are using authorization code flow, the client requires a user agent (i.e. a browser or mobile app) to get the authorization code from the authorization server.

While reading about ROPC, I came to know about the Client Credentials Flow, which is browserless, but this is more of an OAuth2 authorization than an OIDC implementation. Is it possible to use flask-pyoidc with some other flows?

@infohash If you're using the standard Authorization Code Flow, then as your quote says, you will need to have a user agent involved.

The client credentials flow is only for API access between services.
This extension currently doesn't support that and only deals with user authentication.