swh/auth/keycloak.py
# Copyright (C) 2020-2021 The Software Heritage developers | # Copyright (C) 2020-2022 The Software Heritage developers | ||||
# See the AUTHORS file at the top-level directory of this distribution | # See the AUTHORS file at the top-level directory of this distribution | ||||
# License: GNU Affero General Public License version 3, or any later version | # License: GNU Affero General Public License version 3, or any later version | ||||
# See top-level LICENSE file for more information | # See top-level LICENSE file for more information | ||||
import json | import json | ||||
from typing import Any, Dict, Optional | from typing import Any, Dict, Optional | ||||
from urllib.parse import urlencode | from urllib.parse import parse_qs, urlencode, urlparse, urlunparse | ||||
# add ExpiredSignatureError alias to avoid leaking jose import | # add ExpiredSignatureError alias to avoid leaking jose import | ||||
# in swh-auth client code | # in swh-auth client code | ||||
from jose.jwt import ExpiredSignatureError # noqa | from jose.jwt import ExpiredSignatureError # noqa | ||||
from keycloak import KeycloakOpenID | from keycloak import KeycloakOpenID | ||||
# add KeycloakError alias to avoid leaking keycloak import | # add KeycloakError alias to avoid leaking keycloak import | ||||
# in swh-auth client code | # in swh-auth client code | ||||
▲ Show 20 Lines • Show All 65 Lines • ▼ Show 20 Lines | def authorization_url(self, redirect_uri: str, **extra_params: str) -> str: | ||||
Get OpenID Connect authorization URL to authenticate users. | Get OpenID Connect authorization URL to authenticate users. | ||||
Args: | Args: | ||||
redirect_uri: URI to redirect to once a user is authenticated | redirect_uri: URI to redirect to once a user is authenticated | ||||
extra_params: Extra query parameters to add to the | extra_params: Extra query parameters to add to the | ||||
authorization URL | authorization URL | ||||
""" | """ | ||||
auth_url = self._keycloak.auth_url(redirect_uri) | auth_url = self._keycloak.auth_url(redirect_uri) | ||||
if extra_params: | # scope and state query parameters are now handled by auth_url method | ||||
auth_url += "&%s" % urlencode(extra_params) | # since python-keycloak 1.8.1, | ||||
# code below ensures those will be overridden if provided in extra_params | |||||
# TODO: remove that code and pass scope and state params to auth_url method | |||||
# once we use python-keycloak >= 1.8.1 in production | |||||
parsed_auth_url = urlparse(auth_url) | |||||
auth_url_qs = parse_qs(parsed_auth_url.query) | |||||
auth_url_qs.update({k: [v] for k, v in extra_params.items()}) | |||||
auth_url = urlunparse( | |||||
parsed_auth_url._replace(query=urlencode(auth_url_qs, doseq=True)) | |||||
) | |||||
return auth_url | return auth_url | ||||
vlorentz: slightly simpler IMO | |||||
anlambert: right, thanks !
def authorization_code( | def authorization_code( | ||||
self, code: str, redirect_uri: str, **extra_params: str | self, code: str, redirect_uri: str, **extra_params: str | ||||
) -> Dict[str, Any]: | ) -> Dict[str, Any]: | ||||
""" | """ | ||||
Get OpenID Connect authentication tokens using Authorization | Get OpenID Connect authentication tokens using Authorization | ||||
Code flow. | Code flow. | ||||
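Review bot: In `authorization_url`, the merge `auth_url_qs.update({k: [v] for k, v in extra_params.items()})` lets `extra_params` replace any parameter already in the URL, not only `scope` and `state` as the comment above it says. Standard OIDC parameters such as `redirect_uri`, `client_id` and `response_type`, presumably set by `auth_url`, would be overridden just as silently, and the docstring still describes `extra_params` as parameters "to add". If a caller ever forwards request-derived values into `extra_params`, this changes where the authorization code is delivered, so I would refuse those keys before the update, e.g. `if {"redirect_uri", "client_id", "response_type"} & extra_params.keys(): raise ValueError("reserved OIDC parameter in extra_params")`. At minimum the docstring should state that `extra_params` take precedence over parameters produced by `auth_url`. Separately, `parse_qs` drops blank values by default, so an empty parameter emitted by `auth_url` vanishes from the rebuilt URL unless `keep_blank_values=True` is passed; worth confirming that this is intended.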
slightly simpler IMO