|
|
|
@ -24,14 +24,14 @@ from flask import (
|
|
|
|
session,
|
|
|
|
session,
|
|
|
|
url_for,
|
|
|
|
url_for,
|
|
|
|
)
|
|
|
|
)
|
|
|
|
from flask.ext.login import (
|
|
|
|
# from flask.ext.login import (
|
|
|
|
LoginManager,
|
|
|
|
# LoginManager,
|
|
|
|
UserMixin,
|
|
|
|
# UserMixin,
|
|
|
|
current_user,
|
|
|
|
# current_user,
|
|
|
|
login_required,
|
|
|
|
# login_required,
|
|
|
|
login_user,
|
|
|
|
# login_user,
|
|
|
|
logout_user,
|
|
|
|
# logout_user,
|
|
|
|
)
|
|
|
|
# )
|
|
|
|
from flask_bootstrap import Bootstrap
|
|
|
|
from flask_bootstrap import Bootstrap
|
|
|
|
from saml2 import (
|
|
|
|
from saml2 import (
|
|
|
|
BINDING_HTTP_POST,
|
|
|
|
BINDING_HTTP_POST,
|
|
|
|
@ -52,6 +52,7 @@ import requests
|
|
|
|
metadata_url_for = {
|
|
|
|
metadata_url_for = {
|
|
|
|
# For testing with http://saml.oktadev.com use the following:
|
|
|
|
# For testing with http://saml.oktadev.com use the following:
|
|
|
|
# 'test': 'http://idp.oktadev.com/metadata',
|
|
|
|
# 'test': 'http://idp.oktadev.com/metadata',
|
|
|
|
|
|
|
|
'keycloak': 'https://auth.labcode.de/auth/realms/test/protocol/saml/descriptor'
|
|
|
|
# WARNING WARNING WARNING
|
|
|
|
# WARNING WARNING WARNING
|
|
|
|
# You MUST remove the testing IdP from a production system,
|
|
|
|
# You MUST remove the testing IdP from a production system,
|
|
|
|
# as the testing IdP will allow ANYBODY to log in as ANY USER!
|
|
|
|
# as the testing IdP will allow ANYBODY to log in as ANY USER!
|
|
|
|
@ -61,8 +62,8 @@ metadata_url_for = {
|
|
|
|
app = Flask(__name__)
|
|
|
|
app = Flask(__name__)
|
|
|
|
Bootstrap(app)
|
|
|
|
Bootstrap(app)
|
|
|
|
app.secret_key = str(uuid.uuid4()) # Replace with your secret key
|
|
|
|
app.secret_key = str(uuid.uuid4()) # Replace with your secret key
|
|
|
|
login_manager = LoginManager()
|
|
|
|
# login_manager = LoginManager()
|
|
|
|
login_manager.setup_app(app)
|
|
|
|
# login_manager.setup_app(app)
|
|
|
|
logging.basicConfig(level=logging.DEBUG)
|
|
|
|
logging.basicConfig(level=logging.DEBUG)
|
|
|
|
# NOTE:
|
|
|
|
# NOTE:
|
|
|
|
# This is implemented as a dictionary for DEMONSTRATION PURPOSES ONLY.
|
|
|
|
# This is implemented as a dictionary for DEMONSTRATION PURPOSES ONLY.
|
|
|
|
@ -94,6 +95,7 @@ def saml_client_for(idp_name=None):
|
|
|
|
rv = requests.get(metadata_url_for[idp_name])
|
|
|
|
rv = requests.get(metadata_url_for[idp_name])
|
|
|
|
|
|
|
|
|
|
|
|
settings = {
|
|
|
|
settings = {
|
|
|
|
|
|
|
|
'entityid': 'pysaml',
|
|
|
|
'metadata': {
|
|
|
|
'metadata': {
|
|
|
|
'inline': [rv.text],
|
|
|
|
'inline': [rv.text],
|
|
|
|
},
|
|
|
|
},
|
|
|
|
@ -126,7 +128,7 @@ def saml_client_for(idp_name=None):
|
|
|
|
return saml_client
|
|
|
|
return saml_client
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
class User(UserMixin):
|
|
|
|
class User():
|
|
|
|
def __init__(self, user_id):
|
|
|
|
def __init__(self, user_id):
|
|
|
|
user = {}
|
|
|
|
user = {}
|
|
|
|
self.id = None
|
|
|
|
self.id = None
|
|
|
|
@ -140,10 +142,10 @@ class User(UserMixin):
|
|
|
|
except:
|
|
|
|
except:
|
|
|
|
pass
|
|
|
|
pass
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#
|
|
|
|
@login_manager.user_loader
|
|
|
|
# @login_manager.user_loader
|
|
|
|
def load_user(user_id):
|
|
|
|
# def load_user(user_id):
|
|
|
|
return User(user_id)
|
|
|
|
# return User(user_id)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@app.route("/")
|
|
|
|
@app.route("/")
|
|
|
|
@ -160,18 +162,25 @@ def idp_initiated(idp_name):
|
|
|
|
authn_response.get_identity()
|
|
|
|
authn_response.get_identity()
|
|
|
|
user_info = authn_response.get_subject()
|
|
|
|
user_info = authn_response.get_subject()
|
|
|
|
username = user_info.text
|
|
|
|
username = user_info.text
|
|
|
|
|
|
|
|
print('#'*30)
|
|
|
|
|
|
|
|
print('uinfou', user_info)
|
|
|
|
|
|
|
|
print('username', username)
|
|
|
|
|
|
|
|
print('#'*30)
|
|
|
|
|
|
|
|
print('authn',authn_response)
|
|
|
|
|
|
|
|
|
|
|
|
# This is what as known as "Just In Time (JIT) provisioning".
|
|
|
|
# This is what as known as "Just In Time (JIT) provisioning".
|
|
|
|
# What that means is that, if a user in a SAML assertion
|
|
|
|
# What that means is that, if a user in a SAML assertion
|
|
|
|
# isn't in the user store, we create that user first, then log them in
|
|
|
|
# isn't in the user store, we create that user first, then log them in
|
|
|
|
if username not in user_store:
|
|
|
|
if username not in user_store:
|
|
|
|
|
|
|
|
print('#'*30)
|
|
|
|
|
|
|
|
print('AVA',authn_response.ava)
|
|
|
|
user_store[username] = {
|
|
|
|
user_store[username] = {
|
|
|
|
'first_name': authn_response.ava['FirstName'][0],
|
|
|
|
'first_name': authn_response.ava.get('FirstName',[''])[0],
|
|
|
|
'last_name': authn_response.ava['LastName'][0],
|
|
|
|
'last_name': authn_response.ava.get('LastName',[''])[0],
|
|
|
|
}
|
|
|
|
}
|
|
|
|
user = User(username)
|
|
|
|
user = User(username)
|
|
|
|
session['saml_attributes'] = authn_response.ava
|
|
|
|
session['saml_attributes'] = authn_response.ava
|
|
|
|
login_user(user)
|
|
|
|
# login_user(user)
|
|
|
|
url = url_for('user')
|
|
|
|
url = url_for('user')
|
|
|
|
# NOTE:
|
|
|
|
# NOTE:
|
|
|
|
# On a production system, the RelayState MUST be checked
|
|
|
|
# On a production system, the RelayState MUST be checked
|
|
|
|
@ -205,9 +214,10 @@ def sp_initiated(idp_name):
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@app.route("/user")
|
|
|
|
@app.route("/user")
|
|
|
|
@login_required
|
|
|
|
# @login_required
|
|
|
|
def user():
|
|
|
|
def user():
|
|
|
|
return render_template('user.html', session=session)
|
|
|
|
pass
|
|
|
|
|
|
|
|
# return render_template('main_page.html', session=session)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@app.errorhandler(401)
|
|
|
|
@app.errorhandler(401)
|
|
|
|
@ -216,7 +226,7 @@ def error_unauthorized(error):
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
@app.route("/logout")
|
|
|
|
@app.route("/logout")
|
|
|
|
@login_required
|
|
|
|
# @login_required
|
|
|
|
def logout():
|
|
|
|
def logout():
|
|
|
|
logout_user()
|
|
|
|
logout_user()
|
|
|
|
return redirect(url_for("main_page"))
|
|
|
|
return redirect(url_for("main_page"))
|
|
|
|
|
