Open macmule opened 4 years ago
And.. I’m holding it wrong.
Moving to a simple app showed that the issue is in my @app.before_request as I need to be somewhat selective.
Nothing to do with this fine module that has served me well for years.
Sorry, me again.. below is a little example:
from datetime import datetime
from flask import Flask, g, redirect, session, url_for
from flask_admin import Admin
from flask_admin.base import MenuLink
from flask_oidc import OpenIDConnect
from okta import UsersClient
app = Flask(__name__)
app.config['OIDC_CLIENT_SECRETS'] = 'client_secrets.json'
app.config['OIDC_COOKIE_SECURE'] = False
app.config['OIDC_CALLBACK_ROUTE'] = '/oidc/callback'
app.config['OIDC_SCOPES'] = ['openid', 'email', 'profile']
app.config['SECRET_KEY'] = SOME_KEY
oidc = OpenIDConnect(app)
okta_client = UsersClient(ORG URL, AUTH_TOKEN)
admin = Admin(app, name='flask-okta', template_mode='bootstrap3')
#@admin.before_request
@app.before_request
def before_request():
g.user = None
if oidc.user_loggedin:
print(oidc)
g.user = okta_client.get_user(oidc.user_getfield('email'))
print(g.user)
print(oidc.get_access_token())
else:
g.user = None
@app.route('/')
@app.route('/admin')
@app.route('/admin/')
@oidc.require_login
def index():
return 'Welcome'
@app.route('/greet')
@oidc.require_login
def greet():
time = datetime.now().hour
if time >= 0 and time < 12:
return 'Good Morning!'
elif time >= 12 and time < 16:
return 'Good Afternoon!'
else:
return 'Good Evening!'
@oidc.require_login
def login():
return redirect(url_for('.greet'))
@app.route('/logout')
def logout():
oidc.logout()
return redirect(url_for('.index'))
The @app.before_request is what I want to add for Admin, but @admin.before_request doesn't work.. any pointers?
If this still the best method? https://github.com/flask-admin/flask-admin/pull/237#issuecomment-18726857
I had to do quite the same thing very recently, so I provided an example in #1998 . It takes a radically different approach than what your blog post suggests, but it benefits from flask-security/flask-login built-in features, which I believe is much better than what pyoidc offers.
@guillp thanks!
So I can likely drop all the db parts right? I'll try that anyways
No luck so far, had to add requests
& LoginManager
to flask_login
so far
Must be doing something wrong, now hitting:
RecursionError: maximum recursion depth exceeded
Ok, trashed it & progress.. thanks again @guillp.. will report back
@guillp thanks!
So I can likely drop all the db parts right? I'll try that anyways
Depending on your requirements regarding authorization in your app, you might need the DB to store at least Roles anyway. If you don't need to have fine-grained permissions you can probably use Flask-Login only instead of Flask-Security, and you don't have to store anything user related in DB; you can rely only on informations provided by the OIDC provider instead.
My example should work pretty much OOTB, all required modules are listed in examples/auth-authlib-oidc/requirements.txt
, you only need to set the client_id, client_secret and OIDC metadata url. If it doesn't, then let me know, I'll fix it.
In the end, got this working with flask-dance.
But thanks for the help @guillp.
Hit this once more, sadly.
Looks like @oidc.require_login
doesn't seem to work with the routes such as @app.route('/admin')
and @app.route('/admin/')
But does work for '/'
, so when folks navigate to '/'
they are prompted to auth, but not an /admin/
route
Hi folks,
Looking to add Okta auth to an app as per: https://www.fullstackpython.com/blog/add-user-authentication-flask-apps-okta.html
But the Admin routes seem to be bypassing the
before_request
, any ideas? (example below)Really want the whole site behind Okta auth.