密钥掩蔽的flask-OIDC-oidc_callback默认回调不起作用

2022-03-27 00:00:00 python flask keycloak flask-oauthlib

问题描述

我正在尝试在一个简单的烧瓶应用程序中使用flask-oidc,以便通过密钥罩添加身份验证。

但是,一旦我使用有效凭据登录,它就会返回到不存在的/oidc_callback。

烧瓶日志显示多次重定向尝试,结果代码为302:

127.0.0.1 - - [26/Nov/2018 10:56:54] "GET /oidc_callback?state=eyJjc3JmX3Rva2VuIjogIlluRDc0UUVLVGhRRkw5TGtuRU9RZGprNTBheVk1cERkIiwgImRlc3RpbmF0aW9uIjogImV5SmhiR2NpT2lKSVV6STFOaUo5LkltaDBkSEE2THk5c2IyTmhiR2h2YzNRNk5UQXdNUzlzYjJkcGJpSS50MVVCRUszbFBxSmZRSzkzMHB5UktBNUZibmNtU0h6TElLblgweXgtTElJIn0%3D&session_state=96eb0bd8-a4a3-49a5-a00c-f4d621cd68e0&code=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..T5U8hwYX2ot7Llzo39-cyw.4r-lLPZ1So1j4jPqfVwW5zKgtFjMR_f38ls71SwyqrwLVnE-OfZIi0O74pgzNLQEhxFu2nT-o-7_iNuqv5EIHuaIk_mp-xAY7TlaCViM9NvEDvs78iTTmLwPHsDI20SWuPS08K1wING9CXjhZLudLsBAoWRomFHGfDI_Xyd90lb0wWa73vgcMoeatlt1sEbJTo7XxuDBg-JvyzGfqclvuh5bk848q-07tkDsTKETIK-0wLxb-vUaoqkYmqRVQ3-p.PP0YzjGpjvIqCTNCk3IZTQ HTTP/1.1" 302 -
127.0.0.1 - - [26/Nov/2018 10:56:54] "GET /login HTTP/1.1" 302 -
127.0.0.1 - - [26/Nov/2018 10:56:54] "GET /oidc_callback?state=eyJjc3JmX3Rva2VuIjogIlluRDc0UUVLVGhRRkw5TGtuRU9RZGprNTBheVk1cERkIiwgImRlc3RpbmF0aW9uIjogImV5SmhiR2NpT2lKSVV6STFOaUo5LkltaDBkSEE2THk5c2IyTmhiR2h2YzNRNk5UQXdNUzlzYjJkcGJpSS50MVVCRUszbFBxSmZRSzkzMHB5UktBNUZibmNtU0h6TElLblgweXgtTElJIn0%3D&session_state=96eb0bd8-a4a3-49a5-a00c-f4d621cd68e0&code=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..JpVESxYMF7ApS07y_cOxmA.FRX0kTvi_YvRTYnA8OVmkuEHDrVr8cf9Xa9zk2KfXovb4f9vpz6oIcuqjM-EYVfC5PVLYObhVQWW9HZW4Omcewpp-t9M2z7YRZqMAuyeYAsN7_uctScoh6Q634YDSlXiyXnQ81zg3VwVC_C3pWjVnlm8ZLKb5mRAnMDe4li3FXj9OYWlzJu3Ti18TOw2ig2eB0H0D-jdMcMS4Y8CtLOX_IEKQs6f6IXgl6jpo7uDYvKnwQ11zVaX-Bvw8oan79M2.ZwuIdSCc4QYv2imcbp2Tig HTTP/1.1" 302 -
127.0.0.1 - - [26/Nov/2018 10:56:54] "GET /login HTTP/1.1" 302 -
127.0.0.1 - - [26/Nov/2018 10:56:54] "GET /oidc_callback?state=eyJjc3JmX3Rva2VuIjogIlluRDc0UUVLVGhRRkw5TGtuRU9RZGprNTBheVk1cERkIiwgImRlc3RpbmF0aW9uIjogImV5SmhiR2NpT2lKSVV6STFOaUo5LkltaDBkSEE2THk5c2IyTmhiR2h2YzNRNk5UQXdNUzlzYjJkcGJpSS50MVVCRUszbFBxSmZRSzkzMHB5UktBNUZibmNtU0h6TElLblgweXgtTElJIn0%3D&session_state=96eb0bd8-a4a3-49a5-a00c-f4d621cd68e0&code=eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0..4SU_gWqEUykjTc78z47zYg.TzPRPlLCmJ7Ofzp5wHMwJam4pmc21_qo0p8bIpULbDE8Q39IESxSO2Sxqvxi67xnNXL90CqbG5uRt3k_2oDPzFUCjoNw0EDibiqSPlnuMNgizGSCXAyVV8DafMJqTGhnbHUUpGVqLzMosIlfwM14jhjXFick0GaC10TPFFdiGZdfVFZlSH95XtrGQ-e9dfgpvi5ioPhlQ1S9Eo9kqSh9WwhOCfGRZe9GNLNFtUT9YCPHHmLirRNLc5NiOdm-kH3L.2Mmopk3YJ0_AiCjk2ArKwQ HTTP/1.1" 302 -
...

尝试一段时间后,我在控制台中也出现此错误:

oauth2client.client.FlowExchangeError
oauth2client.client.FlowExchangeError: invalid_grantCode not valid

这是我的烧瓶应用代码:

import json
from flask import Flask, g
from flask_oidc import OpenIDConnect

app = Flask(__name__)

app.config.from_mapping(
        SECRET_KEY='b3d6a4b1-7f8d-4499-a1ae-6faa053d5b67',
        OIDC_CLIENT_SECRETS='./keycloak.json',
        OIDC_VALID_ISSUERS=['http://localhost:8090/auth/realms/myrealm'],
        OIDC_INTROSPECTION_AUTH_METHOD='client_secret_post',
        OIDC_TOKEN_TYPE_HINT='access_token',
    )

oidc = OpenIDConnect(app)


@app.route("/")
def hello():
    if oidc.user_loggedin:
        return 'Welcome %s' % oidc.user_getfield('email')
    else:
        return 'Not logged in'


@app.route('/login')
@oidc.require_login
def login():
    return 'Welcome %s' % oidc.user_getfield('email')


@app.route('/api')
@oidc.accept_token(require_token=True)
def my_api():
    return json.dumps('Welcome %s' % g.oidc_token_info['sub'])

这是我的keycloak.json:

{
  "web":
   {
     "client_id": "MyClient",
     "client_secret": "b3d6a4b1-7f8d-4499-a1ae-6faa053d5b67",
     "auth_uri": "http://localhost:8090/auth/realms/myrealm/protocol/openid-connect/auth",
     "token_uri": "http://localhost:8090/auth/realms/myrealm/protocol/openid-connect/token",
     "token_introspection_uri": "http://localhost:8090/auth/realms/myrealm/protocol/openid-connect/token/introspect",
     "realm": "myrealm",
     "ssl-required": "none",
     "resource": "MyClient"
   }
}

在我的Keycloak管理控制台中,我已经设置了我的客户端,据我所知,它能正确显示Keyloak登录屏幕是因为它按预期进行了配置,但是一旦执行登录,我就无法使应用程序工作。

我还尝试覆盖默认回调(顺便说一下,我不清楚是否必须实现它):

为此我添加了这个(取自文档):

OVERWRITE_REDIRECT_URI='http://localhost:5001/custom_callback'

@app.route('/custom_callback')
@oidc.custom_callback
def callback(data):
    return 'Hello. You submitted %s' % data

这是我的keycloak.json:

     "redirect_uris": [
         "http://localhost:5001/custom_callback"
     ],

但未能成功识别登录用户。虽然我在查询字符串中看到了状态变量..我应该怎么处理它?

我错过了什么?

我是否应该实现自定义回调?在这种情况下,有没有人能举个例子,说明如何让我的Fask应用程序识别登录的用户?

提前感谢!


解决方案

问题在于IAT检查。如果发布时间(必须小于到期时间)大于当前时间,则此检查将允许连接;否则,此检查将返回FALSE并显示错误。因此,若要解决此问题,您需要设置""OIDC_CLOCK_SKEW""并创建访问者作用域Keyloak Side。

这里是代码的一部分:

# step 10: check iat
    if id_token['iat'] < (time.time() -
                          current_app.config['OIDC_CLOCK_SKEW']):
        logger.error('Token issued in the past')
        return False

我不知道这是好方法还是服务器/包问题,但它对我有效。因为不可能有发布时间>=CURRENT_TIME,对吗?

我的配置:

app.config.update({
    'DEBUG': True,
    'TESTING': True,
    'SECRET_KEY': 'testest',
    'OIDC_CLIENT_SECRETS': 'client_secrets.json',
    'OIDC_ID_TOKEN_COOKIE_SECURE': False,
    'OIDC_REQUIRE_VERIFIED_EMAIL': False,
    'OIDC_USER_INFO_ENABLED': True,
    'OIDC_OPENID_REALM': 'fake_realm',
    'OIDC_SCOPES': ['openid', 'email', 'profile'],
    'OIDC_INTROSPECTION_AUTH_METHOD': 'client_secret_post',
    'OIDC_RESOURCE_CHECK_AUD': True, #Audience
    'OIDC_CLOCK_SKEW': 560 #iat must be > time.time() - OIDC_CLOCK_SKEW
}) 

我放在这里是为了帮助其他人解决:)

编辑:

在您的示例中,另外您还需要将"redirect_uri"添加到您的json中,如下所示:(它必须与keyloak端的URI相同)

{
    "web": {
        "issuer": "https://{server_name}/auth/realms/fake_realm",
        "auth_uri": "https://{server_name}/auth/realms/fake_realm/protocol/openid-connect/auth",
        "client_id": "fake_realm",
        "client_secret": "ac981e95-f97b-******-*******-*****",
        "redirect_uris": [
            "http://localhost:5000/oidc_callback"
        ],
        "userinfo_uri": "https://{server_name}/auth/realms/fake_realm/protocol/openid-connect/userinfo",
        "token_uri": "https://{server_name}/auth/realms/fake_realm/protocol/openid-connect/token",
        "token_introspection_uri": "https://{server_name}/auth/realms/fake_realm/protocol/openid-connect/token/introspect"
    }
}

相关文章