keycloak-collective-portal/keycloak_collective_portal.py

"""Community Keycloak SSO user management."""

from os import environ

from authlib.integrations.starlette_client import OAuth, OAuthError
from fastapi import FastAPI, Request
from fastapi.responses import HTMLResponse, RedirectResponse
from fastapi.templating import Jinja2Templates
from httpx import get
from starlette.middleware.sessions import SessionMiddleware

APP_SECRET_KEY = environ.get("APP_SECRET_KEY")
KEYCLOAK_CLIENT_ID = environ.get("KEYCLOAK_CLIENT_ID")
KEYCLOAK_CLIENT_SECRET = environ.get("KEYCLOAK_CLIENT_SECRET")
KEYCLOAK_DOMAIN = environ.get("KEYCLOAK_DOMAIN")
KEYCLOAK_REALM = environ.get("KEYCLOAK_REALM")

app = FastAPI()
app.add_middleware(SessionMiddleware, secret_key=APP_SECRET_KEY)
templates = Jinja2Templates(directory="templates")

BASE_URL = f"https://{KEYCLOAK_DOMAIN}/auth/realms/{KEYCLOAK_REALM}/protocol/openid-connect"

oauth = OAuth()
oauth.register(
    name="keycloak",
    client_kwargs={"scope": "openid profile email"},
    client_id=KEYCLOAK_CLIENT_ID,
    client_secret=KEYCLOAK_CLIENT_SECRET,
    authorize_url=f"{BASE_URL}/auth",
    access_token_url=f"{BASE_URL}/token",
    jwks_uri=f"{BASE_URL}/certs",
)


@app.get("/", response_class=HTMLResponse)
async def home(request: Request):
    user = request.session.get("user")
    if user:
        return templates.TemplateResponse(
            "admin.html", context={"request": request, "user": user}
        )
    return RedirectResponse(request.url_for("login"))


@app.get("/login", response_class=HTMLResponse)
async def login(request: Request):
    return templates.TemplateResponse(
        "login.html", context={"request": request}
    )


@app.get("/login/keycloak")
async def login_keycloak(request: Request):
    redirect_uri = request.url_for("auth_keycloak")
    return await oauth.keycloak.authorize_redirect(request, redirect_uri)


@app.get("/auth/keycloak")
async def auth_keycloak(request: Request):
    try:
        token = await oauth.keycloak.authorize_access_token(request)
        user = await oauth.keycloak.parse_id_token(request, token)
        request.session["user"] = dict(user)
        return RedirectResponse(request.url_for("home"))
    except Exception as exception:
        return HTMLResponse(f"<h1>{str(exception)}</h1>")


@app.route("/logout")
async def logout(request: Request):
    request.session.pop("user", None)
    get(f"{BASE_URL}/logout")
    return RedirectResponse(request.url_for("login"))
Init this thing 2021-06-11 11:32:41 +00:00			`"""Community Keycloak SSO user management."""`

First run at the keycloak login 2021-06-11 13:58:28 +00:00			`from os import environ`

			`from authlib.integrations.starlette_client import OAuth, OAuthError`
Templates support 2021-06-11 12:14:04 +00:00			`from fastapi import FastAPI, Request`
Basic login redirect 2021-06-11 12:23:13 +00:00			`from fastapi.responses import HTMLResponse, RedirectResponse`
Templates support 2021-06-11 12:14:04 +00:00			`from fastapi.templating import Jinja2Templates`
Support logging in and out 2021-06-11 20:28:43 +00:00			`from httpx import get`
Basic login redirect 2021-06-11 12:23:13 +00:00			`from starlette.middleware.sessions import SessionMiddleware`
Init this thing 2021-06-11 11:32:41 +00:00
First run at the keycloak login 2021-06-11 13:58:28 +00:00			`APP_SECRET_KEY = environ.get("APP_SECRET_KEY")`
			`KEYCLOAK_CLIENT_ID = environ.get("KEYCLOAK_CLIENT_ID")`
			`KEYCLOAK_CLIENT_SECRET = environ.get("KEYCLOAK_CLIENT_SECRET")`
Fixup URL handling 2021-06-11 14:39:22 +00:00			`KEYCLOAK_DOMAIN = environ.get("KEYCLOAK_DOMAIN")`
			`KEYCLOAK_REALM = environ.get("KEYCLOAK_REALM")`
First run at the keycloak login 2021-06-11 13:58:28 +00:00
Init this thing 2021-06-11 11:32:41 +00:00			`app = FastAPI()`
First run at the keycloak login 2021-06-11 13:58:28 +00:00			`app.add_middleware(SessionMiddleware, secret_key=APP_SECRET_KEY)`
Templates support 2021-06-11 12:14:04 +00:00			`templates = Jinja2Templates(directory="templates")`
Init this thing 2021-06-11 11:32:41 +00:00
Support logging in and out 2021-06-11 20:28:43 +00:00			`BASE_URL = f"https://{KEYCLOAK_DOMAIN}/auth/realms/{KEYCLOAK_REALM}/protocol/openid-connect"`

First run at the keycloak login 2021-06-11 13:58:28 +00:00			`oauth = OAuth()`
			`oauth.register(`
			`name="keycloak",`
Get rid of that 2021-06-11 16:30:03 +00:00			`client_kwargs={"scope": "openid profile email"},`
First run at the keycloak login 2021-06-11 13:58:28 +00:00			`client_id=KEYCLOAK_CLIENT_ID,`
			`client_secret=KEYCLOAK_CLIENT_SECRET,`
Support logging in and out 2021-06-11 20:28:43 +00:00			`authorize_url=f"{BASE_URL}/auth",`
			`access_token_url=f"{BASE_URL}/token",`
			`jwks_uri=f"{BASE_URL}/certs",`
First run at the keycloak login 2021-06-11 13:58:28 +00:00			`)`

Init this thing 2021-06-11 11:32:41 +00:00
Templates support 2021-06-11 12:14:04 +00:00			`@app.get("/", response_class=HTMLResponse)`
			`async def home(request: Request):`
Basic login redirect 2021-06-11 12:23:13 +00:00			`user = request.session.get("user")`
			`if user:`
			`return templates.TemplateResponse(`
Support logging in and out 2021-06-11 20:28:43 +00:00			`"admin.html", context={"request": request, "user": user}`
Basic login redirect 2021-06-11 12:23:13 +00:00			`)`
Support logging in and out 2021-06-11 20:28:43 +00:00			`return RedirectResponse(request.url_for("login"))`


			`@app.get("/login", response_class=HTMLResponse)`
			`async def login(request: Request):`
			`return templates.TemplateResponse(`
			`"login.html", context={"request": request}`
			`)`
First run at the keycloak login 2021-06-11 13:58:28 +00:00

			`@app.get("/login/keycloak")`
			`async def login_keycloak(request: Request):`
Revert "Attempt to rework url_for" This reverts commit 3ad0cef90ffb2a614fca02d865b1ec92cf2ae53b. 2021-06-11 17:44:19 +00:00			`redirect_uri = request.url_for("auth_keycloak")`
First run at the keycloak login 2021-06-11 13:58:28 +00:00			`return await oauth.keycloak.authorize_redirect(request, redirect_uri)`


Use more specific URL for keycloak 2021-06-11 16:14:34 +00:00			`@app.get("/auth/keycloak")`
Use matching identifiers 2021-06-11 16:15:50 +00:00			`async def auth_keycloak(request: Request):`
First run at the keycloak login 2021-06-11 13:58:28 +00:00			`try:`
Use request again and catch all errors 2021-06-11 15:28:37 +00:00			`token = await oauth.keycloak.authorize_access_token(request)`
			`user = await oauth.keycloak.parse_id_token(request, token)`
			`request.session["user"] = dict(user)`
Revert "Attempt to rework url_for" This reverts commit 3ad0cef90ffb2a614fca02d865b1ec92cf2ae53b. 2021-06-11 17:44:19 +00:00			`return RedirectResponse(request.url_for("home"))`
Use request again and catch all errors 2021-06-11 15:28:37 +00:00			`except Exception as exception:`
			`return HTMLResponse(f"<h1>{str(exception)}</h1>")`
Basic login redirect 2021-06-11 12:23:13 +00:00

First run at the keycloak login 2021-06-11 13:58:28 +00:00			`@app.route("/logout")`
			`async def logout(request: Request):`
			`request.session.pop("user", None)`
Support logging in and out 2021-06-11 20:28:43 +00:00			`get(f"{BASE_URL}/logout")`
			`return RedirectResponse(request.url_for("login"))`