improve oidc compatibility

This commit is contained in:
TuxCoder 2020-05-30 19:00:08 +02:00
parent 5826517111
commit 5e61029259
3 changed files with 11 additions and 37 deletions

View file

@ -1,35 +0,0 @@
from flask_sqlalchemy import SQLAlchemy, orm
from datetime import datetime
import uuid
import pyotp
db = SQLAlchemy() # type: SQLAlchemy
def generate_uuid():
return str(uuid.uuid4())
class User(db.Model):
id = db.Column(
db.String(length=36), primary_key=True, default=generate_uuid)
username = db.Column(
db.String, unique=True)
totps = db.relationship('Totp', back_populates='user')
class Totp(object):
id = db.Column(db.Integer, primary_key=True)
secret = db.Column(db.String, nullable=False)
name = db.Column(db.String, nullable=False)
created_at = db.Column(db.DateTime, default=datetime.now, nullable=False)
user_id = db.Column(
db.Integer,
db.ForeignKey(User.id), nullable=False)
user = db.relationship(User)
def verify(self, token: str):
totp = pyotp.TOTP(self._secret)
return totp.verify(token)

View file

@ -33,8 +33,10 @@ def consent():
consent_request = current_app.hydra_api.get_consent_request(
request.args['consent_challenge'])
requested_scope = consent_request.requested_scope
requested_audiences = consent_request.requested_access_token_audience
user = User.query.get(consent_request.subject)
if form.validate_on_submit() or consent_request.skip:
resp = current_app.hydra_api.accept_consent_request(
@ -43,6 +45,12 @@ def consent():
'grant_access_token_audience': requested_audiences,
'remember': form.data['remember'],
'remember_for': remember_for,
'session': {
'access_token': {},
'id_token': {
'preferd_username': user.username
}
}
})
return redirect(resp.redirect_to)
return render_template(
@ -105,7 +113,8 @@ def login_auth():
resp = current_app.hydra_api.accept_login_request(
login_challenge, body={
'subject': subject,
'remember': remember_me})
'remember': remember_me,
})
return redirect(resp.redirect_to)
return render_template('auth/login_auth.html.j2', forms=auth_forms)

View file

@ -26,7 +26,7 @@ logger = logging.getLogger(__name__)
def before_request():
try:
resp = current_app.oauth.session.get('/userinfo')
if not current_user.is_authenticated:
if not current_user.is_authenticated or resp.status_code is not 200:
return redirect(url_for('oauth.login'))
except TokenExpiredError:
return redirect(url_for('oauth.login'))