如何在 Flask-Appbuilder 中为 OAuth2.0 使用自定义提供程序 [keycloak]?
How do I use a Custom Provider [keycloak] for OAuth2.0 in Flask-Appbuilder?
我正在尝试将 keycloak 实施为 OAuth2.0 提供商。我拥有所有必要的 OAUTH_PROVIDER 信息,并且我已经声明了 AUTH_TYPE、AUTH_USER_REGISTRATION、AUTH_USER_REGISTRATION_ROLE (参见下面的代码)
AUTH_TYPE = AUTH_OAUTH
AUTH_USER_REGISTRATION = True
AUTH_USER_REGISTRATION_ROLE = "Public"
OAUTH_PROVIDERS = [
{
‘name’: ‘provider_name’,
‘icon’: ‘fa-icon’,
’token_key’: ‘access_token’,
‘remote_app’: {
‘base_url’: ‘https://www.base_url.com‘,
‘request_token_params’: {
‘scope’: ‘email profile’
},
‘request_token_url’: None,
‘access_token_url’: ‘https://www.access_token_url.com’,
‘authorize_url': ‘https://www.authorize_url.com',
‘consumer_key’: ‘PROVIDER_OAUTH_KEY’,
‘consumer_secret’: ‘PROVIDER_OAUTH_SECRET’
}
}
]
因为这是一个自定义提供程序(除了通常的 google、facebook、... 提供程序之外),在我的安全管理器中我已经覆盖了 get_oauth_user_info 在 flask-appbuilder manager.py
中声明的函数
def get_oauth_user_info(self, provider, response=None):
logging.debug("Oauth2 provider: {0}.".format(provider))
me = self.appbuilder.sm.oauth_remotes[provider].get("user")
logging.error(me)
return {
"preferred_username": me.data.get("preferred_username",""),
"first_name": me.data.get("given_name", ""),
"last_name": me.data.get("family_name", ""),
"email": me.data.get("email", "")
我希望将应用程序重定向到 keycloak 登录页面,但是 post 请求会引发以下错误:
DEBUG:flask_oauthlib:Request 'https://...' with 'POST' method
ERROR:flask_appbuilder.security.manager:User info does not have username or email {}
[2019-05-23 12:52:10,130] ERROR in app: Exception on /oauth-authorized/login [GET]
Traceback (most recent call last):
File "/usr/local/lib/python3.6/site-packages/flask/app.py", line 1982, in wsgi_app
response = self.full_dispatch_request()
File "/usr/local/lib/python3.6/site-packages/flask/app.py", line 1614, in full_dispatch_request
rv = self.handle_user_exception(e)
File "/usr/local/lib/python3.6/site-packages/flask/app.py", line 1517, in handle_user_exception
reraise(exc_type, exc_value, tb)
File "/usr/local/lib/python3.6/site-packages/flask/_compat.py", line 33, in reraise
raise value
File "/usr/local/lib/python3.6/site-packages/flask/app.py", line 1612, in full_dispatch_request
rv = self.dispatch_request()
File "/usr/local/lib/python3.6/site-packages/flask/app.py", line 1598, in dispatch_request
return self.view_functions[rule.endpoint](**req.view_args)
File "/usr/local/lib/python3.6/site-packages/flask_appbuilder/security/views.py", line 519, in oauth_authorized
resp = self.appbuilder.sm.oauth_remotes[provider].authorized_response()
如果有人指出我做错了什么,请你帮助我。
您应该像文档中那样向 get_oauth_user_info 函数添加注释 @appbuilder.sm.oauth_user_info_getter https://flask-appbuilder.readthedocs.io/en/latest/security.html#authentication-oauth
也改
me = self.appbuilder.sm.oauth_remotes[provider].get("user")
到
me = self.appbuilder.sm.oauth_remotes[provider].get("userinfo")
如果 base_url 类似于 https://{keycloak-domain}/auth/realms/{realm}/protocol/openid-connect/
我正在尝试将 keycloak 实施为 OAuth2.0 提供商。我拥有所有必要的 OAUTH_PROVIDER 信息,并且我已经声明了 AUTH_TYPE、AUTH_USER_REGISTRATION、AUTH_USER_REGISTRATION_ROLE (参见下面的代码)
AUTH_TYPE = AUTH_OAUTH
AUTH_USER_REGISTRATION = True
AUTH_USER_REGISTRATION_ROLE = "Public"
OAUTH_PROVIDERS = [
{
‘name’: ‘provider_name’,
‘icon’: ‘fa-icon’,
’token_key’: ‘access_token’,
‘remote_app’: {
‘base_url’: ‘https://www.base_url.com‘,
‘request_token_params’: {
‘scope’: ‘email profile’
},
‘request_token_url’: None,
‘access_token_url’: ‘https://www.access_token_url.com’,
‘authorize_url': ‘https://www.authorize_url.com',
‘consumer_key’: ‘PROVIDER_OAUTH_KEY’,
‘consumer_secret’: ‘PROVIDER_OAUTH_SECRET’
}
}
]
因为这是一个自定义提供程序(除了通常的 google、facebook、... 提供程序之外),在我的安全管理器中我已经覆盖了 get_oauth_user_info 在 flask-appbuilder manager.py
中声明的函数 def get_oauth_user_info(self, provider, response=None):
logging.debug("Oauth2 provider: {0}.".format(provider))
me = self.appbuilder.sm.oauth_remotes[provider].get("user")
logging.error(me)
return {
"preferred_username": me.data.get("preferred_username",""),
"first_name": me.data.get("given_name", ""),
"last_name": me.data.get("family_name", ""),
"email": me.data.get("email", "")
我希望将应用程序重定向到 keycloak 登录页面,但是 post 请求会引发以下错误:
DEBUG:flask_oauthlib:Request 'https://...' with 'POST' method
ERROR:flask_appbuilder.security.manager:User info does not have username or email {}
[2019-05-23 12:52:10,130] ERROR in app: Exception on /oauth-authorized/login [GET]
Traceback (most recent call last):
File "/usr/local/lib/python3.6/site-packages/flask/app.py", line 1982, in wsgi_app
response = self.full_dispatch_request()
File "/usr/local/lib/python3.6/site-packages/flask/app.py", line 1614, in full_dispatch_request
rv = self.handle_user_exception(e)
File "/usr/local/lib/python3.6/site-packages/flask/app.py", line 1517, in handle_user_exception
reraise(exc_type, exc_value, tb)
File "/usr/local/lib/python3.6/site-packages/flask/_compat.py", line 33, in reraise
raise value
File "/usr/local/lib/python3.6/site-packages/flask/app.py", line 1612, in full_dispatch_request
rv = self.dispatch_request()
File "/usr/local/lib/python3.6/site-packages/flask/app.py", line 1598, in dispatch_request
return self.view_functions[rule.endpoint](**req.view_args)
File "/usr/local/lib/python3.6/site-packages/flask_appbuilder/security/views.py", line 519, in oauth_authorized
resp = self.appbuilder.sm.oauth_remotes[provider].authorized_response()
如果有人指出我做错了什么,请你帮助我。
您应该像文档中那样向 get_oauth_user_info 函数添加注释 @appbuilder.sm.oauth_user_info_getter https://flask-appbuilder.readthedocs.io/en/latest/security.html#authentication-oauth
也改
me = self.appbuilder.sm.oauth_remotes[provider].get("user")
到
me = self.appbuilder.sm.oauth_remotes[provider].get("userinfo")
如果 base_url 类似于 https://{keycloak-domain}/auth/realms/{realm}/protocol/openid-connect/