Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow OAuth login #355

Open
DavidMStraub opened this issue Apr 4, 2023 · 6 comments
Open

Allow OAuth login #355

DavidMStraub opened this issue Apr 4, 2023 · 6 comments

Comments

@DavidMStraub
Copy link
Member

https://flask-dance.readthedocs.io/en/latest/

@cdhorn
Copy link
Collaborator

cdhorn commented Aug 24, 2023

May want to consider https://python-social-auth.readthedocs.io/en/latest/intro.html#features as well. Ansible Tower uses it.

@cypherkey
Copy link

Hello.

I've begun working a little bit on this. Unfortunately all my experience is with backend work and I have little to no experience on SPA or front-end Javascript.

Using this site, I created API endpoints (login and callback) for Google. The callback endpoint then creates a JWT just like the token endpoint does. The code can be found here. NOTE: The code is rough and could be cleaned up. There is also duplication of code from token.py.

The issue I have is how to tie this to the front-end. Do you have any thoughts on how you would want this implemented? The alternative that I can look in to implementing SSO in the JS front end.

@DavidMStraub
Copy link
Member Author

Thanks for looking into this, but I suggest to first think about architectural issues before starting to code. When I looked into this myself, I stopped at some point because it was getting too complicated for me. There are many issues to solve, like where to store user assocation between the internal users and the SSO providers, and how toi handle signup; see https://flask-dance.readthedocs.io/en/latest/multi-user.html for some discussion (whether we use Flask-Dance or not).

In your code, only emails are compared, but is this enough? If the user changes the email address associated with the SSO provider, they will completely loose access. (Probably this is unlikely for Google, but not for other providers.)

@PovilasID
Copy link

I suggest looking into https://pypi.org/project/oic/ it is supported by things like Keycloak which has the widest compatibility. https://flask-pyoidc.readthedocs.io/en/stable/quickstart.html looks like a good option too. Keycloak can plug other providers like Google into it or use it directly because most have OIDC integration but mostly Keycloak makes sense for development because it will throw errors on "provider" side that you can check.
I think providers Google; facebook etc. will define what prams are needed (email, id, etc) for things like Keycloak you can define required and minimal prams.
Here is something that may be useful: https://gist.github.com/thomasdarimont/145dc9aa857b831ff2eff221b79d179a
Users using 3rd party services often include 'openid' as and additional user ID. This permits using local and 3rd party logins in parallel.

@AquaWolf
Copy link

Does someone already started with this issue? I would like to help somehow. I'm more a frontend developer. If you already considered a framework I could dig a bit deeper.

@DavidMStraub
Copy link
Member Author

Hi, no, nobody is working on it right now - unfortunately, I think it is mostly a backend challenge.

@DavidMStraub DavidMStraub removed the enhancement New feature or request label Nov 28, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

5 participants