Allow OAuth login #355
Comments
May want to consider https://python-social-auth.readthedocs.io/en/latest/intro.html#features as well. Ansible Tower uses it.
Hello. I've begun working a little bit on this. Unfortunately all my experience is with backend work and I have little to no experience on SPA or front-end JavaScript. Using this site, I created API endpoints (login and callback) for Google. The callback endpoint then creates a JWT just like the token endpoint does. The code can be found here. NOTE: The code is rough and could be cleaned up. There is also duplication of code from token.py. The issue I have is how to tie this to the front-end. Do you have any thoughts on how you would want this implemented? The alternative is that I can look into implementing SSO in the JS front end.
Thanks for looking into this, but I suggest first thinking about architectural issues before starting to code. When I looked into this myself, I stopped at some point because it was getting too complicated for me. There are many issues to solve, like where to store the user association between the internal users and the SSO providers, and how to handle signup; see https://flask-dance.readthedocs.io/en/latest/multi-user.html for some discussion (whether we use Flask-Dance or not). In your code, only emails are compared, but is this enough? If the user changes the email address associated with the SSO provider, they will completely lose access. (Probably this is unlikely for Google, but not for other providers.)
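The association problem raised in the comment above, as an added example that is not part of this thread or of the project's code: key the link on the provider name plus the provider's stable subject identifier (`sub` in an OpenID Connect ID token), and use the email only to attach an existing account on the first login, and only when the provider asserts it is verified. The `Directory` store, the claim names and the sample accounts are assumptions constructed for this example.

```python
"""Account linking for SSO logins: key on the provider's stable subject id, not on the email."""
from dataclasses import dataclass, field


@dataclass
class User:
    id: int
    email: str


@dataclass
class Directory:
    """In-memory stand-in for a users table and an oauth-link table (assumed for this example)."""
    users: dict = field(default_factory=dict)   # user_id -> User
    links: dict = field(default_factory=dict)   # (provider, subject) -> user_id
    next_id: int = 1

    def create_user(self, email):
        user = User(self.next_id, email)
        self.users[user.id] = user
        self.next_id += 1
        return user


def login_with_sso(directory, provider, claims):
    """Map the callback claims ({"sub", "email", "email_verified"}) to an internal user.
    Returns (user, how) with how in {"linked", "matched_email", "signup"}."""
    key = (provider, claims["sub"])
    # 1. Preferred path: a stored (provider, sub) link keeps working when the
    #    user changes the email address registered with the provider.
    if key in directory.links:
        return directory.users[directory.links[key]], "linked"
    # 2. First login only: attach to an existing account by email, and only if
    #    the provider asserts the address is verified; then store the link.
    email = claims.get("email", "")
    if email and claims.get("email_verified") is True:
        for user in directory.users.values():
            if user.email.lower() == email.lower():
                directory.links[key] = user.id
                return user, "matched_email"
    # 3. Otherwise treat it as a signup: create the account and link it.
    user = directory.create_user(email)
    directory.links[key] = user.id
    return user, "signup"


def demo():
    """Constructed sample: the same Google subject logs in before and after an email change."""
    d = Directory()
    alice = d.create_user("alice@example.com")
    first = login_with_sso(d, "google", {"sub": "1001", "email": "alice@example.com", "email_verified": True})
    second = login_with_sso(d, "google", {"sub": "1001", "email": "a.new@example.com", "email_verified": True})
    return alice.id, first, second
```

A real deployment would also need the provider's email to be compared only when the provider marks it verified, otherwise an attacker who controls an unverified address at another provider could be attached to someone else's account.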
I suggest looking into https://pypi.org/project/oic/; it is supported by things like Keycloak, which has the widest compatibility. https://flask-pyoidc.readthedocs.io/en/stable/quickstart.html looks like a good option too. Keycloak can plug other providers like Google into it or use it directly because most have OIDC integration, but mostly Keycloak makes sense for development because it will throw errors on the "provider" side that you can check.
Has someone already started on this issue? I would like to help somehow. I'm more of a frontend developer. If you have already considered a framework I could dig a bit deeper.
Hi, no, nobody is working on it right now - unfortunately, I think it is mostly a backend challenge.
https://flask-dance.readthedocs.io/en/latest/