This package provides the keycloak
authentication and identity providers for Flask-Multipass.
KeycloakAuthProvider
This provider is a simple wrapper around AuthlibAuthProvider
, since Keycloak works well with the standard authlib
provider in flask-multipass
.
KeycloakIdentityProvider
This provider gives access to group information and members via Keycloak REST API.
pip install flask-multipass-keycloak
The configuration follows the standard Flask-Multipass way and the Keycloak specific part placed into the keycloak_args
section.
MULTIPASS_AUTH_PROVIDERS = {
'keycloak': {
'type': 'keycloak',
'title': 'Keycloak Auth Provider',
'authlib_args': {...}
}
}
MULTIPASS_IDENTITY_PROVIDERS = {
'keycloak': {
'type': 'keycloak',
'title': 'Keycloak Identity Provider',
'identifier_field': 'email',
'keycloak_args': {
'grant_type': 'client_credentials',
'client_id': '<client_id>',
'client_secret': '<client_secret>',
'access_token_url': '<access-token-url>',
'realm_api_url': '<realm-api-url>'
}
}
}
The configuration values are following:
-
grant_type
Default value is
client_credentials
. In Keycloak, "Service accounts roles" must be enabled in client config (Client details/Settings/Capability).password
is also supported. In Keycloak, "Direct access grants" must be enabled in client config (Client details/Settings/Capability). In this case 2 additional fields must be added:username
andpassword
. -
client_id
In Keycloak, Client details/Setting/Client ID field.
-
client_secret
In Keycloak, Client details/Credentials/Client Secret field.
-
access_token_url
In Keycloak, Realm settings/General/Endpoints/OpenID Endpoint Configuration/"token_endpoint".
-
realm_api_url
The URL format is
<base url>/admin/realms/<realm name>
, where the realm is where the users and user groups are configured.
The library needs to get an API access token from Keycloak which typically takes 200-300ms. Set the cache
key of the multipass identity provider configuration to the import path of a Flask-Caching instance or a function returning such an instance, or the instance itself to enable caching of tokens (until they expire) and group data (30 minutes).
In order to develop flask-multipass-keycloak
, install the project and its dependencies in a virtualenv. This guide assumes that you have the following tools installed and available in your path:
git
(available in most systems)make
(available in most systems)poetry
(installation guide)pyenv
(installation guide)
First, clone the repository locally with:
git clone https://github.com/unconventionaldotdev/flask-multipass-keycloak
cd flask-multipass-keycloak
Before creating the virtualenv, make sure to be using the same version of Python that the development of the project is targeting. This is the first version specified in the .python-version
file and you can install it with pyenv
:
pyenv install
You may now create the virtualenv and install the project with its dependencies in it with poetry
:
poetry install
This project uses GitHub Actions to run the tests and linter on every pull request. You are still encouraged to run the tests and linter locally before pushing your changes.
Run linter checks with:
poetry run -- make lint
Run tests with:
poetry run -- make test
Run tests against all supported Python versions with:
tox