This is a demo application to explain how the OpenID Connect code flow is implemented.
$ python app.py
Flask will start a web server listening on all interfaces that can be used for demo purposes. The webserver will use HTTPS with a certificate for localhost. Browse to https://localhost:5443 to see the app.
python 2.x (tested with python 2.7.10)
OpenSSL 1.0 to be able to do modern TLS versions. Python together with 0.9.x has a bug that makes it impossible to select protocol in the handshake, so it cannot connect to servers that have disabled SSLv2.
Python dependencies can be installed by using PIP: pip install -r requirements.txt
Settings.json is used as a configuration file for the example app. Change the values to match your system.
Name | Type | Default | Description |
---|---|---|---|
issuer |
string | The ID of the token issuer. This is used for both OpenID Connect Discovery, and validating a ID Token. Mandatory for discovery | |
client_id |
string | The ID for the client. Used to authenticate the client against the authorization server endpoint. | |
client_secret |
string | The shared secret to use for authentication against the token endpoint. | |
dcr_client_id |
string | The client ID of the client for to use for registration. | |
dcr_client_secret |
string | The client secret of the client for to use for registration. | |
scope |
string | openid |
The scopes to ask for. |
verify_ssl_server |
boolean | true |
Set to false to disable certificate checks. |
debug |
boolean | false |
If set to true, Flask will be in debug mode and write stacktraces if an error occurs. Some extra logging is also printed. |
port |
number | 5443 |
The port that the Flask server should listen to |
disable_https |
boolean | false |
Set to true to run on http |
logout_endpoint |
string | The URL to the logout endpoint at the authentication service. If set, the user will be redirected here after a logout has been made in the application. | |
base_url |
string | base url to be added to internal redirects. If this is not configured, the base url will be extracted from the first request to the index page | |
send_parameters_via |
string | query_string |
How request parameters should be sent to the authorization endpoint. Valid values are query_string , request_object or request_uri . |
request_object_keys |
JSON object | The JSON Web Key (JWK) used to sign JWTs used when sending authorization request parameters by-value in a request object or by reference in a request URI. For example:{ "kty":"RSA", "n":"0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw", "e":"AQAB", "d":"X4cTteJY_gn4FYPsXB8rdXix5vwsg1FLN5E3EaG6RJoVH-HLLKD9M7dx5oo7GURknchnrRweUkC7hT5fJLM0WbFAKNLWY2vv7B6NqXSzUvxT0_YSfqijwp3RTzlBaCxWp4doFk5N2o8Gy_nHNKroADIkJ46pRUohsXywbReAdYaMwFs9tv8d_cPVY3i07a3t8MN6TNwm0dSawm9v47UiCl3Sk5ZiG7xojPLu4sbg1U2jx4IBTNBznbJSzFHK66jT8bgkuqsk0GjskDJk19Z4qwjwbsnn4j2WBii3RL-Us2lGVkY8fkFzme1z0HbIkfz0Y6mqnOYtqc0X4jfcKoAC8Q", "p":"83i-7IvMGXoMXCskv73TKr8637FiO7Z27zv8oj6pbWUQyLPQBQxtPVnwD20R-60eTDmD2ujnMt5PoqMrm8RfmNhVWDtjjMmCMjOpSXicFHj7XOuVIYQyqVWlWEh6dN36GVZYk93N8Bc9vY41xy8B9RzzOGVQzXvNEvn7O0nVbfs", "q":"3dfOR9cuYq-0S-mkFLzgItgMEfFzB2q3hWehMuG0oCuqnb3vobLyumqjVZQO1dIrdwgTnCdpYzBcOfW5r370AFXjiWft_NGEiovonizhKpo9VVS78TzFgxkIdrecRezsZ-1kYd_s1qDbxtkDEgfAITAG9LUnADun4vIcb6yelxk", "dp":"G4sPXkc6Ya9y8oJW9_ILj4xuppu0lzi_H7VTkS8xj5SdX3coE0oimYwxIi2emTAue0UOa5dpgFGyBJ4c8tQ2VF402XRugKDTP8akYhFo5tAA77Qe_NmtuYZc3C3m3I24G2GvR5sSDxUyAN2zq8Lfn9EUms6rY3Ob8YeiKkTiBj0", "dq":"s9lAH9fggBsoFR8Oac2R_E2gw282rT2kGOAhvIllETE1efrA6huUUvMfBcMpn8lqeW6vzznYY5SSQF7pMdC_agI3nG8Ibp1BUb0JUiraRNqUfLhcQb_d9GF4Dh7e74WbRsobRonujTYN1xCaP6TO61jvWrX-L18txXw494Q_cgk", "qi":"GyM_p6JrXySiz1toFgKbWV-JdI3jQ4ypu9rbMWx3rQJBfmt0FoYzgUIZEVFEcOqwemRN81zoDAaa-Bk0KWNGDjJHZDdDmFhW3AN7lI-puxk_mHZGJ11rxyR8O55XLSe3SPmRfKwZI6yU24ZxvQKFYItdldUKGzO6Ia6zTKhAVRU", "alg":"RS256", "kid":"2011-04-29" } |
Name | Type | Description |
---|---|---|
jwks_uri |
URL | The URL that points to the JWK set. Mandatory if the openid scope is requested. |
authorization_endpoint |
The URL to the authorization endpoint. | |
token_endpoint |
URL | The URL to the token endpoint. |
registration_endpoint |
URL | The URL to the registration endpoint. |
To run the example in a Docker container, build an image and run a container like this.:
$ docker build -t curityio/openid-python-example
$ docker run -ti curityio/openid-python-example
All setting can be set using an environment variable with uppercase letters. Example:
$ docker build -t curityio/openid-python-example
$ docker run -e DEBUG=true -e ISSUER=se.curity -ti curityio/openid-python-example
In the root of the repository, there is a docker-compose.yml
. Customize the settings using environment variables with uppercase letters.
$ docker-compose up
For questions and support, contact Curity AB:
Curity AB
Copyright (C) 2016 Curity AB.