diff --git a/spiffworkflow-backend/bin/get_token b/spiffworkflow-backend/bin/get_token index dc26e7696..c9e7bb0be 100755 --- a/spiffworkflow-backend/bin/get_token +++ b/spiffworkflow-backend/bin/get_token @@ -20,10 +20,10 @@ set -o errtrace -o errexit -o nounset -o pipefail # ./bin/get_token repeat_form_user_1 repeat_form_user_1 # actually has permissions to the resource in this script # ./bin/get_token ciadmin1 ciadmin1 '%2Fprocess-models' -# KEYCLOAK_BASE_URL=http://localhost:7002 -KEYCLOAK_BASE_URL=https://keycloak.dev.spiffworkflow.org -# BACKEND_BASE_URL=http://localhost:7000 -BACKEND_BASE_URL=https://api.dev.spiffworkflow.org +KEYCLOAK_BASE_URL=http://localhost:7002 +# KEYCLOAK_BASE_URL=https://keycloak.dev.spiffworkflow.org +BACKEND_BASE_URL=http://localhost:7000 +# BACKEND_BASE_URL=https://api.dev.spiffworkflow.org REALM_NAME=spiffworkflow USERNAME=${1-fin} PASSWORD=${2-fin} @@ -36,12 +36,12 @@ SECURE=false BACKEND_BASIC_AUTH=$(echo -n "${BACKEND_CLIENT_ID}:${BACKEND_CLIENT_SECRET}" | base64) KEYCLOAK_URL=$KEYCLOAK_BASE_URL/realms/$REALM_NAME/protocol/openid-connect/token -echo "Using Keycloak: $KEYCLOAK_URL" -echo "realm: $REALM_NAME" -echo "client-id: $FRONTEND_CLIENT_ID" -echo "username: $USERNAME" -echo "password: $PASSWORD" -echo "secure: $SECURE" +>&2 echo "Using Keycloak: $KEYCLOAK_URL" +>&2 echo "realm: $REALM_NAME" +>&2 echo "client-id: $FRONTEND_CLIENT_ID" +>&2 echo "username: $USERNAME" +>&2 echo "password: $PASSWORD" +>&2 echo "secure: $SECURE" if [[ $SECURE = 'y' ]]; then @@ -61,8 +61,9 @@ result=$(curl -s -X POST "$KEYCLOAK_URL" "$INSECURE" \ -d "client_id=$BACKEND_CLIENT_ID" \ ) backend_token=$(jq -r '.access_token' <<< "$result") -echo "testing hitting backend with token: $backend_token" -curl --fail -v "${BACKEND_BASE_URL}/v1.0/process-groups?per_page=1" -H "Authorization: Bearer $backend_token" +echo "$backend_token" +# curl --fail -v "${BACKEND_BASE_URL}/v1.0/process-groups?per_page=1" -H "Authorization: Bearer $backend_token" +# curl -v -X POST "${BACKEND_BASE_URL}/v1.0/login_with_access_token?access_token=${backend_token}" -H "Authorization: Bearer $backend_token" ### Get with frontend and exchange with backend - not configured to work in keycloak atm diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/api.yml b/spiffworkflow-backend/src/spiffworkflow_backend/api.yml index 326d55b6e..842491c24 100755 --- a/spiffworkflow-backend/src/spiffworkflow_backend/api.yml +++ b/spiffworkflow-backend/src/spiffworkflow_backend/api.yml @@ -79,6 +79,26 @@ paths: "200": description: Logout Authenticated User + /login_with_access_token: + parameters: + - name: access_token + in: query + required: true + schema: + type: string + post: + operationId: spiffworkflow_backend.routes.user.login_with_access_token + summary: Authenticate user for API access with an openid token already posessed. + tags: + - Authentication + responses: + "200": + description: "Returns ok: true if user successfully logged in." + content: + application/json: + schema: + $ref: "#/components/schemas/OkTrue" + /login_api: get: operationId: spiffworkflow_backend.routes.user.login_api diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/routes/user.py b/spiffworkflow-backend/src/spiffworkflow_backend/routes/user.py index 6fd7d39c6..a86e48bea 100644 --- a/spiffworkflow-backend/src/spiffworkflow_backend/routes/user.py +++ b/spiffworkflow-backend/src/spiffworkflow_backend/routes/user.py @@ -1,5 +1,7 @@ """User.""" import ast +from flask import make_response +from flask import jsonify import base64 import json import re @@ -261,13 +263,11 @@ def parse_id_token(token: str) -> Any: def login_return(code: str, state: str, session_state: str = "") -> Optional[Response]: - """Login_return.""" state_dict = ast.literal_eval(base64.b64decode(state).decode("utf-8")) state_redirect_url = state_dict["redirect_url"] auth_token_object = AuthenticationService().get_auth_token_object(code) if "id_token" in auth_token_object: id_token = auth_token_object["id_token"] - user_info = parse_id_token(id_token) if AuthenticationService.validate_id_or_access_token(id_token): @@ -299,6 +299,23 @@ def login_return(code: str, state: str, session_state: str = "") -> Optional[Res ) +# FIXME: share more code with login_return and maybe attempt to get a refresh token +def login_with_access_token(access_token: str) -> Response: + user_info = parse_id_token(access_token) + + if AuthenticationService.validate_id_or_access_token(access_token): + if user_info and "error" not in user_info: + AuthorizationService.create_user_from_sign_in(user_info) + else: + raise ApiError( + error_code="invalid_login", + message="Login failed. Please try again", + status_code=401, + ) + + return make_response(jsonify({"ok": True})) + + def login_api() -> Response: """Login_api.""" redirect_url = "/v1.0/login_api_return"