docker

OpenID Connect Authentication

Authentication service with OpenID Connect.

Dependencies

Configuration

Environment variables (single tenant):

Variable Description Default value
ISSUER_URL OpenID Connect Issuer URL -
CLIENT_ID Client ID -
CLIENT_SECRET Client secret -

Service config

  • JSON schema
  • File location: $CONFIG_PATH/<tenant>/oidcAuthConfig.json

Example:

{
  "$schema": "https://github.com/qwc-services/qwc-oidc-auth/raw/main/schemas/qwc-oidc-auth.json",
  "service": "oidc-auth",
  "config": {
    "issuer_url": "https://qwc2-dev.onelogin.com/oidc/2",
    "client_id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxxxxxx",
    "client_secret": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
  }
}

The service expects authentication service information at $ISSUER_URL/.well-known/openid-configuration

See JSON schema for optional configuration options.

Configure Access Token endpoint

It is possible to authorize connection with a external Access Token in the Authorization Header (endpoint /tokenlogin).

For each token a configuration needs to be add in authorized_api_token.

Example:

{
  "$schema": "https://github.com/qwc-services/qwc-oidc-auth/raw/main/schemas/qwc-oidc-auth.json",
  "service": "oidc-auth",
  "config": {
    "issuer_url": "https://qwc2-dev.onelogin.com/oidc/2",
    "client_id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxxxxxxxx",
    "client_secret": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "authorized_api_token": [{
      "keys_url": "https://public_keys_url_to_decode_token",
      "claims_options":{
        "iss": {
            "essential": true,
            "values": ["https://example.com", "https://example.org"]
        },
        "sub": {
            "essential": true,
            "value": "xxxxxxxxxxxxx"
        },
        "aud": {
          "essential": true,
          "value": "api://xxxx-xxxxxxxxx-xxxxx"
        }
      }
    }]
  }
}

claims_options are the token validation parameters which allow fine control over the content of the payload. See https://docs.authlib.org/en/latest/jose/jwt.html#jwt-payload-claims-validation.

Identity provider configuration

CLIENT_ID and CLIENT_SECRET are defined on identity provider side.

The Redirect URI is the public base URL with the endpoint /callback (Example: https://qwc2.sourcepole.ch/oauth/callback).

This redirect URI can be manually configured with redirect_uri.

Usage/Development

Configure environment:

echo FLASK_ENV=development >.flaskenv

Install dependencies and run service:

uv run src/server.py

Login: http://127.0.0.1:5017/login