A Flask application that wraps an OpenID Connect issuer with a Discourse SSO provider interface.
Detailed description of the Python project discourse-sso-oidc-bridge-consideratio
discourse-sso-oidc-bridge - a Python PyPI package and a Docker image
This Python package contains a Flask application that, once deployed, can be used as the endpoint Discourse calls when it is set up to use SSO. It wraps an OIDC provider and thereby avoids the various limitations that come with not being set up as a Discourse SSO provider.
The Flask application can be deployed with a Docker image, which is also built from this repo and published as `consideratio/discourse-sso-oidc-bridge`.
This repo stands on the shoulders of giants who did the initial work. Thank you @fmarco76 and @stevenmirabito for the valuable work you did!
Thanks also to @greut for a nice Medium article.
Installation
Note that this only installs the Python package containing the Flask application; you must use gunicorn or another WSGI-compatible web server to host it, and set up TLS etc. yourself.

```shell
pip install --upgrade discourse-sso-oidc-bridge-consideratio
```

To start the Flask application from the prebuilt Docker image instead, run the following.

```shell
docker run --rm -p 8080:8080 consideratio/discourse-sso-oidc-bridge
```
To actually use it, you should deploy it so that it is reachable both by Discourse and by Discourse's users, who will be redirected to it when they want to log in. To set this up, go to the Discourse settings and search for `sso`.

NOTE: When you do this setup, you want to check and fill in `enable sso`, `sso url`, and `sso secret`. What you write in your `sso secret` should be repeated in your bridge configuration.
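The `sso secret` is what binds Discourse and the bridge together: every request Discourse sends to the `sso url` carries an HMAC-SHA256 signature made with that secret, and the bridge must produce a signature with the same secret when it sends the user back. The following is an added illustration of that exchange (it is not the bridge's own code; the function names and the sample nonce, user attributes and secret are constructed for the example), showing the check the bridge has to make before trusting anything in the request and the response it builds afterwards:

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed secret for this example. In the bridge this is DISCOURSE_SECRET_KEY,
# and it must be identical to the "sso secret" entered in Discourse's settings.
DISCOURSE_SECRET_KEY = "my-other-secret-that-i-came-up-with-myself"


def sign_payload(payload_b64: str, secret: str) -> str:
    """Hex HMAC-SHA256 over the base64 payload string; this is how the
    Discourse SSO protocol signs both directions of the exchange."""
    return hmac.new(secret.encode(), payload_b64.encode(), hashlib.sha256).hexdigest()


def verify_and_decode(sso: str, sig: str, secret: str) -> dict:
    """Verify `sig` over the raw `sso` string exactly as received, using a
    constant-time comparison, and only then base64-decode and parse it.
    A tampered or unsigned payload therefore never reaches the parser."""
    expected = sign_payload(sso, secret).encode()
    if not hmac.compare_digest(expected, sig.lower().encode()):
        raise ValueError("bad signature on Discourse SSO payload")
    query = base64.b64decode(sso).decode()
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def make_discourse_request(nonce: str, return_sso_url: str, secret: str) -> tuple:
    """Construct the `sso`/`sig` pair Discourse sends to the bridge's sso url.
    Discourse does this itself; it is here only to build sample input."""
    payload_b64 = base64.b64encode(
        urlencode({"nonce": nonce, "return_sso_url": return_sso_url}).encode()
    ).decode()
    return payload_b64, sign_payload(payload_b64, secret)


def verify_discourse_request(sso: str, sig: str, secret: str) -> dict:
    """What the bridge does on arrival: check the signature, then require the
    fields Discourse always includes. Returns the decoded parameters."""
    params = verify_and_decode(sso, sig, secret)
    missing = {"nonce", "return_sso_url"} - params.keys()
    if missing:
        raise ValueError(f"SSO payload lacks {sorted(missing)}")
    return params


def build_discourse_response(nonce: str, return_sso_url: str,
                             user: dict, secret: str) -> str:
    """Build the redirect URL that sends an authenticated user back to Discourse.

    `user` holds the Discourse SSO attributes derived from the OIDC userinfo
    response (external_id, email, username, ...). The nonce from the request is
    echoed back so Discourse can tie the response to its own login attempt; the
    whole payload is base64-encoded and signed with the shared secret.
    """
    payload_b64 = base64.b64encode(urlencode({"nonce": nonce, **user}).encode()).decode()
    query = urlencode({"sso": payload_b64, "sig": sign_payload(payload_b64, secret)})
    return f"{return_sso_url}?{query}"


def decode_discourse_response(url: str, secret: str) -> dict:
    """What Discourse does on receipt: verify `sig`, then decode the attributes.
    Included so the whole round trip can be checked offline."""
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    return verify_and_decode(q["sso"], q["sig"], secret)
```

The signature is checked before the payload is decoded, with `hmac.compare_digest`, and a request signed with any other secret is rejected with a `ValueError`. Note that the nonce is single-use on the Discourse side: the bridge should keep it in the user's session between the OIDC login and the redirect back, rather than accept it from a later request.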
Bridge configuration
These are the common configuration options; you can find some more exotic ones in default.py.
To configure them you have two options.
You can provide a Python-based config file and set the `CONFIG_LOCATION` environment variable so that the application can locate it.

```python
########################
# Flask Configuration  #
########################
DEBUG = True

# NOTE: Your OIDC provider needs to have "Login redirect URIs" setup to the following
# endpoint managed by flask-pyoidc:
# https://discourse-sso.example.com/redirect_uri
PREFERRED_URL_SCHEME = 'https'
SERVER_NAME = 'discourse-sso.example.com'
SECRET_KEY = 'my-secret-key-that-i-came-up-with-myself'

# NOTE: Relates to OIDC_SESSION_PERMANENT as well.
# http://flask.pocoo.org/docs/1.0/config/#PERMANENT_SESSION_LIFETIME
# NOTE: You may want to learn about the "maximum session age" setting in discourse
# as well.
# PERMANENT_SESSION_LIFETIME = 2678400

#################################
# OpenID Connect Configuration  #
#################################
# NOTE: Relates to PERMANENT_SESSION_LIFETIME as well.
# https://github.com/zamzterz/Flask-pyoidc#flask-configuration
# OIDC_SESSION_PERMANENT = True

# NOTE: If you add /.well-known/openid-configuration to your OIDC_ISSUER, you should
# get a bunch of JSON details back if you got it right.
OIDC_ISSUER = 'https://my-oidc-provider.com'
OIDC_CLIENT_ID = 'my-client-id-from-my-oidc-provider'
OIDC_CLIENT_SECRET = 'my-secret-key-from-my-oidc-provider'
OIDC_SCOPE = 'openid profile email offline_access'

############################
# Discourse Configuration  #
############################
DISCOURSE_URL = 'https://discourse.example.com'
DISCOURSE_SECRET_KEY = 'my-other-secret-that-i-came-up-with-myself'
```

Alternatively, environment variables can be set with the same names as the configuration options. The default Python config will look for these environment variables and use them if present.
Config / ENV name | Description |
---|---|
`DEBUG` | Very useful while setting this up as you get lots of additional logs, but also sensitive information. Defaults to … |
`PREFERRED_URL_SCHEME` | Will influence the generated redirect_uri, defaults to … |
`SERVER_NAME` | The domain where you host this app, example: `discourse-sso.example.com` |
`SECRET_KEY` | A secret for Flask, just generate one with … |
`OIDC_ISSUER` | A URL to the OIDC issuer. To verify you get this right you can try appending `/.well-known/openid-configuration` … |
`OIDC_CLIENT_ID` | A preregistered `client_id` … |
`OIDC_CLIENT_SECRET` | The provided secret for the preregistered `client_id` … |
`OIDC_SCOPE` | Comma or space separated OIDC scopes, defaults to … |
… | Valid JSON object in a string containing key/values for additional parameters to be sent along with the initial request to the OIDC provider, defaults to … |
`DISCOURSE_URL` | The URL of your Discourse deployment, example `https://discourse.example.com` |
`DISCOURSE_SECRET_KEY` | A shared secret between the bridge and Discourse, generate one with … |
… | Valid JSON object in a string mapping OIDC userinfo attribute names to Discourse SSO attribute names. |
… | Valid JSON object in a string mapping Discourse SSO attributes to default values. By default … |
`CONFIG_LOCATION` | The path to a Python file to be loaded as config where … |
OIDC provider configuration
You must have a `client_id` and `client_secret` from your OIDC issuer. The issuer must also accept redirects back to `<PREFERRED_URL_SCHEME>://<bridge_url>/redirect_uri`, for example `https://discourse-sso.example.com/redirect_uri`.
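Most deployment failures of a bridge like this come from a setting that is present but wrong: a redirect URI registered with the wrong scheme, an issuer URL whose discovery document names a different issuer, a scope list without `openid`, or `DEBUG` left on in production. The following added example (not the project's code; `load_config`, `check_config` and the sample environment and discovery document are constructed for this illustration, and the fallback defaults for `PREFERRED_URL_SCHEME` and `OIDC_SCOPE` are assumptions rather than the project's documented ones) reads the settings from the table above out of environment variables, builds the redirect URI the issuer must have registered, and checks the configuration against a discovery document before the application is allowed to start:

```python
import json
import os
import re
from urllib.parse import urlparse

# Settings without which the bridge cannot work; names are those of the config file above.
REQUIRED = (
    "SERVER_NAME", "SECRET_KEY", "OIDC_ISSUER", "OIDC_CLIENT_ID",
    "OIDC_CLIENT_SECRET", "DISCOURSE_URL", "DISCOURSE_SECRET_KEY",
)

# Constructed environment standing in for os.environ at deploy time.
SAMPLE_ENV = {
    "PREFERRED_URL_SCHEME": "https",
    "SERVER_NAME": "discourse-sso.example.com",
    "SECRET_KEY": "0123456789abcdef0123456789abcdef",
    "OIDC_ISSUER": "https://my-oidc-provider.com",
    "OIDC_CLIENT_ID": "my-client-id-from-my-oidc-provider",
    "OIDC_CLIENT_SECRET": "my-secret-key-from-my-oidc-provider",
    "OIDC_SCOPE": "openid, profile email",
    "DISCOURSE_URL": "https://discourse.example.com",
    "DISCOURSE_SECRET_KEY": "fedcba9876543210fedcba9876543210",
}

# Constructed discovery document, the kind of JSON that
# <OIDC_ISSUER>/.well-known/openid-configuration returns, trimmed to the fields checked here.
SAMPLE_DISCOVERY = json.loads("""{
  "issuer": "https://my-oidc-provider.com",
  "authorization_endpoint": "https://my-oidc-provider.com/authorize",
  "token_endpoint": "https://my-oidc-provider.com/token",
  "userinfo_endpoint": "https://my-oidc-provider.com/userinfo",
  "jwks_uri": "https://my-oidc-provider.com/.well-known/jwks.json",
  "scopes_supported": ["openid", "profile", "email", "offline_access"]
}""")


def load_config(env=None) -> dict:
    """Read settings from environment variables. The fallbacks for
    PREFERRED_URL_SCHEME and OIDC_SCOPE are this example's assumptions."""
    env = os.environ if env is None else env
    cfg = {k: env[k] for k in REQUIRED if k in env}
    cfg["PREFERRED_URL_SCHEME"] = env.get("PREFERRED_URL_SCHEME", "https")
    cfg["OIDC_SCOPE"] = env.get("OIDC_SCOPE", "openid")
    cfg["DEBUG"] = env.get("DEBUG", "False").strip().lower() == "true"
    return cfg


def scopes(cfg: dict) -> list:
    """OIDC_SCOPE may be comma or space separated, as the table above says."""
    return [s for s in re.split(r"[,\s]+", cfg.get("OIDC_SCOPE", "")) if s]


def redirect_uri(cfg: dict) -> str:
    """The callback the OIDC issuer must have registered for this client."""
    return f"{cfg['PREFERRED_URL_SCHEME']}://{cfg['SERVER_NAME']}/redirect_uri"


def check_config(cfg: dict, discovery: dict) -> list:
    """Return a list of problems; an empty list means the bridge may start."""
    problems = [f"{k} is not set" for k in REQUIRED if not cfg.get(k)]
    if cfg.get("PREFERRED_URL_SCHEME") != "https":
        problems.append("PREFERRED_URL_SCHEME is not https; the SSO exchange "
                        "and the session cookie would travel in clear text")
    for key in ("OIDC_ISSUER", "DISCOURSE_URL"):
        if cfg.get(key) and urlparse(cfg[key]).scheme != "https":
            problems.append(f"{key} is not an https URL")
    if "openid" not in scopes(cfg):
        problems.append("OIDC_SCOPE must include 'openid'")
    if cfg.get("DEBUG"):
        problems.append("DEBUG is on; it logs sensitive information, turn it off once set up")
    # The discovery document must name the issuer you configured; otherwise the
    # bridge would accept tokens from a different authority than intended.
    if discovery.get("issuer", "").rstrip("/") != cfg.get("OIDC_ISSUER", "").rstrip("/"):
        problems.append(f"discovery issuer {discovery.get('issuer')!r} does not match OIDC_ISSUER")
    for endpoint in ("authorization_endpoint", "token_endpoint", "jwks_uri"):
        if endpoint not in discovery:
            problems.append(f"discovery document lacks {endpoint}")
    advertised = set(discovery.get("scopes_supported", scopes(cfg)))
    unsupported = set(scopes(cfg)) - advertised
    if unsupported:
        problems.append(f"provider does not advertise scopes {sorted(unsupported)}")
    return problems


if __name__ == "__main__":
    config = load_config(SAMPLE_ENV)
    print("redirect_uri to register:", redirect_uri(config))
    for problem in check_config(config, SAMPLE_DISCOVERY) or ["configuration looks consistent"]:
        print("-", problem)
```

In a real deployment the discovery document would be fetched from `<OIDC_ISSUER>/.well-known/openid-configuration` over TLS; the issuer comparison is the check that matters most, since a mismatch means the `client_id` and `client_secret` were issued by someone other than the authority the bridge is about to trust.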
Development notes
Making changes and testing
Clone the repo.
Install pipenv using `pip`.

```shell
pip install pipenv
```

Set up a virtual development environment.

```shell
pipenv install --dev
# Optionally enter the environment
pipenv shell
```

Run the tests.

```shell
pipenv run pytest
```
Building and uploading a PyPI release
Test, build and upload the package.

```shell
# Make sure you are up to date with what you have declared to require
pipenv install --dev

# Update changelog, fix requirements, etc.
pipenv lock -r > requirements.txt

# Run tests
pipenv run pytest

# Commit and tag to influence the PyPI version
# PBR will look for the latest tag and then append development
# versions based on your git commits since the latest tag.
git add .
git commit
TAG=$(pipenv run python -c 'from pbr.version import VersionInfo; print(VersionInfo("discourse_sso_oidc_bridge").version_string())')
git tag -a $TAG -m "Release $TAG"

# Build the package
pipenv run python setup.py bdist_wheel

# Upload the package to PyPI
pipenv run twine upload --skip-existing --username consideratio dist/*
```

Build, run and push the Docker image.

```shell
# Build and run
docker build -t consideratio/discourse-sso-oidc-bridge:$TAG .
docker run --rm -p 8080:8080 consideratio/discourse-sso-oidc-bridge:$TAG

# Build and push
docker build -t consideratio/discourse-sso-oidc-bridge:$TAG -t consideratio/discourse-sso-oidc-bridge:latest .
docker push consideratio/discourse-sso-oidc-bridge:$TAG
```
Deployment notes
I have used a simpler, unpublished Helm chart to deploy this. I would be glad to open-source a complete solution, but to avoid doing the work for nothing I would appreciate you showing interest in it, by emailing me, opening an issue, or similar.