Simple OAuth2 subrequest handler for nginx

Detailed description of the oauthsub Python project



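Simple OAuth2 subrequest handler for reverse proxies

Purpose

The goal of oauthsub is to defer authentication to an OAuth2 provider (such as Google, GitHub, Microsoft, etc.).

See the examples in the documentation for how best to use it.

Installation

Install via pip: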

pip install oauthsub

Or see the documentation for more options.

Usage

usage: oauthsub [-h] [--dump-config] [-v] [-l {debug,info,warning,error}]
                [-c CONFIG_FILE] [-s {flask,gevent,twisted}]
                [--rooturl ROOTURL] [--flask-debug [FLASK_DEBUG]]
                [--flask-privkey FLASK_PRIVKEY]
                [--response-header RESPONSE_HEADER]
                [--allowed-domains [ALLOWED_DOMAINS [ALLOWED_DOMAINS ...]]]
                [--host HOST] [--port PORT] [--logdir LOGDIR]
                [--route-prefix ROUTE_PREFIX]
                [--session-key-prefix SESSION_KEY_PREFIX]
                [--bypass-key BYPASS_KEY] [--custom-template CUSTOM_TEMPLATE]
                [--enable-forbidden [ENABLE_FORBIDDEN]]

This lightweight web service performs authentication. All requests that reach
this service should be proxied through nginx. See:
https://developers.google.com/api-client-library/python/auth/web-app

optional arguments:
  -h, --help            show this help message and exit
  --dump-config         Dump configuration and exit
  -v, --version         show program's version number and exit
  -l {debug,info,warning,error}, --log-level {debug,info,warning,error}
                        Increase log level to include info/debug
  -c CONFIG_FILE, --config-file CONFIG_FILE
                        use a configuration file
  -s {flask,gevent,twisted}, --server {flask,gevent,twisted}
                        Which WGSI server to use
  --rooturl ROOTURL     The root URL for browser redirects
  --flask-debug [FLASK_DEBUG]
                        Enable flask debugging for testing
  --flask-privkey FLASK_PRIVKEY
                        Secret key used to sign cookies
  --response-header RESPONSE_HEADER
                        If specified, the authenticated user's ``username``
                        will be passed as a response header with this key.
  --allowed-domains [ALLOWED_DOMAINS [ALLOWED_DOMAINS ...]]
                        List of domains that we allow in the `hd` field of
                        thegoogle response. Set this to your company gsuite
                        domains.
  --host HOST           The address to listening on
  --port PORT           The port to listen on
  --logdir LOGDIR       Directory where we store resource files
  --route-prefix ROUTE_PREFIX
                        All flask routes (endpoints) are prefixed with this
  --session-key-prefix SESSION_KEY_PREFIX
                        All session keys are prefixed with this
  --bypass-key BYPASS_KEY
                        Secret string which can be used to bypass
                        authorization if provided in an HTTP header
                        `X-OAuthSub-Bypass`
  --custom-template CUSTOM_TEMPLATE
                        Path to custom jinja template
  --enable-forbidden [ENABLE_FORBIDDEN]
                        If true, enables the /forbidden endpoint, to which you
                        can redirect 401 errors from your reverse proxy. This
                        page is a simple message with active template but
                        includes login links that will redirect back to the
                        forbidden page after a successful auth.

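Configuration

oauthsub can be configured through a configuration file written in Python (the file is ``exec``ed). Each configuration variable can also be specified on the command line (use ``oauthsub --help`` to see the list of options). If you would like to dump a configuration file containing the default values, use: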

oauthsub --dump-config

The output looks something like this:

    # The root URL for browser redirects
    rooturl = 'http://localhost'

    # Enable flask debugging for testing
    flask_debug = False

    # Secret key used to sign cookies
    flask_privkey = 'KALJE0Unas2dd8ao3p/T55htwbL5RrKX'

    # If specified, the authenticated user's ``username`` will be passed as a
    # response header with this key.
    response_header = None

    # List of domains that we allow in the `hd` field of thegoogle response. Set
    # this to your company gsuite domains.
    allowed_domains = ['gmail.com']

    # The address to listening on
    host = '0.0.0.0'

    # The port to listen on
    port = 8081

    # Directory where we store resource files
    logdir = '/tmp/oauthsub/logs'

    # Flask configuration options. Set session config here.
    flaskopt = {
      "PERMANENT_SESSION_LIFETIME": 864000,
      "SESSION_FILE_DIR": "/tmp/oauthsub/session_data",
      "SESSION_TYPE": "filesystem"
    }

    # All flask routes (endpoints) are prefixed with this
    route_prefix = '/auth'

    # All session keys are prefixed with this
    session_key_prefix = 'oauthsub-'

    # Secret string which can be used to bypass authorization if provided in an HTTP
    # header `X-OAuthSub-Bypass`
    bypass_key = None

    # Dictionary mapping oauth privider names to the client secrets for that
    # provider.
    client_secrets = {}

    # Path to custom jinja template
    custom_template = None

    # If true, enables the /forbidden endpoint, to which you can redirect 401 errors
    # from your reverse proxy. This page is a simple message  with active template
    # but includes login links that will redirect back to the forbidden page after a
    # successful auth.
    enable_forbidden = True

    # Which WGSI server to use (flask, gevent, twisted)
    server = 'flask'

    # This is not used internally, but is used to implement our user lookup
    # callback below
    _user_map = {
      "alice@example.com": "alice",
      "bob@example.com": "bob"
    }

    # This is a callback used to lookup the user identity based on the credentials
    # provided by the authenticator.
    def user_lookup(authenticator, parsed_response):
      if authenticator.type == "GOOGLE":
        # Could also use `id` to lookup based on google user id
        return _user_map.get(parsed_response.get("email"))
      return None
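A check for settings in this dump that should not carry over into a deployment, as an added example (not oauthsub's own code): it loads a config the same way, by ``exec``, and reports which values still match the defaults shown above. The 32-character minimum for `bypass_key` and the `/tmp` rule are assumptions of this example, and the sample config text is constructed.

```python
import os

SAMPLE_PRIVKEY = "KALJE0Unas2dd8ao3p/T55htwbL5RrKX"  # sample value shown on this page
MIN_BYPASS_LEN = 32  # assumed local policy, not an oauthsub rule

def load_config(source):
    """exec() the config text, as the page says oauthsub does, and return its
    variables. This runs the file's code, so only audit configs you trust."""
    scope = {}
    exec(compile(source, "<oauthsub-config>", "exec"), scope)
    scope.pop("__builtins__", None)
    return scope

def audit(cfg):
    """Return a sorted list of setting names that still need attention."""
    flagged = set()
    if cfg.get("flask_privkey") in (None, "", SAMPLE_PRIVKEY):
        flagged.add("flask_privkey")    # cookie-signing key is public or unset
    if cfg.get("flask_debug"):
        flagged.add("flask_debug")      # testing-only option
    if cfg.get("host") == "0.0.0.0":
        flagged.add("host")             # reachable without going through nginx
    if "gmail.com" in cfg.get("allowed_domains", []):
        flagged.add("allowed_domains")  # default, not a company gsuite domain
    bypass = cfg.get("bypass_key")
    if bypass is not None and len(bypass) < MIN_BYPASS_LEN:
        flagged.add("bypass_key")       # short X-OAuthSub-Bypass secret
    session_dir = cfg.get("flaskopt", {}).get("SESSION_FILE_DIR", "")
    for name, path in (("flaskopt", session_dir), ("logdir", cfg.get("logdir", ""))):
        if (os.path.normpath(path) + "/").startswith("/tmp/"):
            flagged.add(name)           # state kept in the shared temp directory
    return sorted(flagged)

# Constructed sample input: a few lines in the style of the dump above.
DEFAULT_STYLE = """
flask_privkey = 'KALJE0Unas2dd8ao3p/T55htwbL5RrKX'
host = '0.0.0.0'
allowed_domains = ['gmail.com']
bypass_key = 'letmein'
logdir = '/tmp/oauthsub/logs'
flaskopt = {"SESSION_FILE_DIR": "/tmp/oauthsub/session_data"}
"""

if __name__ == "__main__":
    for name in audit(load_config(DEFAULT_STYLE)):
        print("review:", name)
```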

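Testing the service

To test the service directly on localhost, put your client secrets in the configuration file and (assuming you have enabled http://lvh.me:8081/auth/callback as an authorized redirect on Google) run: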

oauthsub --flask-debug \
         --config /path/to/your/config.py

Then navigate to http://localhost:8081/auth in your browser.

For more detailed testing instructions, including how to test with nginx, see the documentation.
