Trying out OpenID Connect support

bkolobara · November 28, 2019, 11:44am

I saw that OIDC support has landed in flask-mutlipass. That’s great news and I would like to try it with one of the sites, but am not sure how to install and configure it.

If I run pip install --upgrade flask-multipass==0.3-dev I get an error about a conflict with indico, but it looks like it’s still installed:

ERROR: indico 2.2.4 has requirement Flask-Multipass<0.3-dev,>=0.2, but you'll have flask-multipass 0.3.dev0 which is incompatible.
Installing collected packages: flask-multipass
  Found existing installation: Flask-Multipass 0.2.2
    Uninstalling Flask-Multipass-0.2.2:
      Successfully uninstalled Flask-Multipass-0.2.2
Successfully installed flask-multipass-0.3.dev0

Only the server fails to start with the following error:

...
   File "/opt/indico/env/lib/python2.7/site-packages/indico/modules/users/models/users.py", line 21, in <module>
     from indico.core.auth import multipass
   File "/opt/indico/env/lib/python2.7/site-packages/indico/core/auth.py", line 14, in <module>
     from flask_multipass.providers.oauth import OAuthInvalidSessionState
   File "/opt/indico/env/lib/python2.7/site-packages/flask_multipass/providers/oauth.py", line 9, in <module>
     from authlib.common.errors import AuthlibBaseError
 ImportError: No module named authlib.common.errors

Not sure why authlib is not pulled in automatically.

Also, how would the configuration structure look for OIDC?

ThiefMaster · November 28, 2019, 11:46am

pip install --pre 'flask-multipass[oidc]' to make sure the oidc dependencies (ie authlib) gets installed.

And yes, installing the prerelease of multipass will break the version check for the indico package (ie the indico CLI won’t work); you can fix that by editing the indico.egg-info metadata in your virtualenv and remove (or loosen) the flask-multipass requirement in there.

bkolobara · November 28, 2019, 12:09pm

This worked great. Thanks!
But it looks like there are still dependencies missing:

...
   File "/opt/indico/env/lib/python2.7/site-packages/indico/modules/users/models/users.py", line 21, in <module>
     from indico.core.auth import multipass
   File "/opt/indico/env/lib/python2.7/site-packages/indico/core/auth.py", line 14, in <module>
     from flask_multipass.providers.oauth import OAuthInvalidSessionState
   File "/opt/indico/env/lib/python2.7/site-packages/flask_multipass/providers/oauth.py", line 10, in <module>
     from authlib.flask.client.oauth import RemoteApp
 ImportError: No module named oauth

ThiefMaster · November 28, 2019, 12:29pm

Try with Authlib==0.12.1; i haven’t tested with 0.13 yet (they moved around some stuff in that version)