Almost-working example using the mock-oidc-server for test and develo…

…pment purposes.
bluesky · Jan 13, 2025 · 9aadf96 · 9aadf96
1 parent 97331ff
commit 9aadf96
Show file tree

Hide file tree

Showing 9 changed files with 123 additions and 205 deletions.
diff --git a/example_configs/mock-oidc-server.yml b/example_configs/mock-oidc-server.yml
@@ -0,0 +1,15 @@
+authentication:
+  providers:
+  - provider: localhost
+    authenticator: tiled.authenticators:OIDCAuthenticator
+    args:
+      audience: tiled  # something unique to ensure received headers are for you
+      # These values come from https://console.cloud.google.com/apis/credential
+      client_id: tiled
+      client_secret: secret
+      well_known_uri: http://localhost:8080/.well-known/openid-configuration
+trees:
+ # Just some arbitrary example data...
+ # The point of this example is the authenticaiton above.
+ - tree: tiled.examples.generated_minimal:tree
+   path: /
diff --git a/oidc/clients-config.json b/oidc/clients-config.json
@@ -0,0 +1,28 @@
+[
+    {
+      "ClientId": "tiled",
+      "ClientSecrets": ["secret"],
+      "Description": "Tiled web interface login",
+      "AllowedGrantTypes": ["implicit"],
+      "AllowedScopes": ["tiled", "openid", "profile", "email"],
+      "RedirectUris": ["localhost:4000/*"],
+      "AllowAccessTokensViaBrowser": true,
+      "AccessTokenLifetime": 3600,
+      "IdentityTokenLifetime": 3600
+    },
+    {
+      "ClientId": "blueapi",
+      "ClientSecrets": ["secret"],
+      "Description": "Blueapi CLI login",
+      "AllowedGrantTypes": ["urn:ietf:params:oauth:grant-type:device_code"],
+      "AllowedScopes": ["blueapi", "openid", "profile", "email", "offline_access"],
+      "AccessTokenLifetime": 3600,
+      "IdentityTokenLifetime": 3600,
+      "AllowOfflineAccess": true,
+      "Claims": [{
+        "Type": "aud",
+        "Value": "blueapi",
+        "ValueType": "string"
+      }]
+    }
+  ]
diff --git a/oidc/oidc-docker-compose.yaml b/oidc/oidc-docker-compose.yaml
@@ -0,0 +1,69 @@
+services:
+  oidc-server-mock:
+    container_name: oidc-server-mock
+    image: ghcr.io/soluto/oidc-server-mock:latest
+    ports:
+      - 8080:80
+    environment:
+      ASPNETCORE_ENVIRONMENT: Development
+      ASPNETCORE_URLS: http://+:80
+      # ASPNETCORE_Kestrel__Certificates__Default__Password: <password for pfx file>
+      # ASPNETCORE_Kestrel__Certificates__Default__Path: /path/to/pfx/file
+      SERVER_OPTIONS_INLINE: |
+        {
+          "AccessTokenJwtType": "JWT",
+          "Discovery": {
+            "ShowKeySet": true
+          },
+          "Authentication": {
+            "CookieSameSiteMode": "Lax",
+            "CheckSessionCookieSameSiteMode": "Lax"
+          }
+        }
+      LOGIN_OPTIONS_INLINE: |
+        {
+          "AllowRememberLogin": false,
+          "AllowOfflineAccess": true
+        }
+      LOGOUT_OPTIONS_INLINE: |
+        {
+          "AutomaticRedirectAfterSignOut": true
+        }
+      API_SCOPES_INLINE: |
+        - Name: blueapi
+        - Name: tiled
+      API_RESOURCES_INLINE: |
+        - Name: app
+          Scopes:
+            - blueapi
+            - tiled
+      USERS_CONFIGURATION_INLINE: |
+        [
+          {
+            "SubjectId":"1",
+            "Username":"user",
+            "Password":"password",
+            "Claims": [
+              {
+                "Type": "name",
+                "Value": "Joe Bloggs",
+                "ValueType": "string"
+              },
+              {
+                "Type": "email",
+                "Value": "joe.bloggs@diamond.ac.uk",
+                "ValueType": "string"
+              }
+            ]
+          }
+        ]
+      CLIENTS_CONFIGURATION_PATH: /tmp/config/clients-config.json
+      ASPNET_SERVICES_OPTIONS_INLINE: |
+        {
+          "BasePath": "/foo",
+          "ForwardedHeadersOptions": {
+            "ForwardedHeaders" : "All"
+          }
+        }
+    volumes:
+      - .:/tmp/config:ro
diff --git a/tiled/commandline/_serve.py b/tiled/commandline/_serve.py
@@ -98,7 +98,7 @@ def serve_directory(
             "example: --host `'::'`."
         ),
     ),
-    port: int = typer.Option(8000, help="Bind to a socket with this port."),
+    port: int = typer.Option(4000, help="Bind to a socket with this port."),
     log_config: Optional[str] = typer.Option(
         None, help="Custom uvicorn logging configuration file"
     ),
@@ -335,7 +335,7 @@ def serve_catalog(
             "example: --host `'::'`."
         ),
     ),
-    port: int = typer.Option(8000, help="Bind to a socket with this port."),
+    port: int = typer.Option(4000, help="Bind to a socket with this port."),
     scalable: bool = typer.Option(
         False,
         "--scalable",
@@ -499,7 +499,7 @@ def serve_pyobject(
             "example: --host `'::'`."
         ),
     ),
-    port: int = typer.Option(8000, help="Bind to a socket with this port."),
+    port: int = typer.Option(4000, help="Bind to a socket with this port."),
     scalable: bool = typer.Option(
         False,
         "--scalable",
@@ -547,7 +547,7 @@ def serve_demo(
             "example: --host `'::'`."
         ),
     ),
-    port: int = typer.Option(8000, help="Bind to a socket with this port."),
+    port: int = typer.Option(4000, help="Bind to a socket with this port."),
 ):
     "Start a public server with example data."
     from ..server.app import build_app, print_admin_api_key_if_generated
@@ -650,7 +650,7 @@ def serve_config(
     uvicorn_kwargs = parsed_config.pop("uvicorn", {})
     # If --host is given, it overrides host in config. Same for --port and --log-config.
     uvicorn_kwargs["host"] = host or uvicorn_kwargs.get("host", "127.0.0.1")
-    uvicorn_kwargs["port"] = port or uvicorn_kwargs.get("port", 8000)
+    uvicorn_kwargs["port"] = port or uvicorn_kwargs.get("port", 4000)
     uvicorn_kwargs["log_config"] = _setup_log_config(
         log_config or uvicorn_kwargs.get("log_config"),
         log_timestamps,

diff --git a/tiled/server/app.py b/tiled/server/app.py
@@ -42,7 +42,6 @@
 from ..utils import SHARE_TILED_PATH, Conflicts, SpecialUsers, UnsupportedQueryType
 from ..validation_registration import validation_registry as default_validation_registry
 from . import schemas
-from .authentication import get_current_principal
 from .compression import CompressionMiddleware
 from .dependencies import (
     get_query_registry,
@@ -267,7 +266,6 @@ async def index(
             request: Request,
             # This dependency is here because it runs the code that moves
             # API key from the query parameter to a cookie (if it is valid).
-            principal=Security(get_current_principal, scopes=[]),
         ):
             return templates.TemplateResponse(
                 "index.html",
@@ -368,14 +366,8 @@ async def unhandled_exception_handler(
             build_device_code_user_code_form_route,
             build_device_code_user_code_submit_route,
             build_handle_credentials_route,
-            oauth2_scheme,
-        )
-
-        # For the OpenAPI schema, inject a OAuth2PasswordBearer URL.
-        first_provider = authentication["providers"][0]["provider"]
-        oauth2_scheme.model.flows.password.tokenUrl = (
-            f"/api/v1/auth/provider/{first_provider}/token"
         )
+
         # Authenticators provide Router(s) for their particular flow.
         # Collect them in the authentication_router.
         authentication_router = APIRouter()