A Flask app, wrapping a single OpenID Connect issuer with a Discourse SSO provider interface.
Project description
Discourse SSO OIDC Bridge - A Python PyPI package and a Docker image
This Python package contains a Flask application that when deployed can be used as and endpoint for Discourse when setting up it's SSO. It will then be able to wrap a OIDC provider and avoid various limitations of not being setup as a Discourse SSO provider.
The Flask application can be deployed using a Docker image that is also within
this repo and published to docker hub as
consideratio/discourse-sso-oidc-bridge
.
This repo was made standing on the shoulders giants who made most of the initial work. Thank you @fmarco76 and @stevenmirabito for the valuable work you have made!
I also did some Dockerfile refinements thanks to @greut's excellent Medium article.
Installation
Note that this only installs a Python package containing a Flask application,
you must use gunicorn
or another WSGI compatible webserver to host it and
setup TLS etc.
pip install --upgrade discourse-sso-oidc-bridge-consideratio
To startup a the Flask app within a prebuilt Docker image, do the following.
docker run --rm -p 8080:8080 consideratio/discourse-sso-oidc-bridge
To actually use it, you should make it deployed in a way that it is accessible
for discourse and its users, so it can redirect arriving users who wants to
login to it. To do this, visit the discourse settings and search for sso
.
NOTE: When you do this setup, you want to check and fill in
enable sso
,sso url
, andsso secret
. What you write in yoursso secret
should be repeated in your bridge configuration.
Bridge Configuration
These are common configuration options, but you can find some more exotic ones within default.py.
To configure these, you have two options.
-
You can provide provide a Python based config file and set the
CONFIG_LOCATION
environment variable allowing the application to locate it.####################### # Flask Configuration # ####################### DEBUG = True # NOTE: Your OIDC provider needs to have "Login redirect URIs" setup to the following # endpoint managed by flask-pyoidc: # https://discourse-sso.example.com/redirect_uri PREFERRED_URL_SCHEME = 'https' SERVER_NAME = 'discourse-sso.example.com' SECRET_KEY = 'my-secret-key-that-i-came-up-with-myself' # NOTE: Relates to OIDC_SESSION_PERMANENT as well. # http://flask.pocoo.org/docs/1.0/config/#PERMANENT_SESSION_LIFETIME # NOTE: You may want to learn about the "maximum session age" setting in discourse # as well. # PERMANENT_SESSION_LIFETIME = 2678400 ################################ # OpenID Connect Configuration # ################################ # NOTE: Relates to PERMANENT_SESSION_LIFETIME as well. # https://github.com/zamzterz/Flask-pyoidc#flask-configuration # OIDC_SESSION_PERMANENT = True # NOTE: If you add /.well-known/openid-configuration to your OIDC_ISSUER, you should get a bunch of JSON details back if you got it right. OIDC_ISSUER = 'https://my-oidc-provider.com' OIDC_CLIENT_ID = 'my-client-id-from-my-oidc-provider' OIDC_CLIENT_SECRET = 'my-secret-key-from-my-oidc-provider' OIDC_SCOPE = 'openid profile email offline_access' ########################### # Discourse Configuration # ########################### DISCOURSE_URL = 'https://discourse.example.com' DISCOURSE_SECRET_KEY = 'my-other-secret-that-i-came-up-with-myself'
-
You can set environment variables with the same name as the config options. The default python config will look in these environment variables and use them if available.
Config / ENV name | Description |
---|---|
DEBUG |
Very useful while setting this up as you get lots of additional logs, but also sensitive information. Defaults to False . |
PREFERRED_URL_SCHEME |
Will influence the generated redirect_uri, defaults to "https" . |
SERVER_NAME |
The domain where you host this app, example: "discourse-sso.example.com" . |
SECRET_KEY |
A secret for Flask, just generate one with openssl rand -hex 32 . |
OIDC_ISSUER |
An URL to the OIDC issuer. To verify you get this right you can try appending /.well-known/openid-configuration to it and see if you get various JSON details rather than a 404. |
OIDC_CLIENT_ID |
A preregistered client_id on your OIDC issuer. |
OIDC_CLIENT_SECRET |
The provided secret for the the preregistered OIDC_CLIENT_ID . |
OIDC_SCOPE |
Comma or space seperated OIDC scopes, defaults to "openid profile" . |
OIDC_EXTRA_AUTH_REQUEST_PARAMS |
Valid JSON object in a string containing key/values for additional parameters to be sent along with the initial request to the OIDC provider, defaults to "{}" . |
DISCOURSE_URL |
The URL of your Discourse deployment, example "https://discourse.example.com" . |
DISCOURSE_SECRET_KEY |
A shared secret between the bridge and Discourse, generate one with openssl rand -hex 32 . |
USERINFO_SSO_MAP |
Valid JSON object in a string mapping OIDC userinfo attribute names to to Discourse SSO attribute names. |
DEFAULT_SSO_ATTRIBUTES |
Valid JSON object in a string mapping Discourse SSO attributes to default values. By default sub is mapped to external_id and preferred_username to username . |
CONFIG_LOCATION |
The path to a Python file to be loaded as config where OIDC_ISSUER etc. could be set. |
OIDC Provider Configuration
You must have a client_id
and client_secret
from your OIDC issuer. The
issuer must also accept redirecting back to
<PREFERRED_URL_SCHEME>://<bridge_url>/redirect_uri
, which for example could be
https://discourse-sso.example.com/redirect_uri
.
Development Notes
To make changes and test them
-
Clone the repo
-
Install
pipenv
usingpip
.pip install pipenv
-
Setup a virtual development environment
pipenv install --dev # Optionally enter the environment pipenv shell
-
Run tests
pipenv run pytest
Build and upload a PyPI release
-
Test, build and upload the package
# Make sure you are up to date with what you have declared to require pipenv install --dev # Update changelog, fix requirements, etc. pipenv lock -r > requirements.txt # Run tests pipenv run pytest # Verify that the Dockerfile can build and start docker build --tag discourse-sso-oidc-bridge:local . && docker run --rm discourse-sso-oidc-bridge:local # Let PBR update the ChangeLog # FIXME: Can I update the ChangeLog in a more minimalistic way? pipenv run python setup.py install # Commit and tag to influence the PyPI version # PBR will look for the latest tag and then append development # versions based on your git commits since the latest tag. git add . git commit TAG=$(pipenv run python -c 'from pbr.version import VersionInfo; print(VersionInfo("discourse_sso_oidc_bridge").version_string())') git tag -a $TAG -m "Release $TAG" # Build the package pipenv run python setup.py sdist bdist_wheel # Upload the package to PyPI pipenv run twine upload --skip-existing --username consideratio dist/*
-
Push git commits and tags
git push git push --tags
-
Build, run, and push a Docker image
# Build and run docker build -t consideratio/discourse-sso-oidc-bridge:$TAG . docker run --rm -p 8080:8080 consideratio/discourse-sso-oidc-bridge:$TAG # Build and push docker build -t consideratio/discourse-sso-oidc-bridge:$TAG -t consideratio/discourse-sso-oidc-bridge:latest . docker push consideratio/discourse-sso-oidc-bridge:$TAG
Deployment notes
I have deployed this using a simpler not published Helm chart. I'm happy to open source this as well for a complete solution. But to avoid overworking something that few has interest for it in I'd appreciate if you showed interest in this by emailing me or opening an issue or similar.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
File details
Details for the file discourse-sso-oidc-bridge-consideratio-0.2.0.tar.gz
.
File metadata
- Download URL: discourse-sso-oidc-bridge-consideratio-0.2.0.tar.gz
- Upload date:
- Size: 116.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.1.1 pkginfo/1.5.0.1 requests/2.22.0 setuptools/40.8.0 requests-toolbelt/0.9.1 tqdm/4.40.0 CPython/3.6.7
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | 7018549d84411e5d6eb1740a56095aed741e6b88dd8b33e2f9cc4578626df72e |
|
MD5 | 2b9ec4aef9fed3b48b6bf3959f372111 |
|
BLAKE2b-256 | bdfb1f8495a9918007c5e7258316bdf5ad1d20360865ca0983f559e11093a511 |
File details
Details for the file discourse_sso_oidc_bridge_consideratio-0.2.0-py3-none-any.whl
.
File metadata
- Download URL: discourse_sso_oidc_bridge_consideratio-0.2.0-py3-none-any.whl
- Upload date:
- Size: 21.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.1.1 pkginfo/1.5.0.1 requests/2.22.0 setuptools/40.8.0 requests-toolbelt/0.9.1 tqdm/4.40.0 CPython/3.6.7
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | eca61e3442800f15d380037729a5e52d4443005f4ce7089f3e2eefd155a7957d |
|
MD5 | 2f1eb8ecdac763c31e93ea506be5cc9d |
|
BLAKE2b-256 | 64106a10cf9f5ccdb0ff9c2b1f6d8f9b588e00f4f03174fcf80a7a34fb488fdd |