How-tos

Securing your Python app with OpenID Connect (OIDC)

Share this post:

Some weeks back I introduced to a tutorial on how to analyse GitHub traffic. The tutorial combines serverless technology and Cloud Foundry to automatically retrieve statistics and store them in Db2. The data can then be accessed and analyzed using a Python Flask app. Today, I am going to show you how the web site is protected using OpenID Connect and IBM Cloud App ID.

Overview

For the GitHub Traffic Analytics app, the statistics are fetched automatically and stored in Db2. Users access the data via a Python app based on the Flask microframework. Visualization is based on Cognos Dashboard Embedded. User management (authentication and authorization) is realized through the following combination:

Architecture – Traffic Analytics

  • IBM Cloud App ID provides the authentication service. It provides a wrap around identity providers, ranging from social logins (Facebook, Goggle) over Cloud Directory to SAML-based enterprise user directories.
  • The module Flask-pyoidc is an OpenID Connect (OIDC) client for Python and the Flask framework. It interacts with App ID for the authentication.
  • User roles and provileges are stored in Db2 Warehouse on Cloud along the statistics. The user information provided in the authentication token determines the accessible data sets and related privileges.

Configure OpenID Connect client

Assuming the Python app is deployed on Cloud Foundry, the credentials for the App ID service can be obtained the following way:


if 'VCAP_SERVICES' in os.environ:
vcapEnv=json.loads(os.environ['VCAP_SERVICES'])

# Obtain configuration for
appIDInfo = vcapEnv['AppID'][0]['credentials']

The metadata in “appIDInfo” serves as input for the configuration of the OIDC client:


<pre># Configure access to App ID service for the OpenID Connect client
provider_config={
"issuer": "appid-oauth.ng.bluemix.net",
"authorization_endpoint": appIDInfo['oauthServerUrl']+"/authorization",
"token_endpoint": appIDInfo['oauthServerUrl']+"/token",
"userinfo_endpoint": appIDInfo['profilesUrl']+"/api/v1/attributes",
"jwks_uri": appIDInfo['oauthServerUrl']+"/publickeys"
}
client_info={
"client_id": appIDInfo['clientId'],
"client_secret": appIDInfo['secret']
}</pre>

With the configuration in place the OIDC client is initialized:


<pre># Initialize OpenID Connect client
auth = OIDCAuthentication(app, provider_configuration_info=provider_config, client_registration_info=client_info,userinfo_endpoint_method=None)</pre>

Protect web routes

After the configuration, the OpenID Client can be used to protect individual pages or sections (“routes”) of the web app. This is done by attaching an additional decorator to the route definition:


<pre># Show a user profile
@app.route('/user/profile')
@auth.oidc_auth
def profile():
return render_template('profile.html',id=flask.session['id_token'], role=flask.session['userrole'])</pre>

The code “@auth.oidc_auth” is the decorator. It makes sure that the code is only executed for authenticated users. In the code snippet above you see that information from an “id_token” and a “userrole” are passed for processing. I will discuss the role-based privileges and the user managed realized with Db2 in a follow-up blog post.

Conclusions

Using IBM Cloud App ID together with an OpenID Connect client, it is fairly simple to protect routes (web pages) in a Python Flask app. The two combined allow to use social identity providers such as Facebook and Google, the Cloud Directory provided by App ID, or even enterprise user directories based on the SAML protocol.

For details read the full tutorial and deploy the code provided in this GitHub repository.

If you have feedback, suggestions, or questions about this post, please reach out to me on Twitter (@data_henrik) or LinkedIn.

Technical Offering Manager / Developer Advocate

More How-tos stories
May 6, 2019

Use IBM Cloud Certificate Manager to Obtain Let’s Encrypt TLS Certificates for Your Public Domains

IBM Cloud Certificate Manager now lets you obtain TLS certificates signed by Let’s Encrypt. Let’s Encrypt is an automated, ACME-protocol-based CA that issues free certificates valid for 90 days.

Continue reading

May 2, 2019

Seamless Integration: Istio and External Services

By defining our own MCP server, we allow users to move to the Istio service mesh without any code and deployment model changes. This means we can easily use Istio to control, observe, connect, and secure services running outside Kubernetes clusters.

Continue reading

April 26, 2019

Help Shape the Future of Cloud Foundry

Are you a Cloud Foundry user? If so, here's your opportunity to influence the future of Cloud Foundry with the 2019 user survey.

Continue reading