[web2py] QuicknDirty How-To for SSO between web2py and py4web with KeyCloak

2020-08-31 Thread Kevin Keller
In web2py put this in your db.py:

# Define oauth application id and secret.
Kcloak_CLIENT_ID = ''
Kcloak_CLIENT_SECRET = "X"

## import required modules
try:
    import json
except ImportError:
    from gluon.contrib import simplejson as json
from gluon.contrib.login_methods.oauth20_account import OAuthAccount

## extend the OAuthAccount class
class KCloakAccount(OAuthAccount):
    """OAuth impl for KeyCloak"""

    AUTH_URL = "http(s)://KEYCLOAKIPANDPORT/auth/realms/master/protocol/openid-connect/auth"
    TOKEN_URL = "http(s)://KEYCLOAKIPANDPORT/auth/realms/master/protocol/openid-connect/token"

    def __init__(self):
        OAuthAccount.__init__(self, None, Kcloak_CLIENT_ID,
                              Kcloak_CLIENT_SECRET,
                              self.AUTH_URL, self.TOKEN_URL,
                              scope='openid profile email',
                              state="klcoak",
                              display='popup')

    def get_user(self):
        if not self.accessToken():
            return None
        #global token
        token = self.accessToken()
        print(token)  # debug output: prints the access token to stdout
        #from okta_jwt.jwt import validate_token
        issuer = "http(s)://KEYCLOAKIPANDPORT/auth/realms/master"
        audience = "http(s)://YOURWEB2PYPAGEURL"
        import jwt
        # verify=False decodes the claims without checking the signature;
        # issuer and audience above are defined but not checked here.
        profile = jwt.decode(token, verify=False)
        if profile['sub']:
            username = profile['email']
            email = profile['email']
            first_name = profile['given_name']
            last_name = profile['family_name']
            return dict(username=username,
                        first_name=first_name, last_name=last_name,
                        email='%s' % (email))
        else:
            self.session.token = None

and put this in your

gluon/contrib/login_methods/oauth20_account.py

replace whatever you have under the logout function with:

del current.session.token
del current.session.auth
current.session.token = None
current.session.auth = None

redirect('http(s)://KEYCLOAKIPPORT/auth/realms/master/protocol/openid-connect/logout?redirect_uri=*ENCODEDURLTOREDIRECTAFTERLOGOUT*')


End Web2py part.


For py4web:

Create oauth2keycloak.py file in py4web/utils/auth_plugins/ and put in this:


from . import OAuth2


class OAuth2Keycloak(OAuth2):
    name = "oauth2keycloak"
    login_url = "http(s)://KEYCLOAKIPPORT/auth/realms/master/protocol/openid-connect/auth"
    token_url = "http(s)://KEYCLOAKIPPORT/auth/realms/master/protocol/openid-connect/token"
    userinfo_url = "http(s)://KEYCLOAKIPPORT/auth/realms/master/protocol/openid-connect/userinfo"
    revoke_url = "http(s)://KEYCLOAKIPPORT/auth/realms/master/protocol/openid-connect/logout"
    default_scope = "openid profile"
    maps = {
        "username": "email",
        "email": "email",
        "sso_id": "email",
        "first_name": "given_name",
        "last_name": "family_name",
    }


In your app (probably based on scaffold) go to your
static/components/auth.html and add a button for KeyCloak:

Login with
KeyCloak

Also in your scaffolded app add the plugin to the auth.html file under
templates:


  


Finally for single logout add this line to your logout function in
py4web/utils/auth.py

elif path == "logout":
    self.session.clear()
    redirect('http(s)://KEYCLOAKIPPORT/auth/realms/master/protocol/openid-connect/logout?redirect_uri=*ENCODEDREDIRECTURIAFTERLOGOUT*')

Of course you need to install keycloak and create 2 openid clients with
secrets.

That's it in a nutshell.

-- 
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
--- 
You received this message because you are subscribed to the Google Groups 
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to web2py+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/web2py/CADHCKLRPF27RunUJmWJWauFPMZses%2BHb3Vvsk%2Bap8Ktw0xYMrQ%40mail.gmail.com.
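
What `jwt.decode(token, verify=False)` in get_user skips, as an added example that is not part of the original post: a standard-library check of an RS256 token's signature, `iss`, `aud` and `exp`, using the kind of issuer and audience values the post defines but never checks. The function names, the demo key and the sample claims are constructed for illustration; in an application a maintained JWT library performs these same checks against the identity provider's signing key.

```python
import base64, hashlib, hmac, json, time

# DigestInfo prefix for SHA-256 in EMSA-PKCS1-v1_5 (RFC 8017, section 9.2).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def emsa(message, k):
    """Expected k-byte RS256 (PKCS#1 v1.5, SHA-256) encoding of message."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def verify_token(token, n, e, issuer, audience, now=None):
    """Return the claims only if alg, signature, iss, aud and exp all pass."""
    try:
        h64, p64, s64 = token.split(".")
        header, claims = json.loads(b64d(h64)), json.loads(b64d(p64))
        sig = b64d(s64)
    except ValueError:
        raise ValueError("malformed token")
    if not isinstance(header, dict) or header.get("alg") != "RS256":
        raise ValueError("unexpected alg")  # e.g. "none" or an HMAC alg
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(sig, "big")
    if len(sig) != k or s >= n:
        raise ValueError("bad signature")
    recovered = pow(s, e, n).to_bytes(k, "big")
    if not hmac.compare_digest(recovered, emsa(f"{h64}.{p64}".encode(), k)):
        raise ValueError("bad signature")
    if not isinstance(claims, dict) or claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")  # a string or a list of strings
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        raise ValueError("expired")
    return claims

# Constructed demo key (two Mersenne primes, trivially factorable; offline demo only).
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))

def sign_demo(claims, alg="RS256"):
    """Stand-in for the identity provider, signing with the demo key."""
    head = b64e(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())
    k = (N.bit_length() + 7) // 8
    s = pow(int.from_bytes(emsa(f"{head}.{body}".encode(), k), "big"), D, N)
    return f"{head}.{body}." + b64e(s.to_bytes(k, "big"))
```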


Re: [web2py] Re: Administration disable communication is insecure

2020-08-31 Thread Kevin Keller
You can either comment out the https requirement in the web2py framework

https://sites.google.com/site/tabot99/home/web2py-disable-https-admin-access

You will also comment out the same lines of code in the appadmin
application.

or

set up web2py and nginx with letsencrypt certificates on your linux server.

Here is the last email that I wrote how to do it with ubuntu 20.04:


Kevin Keller
Thu, Aug 20, 15:45 (11 days ago)
to web2py-users
Hey everyone,

I struggled last night to set up web2py on my VPS Linux server which uses
ubuntu 20.04.

I had to update the script with multiple edits.

Most of them around new pip syntax, updated requirements of nginx for
self-signed certs and updated package names.

I will create a pull request on github soon, but meanwhile, feel free to
get it from here:

https://drive.google.com/drive/folders/1gxP9nSvv_wUxQcxLfOrGnrb30Jtf46I2?usp=sharing

And while we are at it of course I ran into troubles with the self-signed
cert, so I used one from letsencrypt, but I found letsencrypt a major pain
to use so this website helped me:

https://punchsalad.com/ssl-certificate-generator/

While I have seen plenty of scripts on github to get web2py play nice with
serving the static challenger file in .well-known/acme-challenge, I found
that too much fiddling for now so
I just opted for using the DNS check:

If you use godaddy here are some tips:

When you add a DNS verify TXT record for letsencrypt drop the domain from
the TXT record displayed so it says:

_acme-challenge

instead of

_acme-challenge.yourdomain.com

because godaddy adds "yourdomain.com" automatically.

Also do not use the function to "route to another IP with masking" in
Godaddy if you want a working web2py, nginx, letsencrypt ssl hosting to
work, as it introduces another bounce in between.

You can download the key and cert bundle and then just replace the
web2py.cert and web2py.key files with the ones from letsencrypt and restart
nginx.

Instead deactivate any re-routing offered by godaddy and just remove the
current
A @ someip entry

and add

A @ yourserverip

instead.

Now the routing to your Linux host will work.

Last tip that I find useful:

Oracle gives you 2 Linux VPS servers for free forever and 2 hosted Oracle
databases free forever:

https://www.oracle.com/cloud/free/

I am using it and I am pleased so far.
Another tip:

Enable at least 4GB swap right away.
It does not have swap per default and only 1GB ram. So usually that leads
to problems without swap.
I also put swappiness = 10.

I had some struggles with IPtables and the Oracle firewall at the
beginning, but if you have troubles opening ports just let me know.

For example for opening port 443 you have to first enable an ingress rule
in Oracle Cloud to let the TCP traffic hit your VM and then within your
ubuntu VM you also need to open the port like so:

sudo iptables -I INPUT 2 -p tcp --dport 443 -j ACCEPT

So your HTTPS traffic comes through.


On Mon, Aug 31, 2020 at 17:23, Jim S wrote:

> I believe it means that you're running http vs https and your client is
> not running on the server (on a development machine for instance)
>
> To run Administration from a client other than the server host, you must
> use secure https protocol.
>
> Can someone please jump in if what I'm saying isn't correct?
>
> -Jim
>
> On Monday, August 31, 2020 at 10:13:06 AM UTC-5, Andrea Fae' wrote:
>>
>> Often when I try to modify a record through application it happens this
>> error:
>>
>> "amministrazione disabilitata: comunicazione non sicura"
>>
>> in english
>>
>> administration disabled: communication is insecure
>>
>> What does it mean? What do I have to do?
>> thank you
>>



[web2py] Re: Administration disable communication is insecure

2020-08-31 Thread Jim S
I believe it means that you're running http vs https and your client is 
not running on the server (on a development machine for instance)

To run Administration from a client other than the server host, you must 
use secure https protocol.

Can someone please jump in if what I'm saying isn't correct?

-Jim

On Monday, August 31, 2020 at 10:13:06 AM UTC-5, Andrea Fae' wrote:
>
> Often when I try to modify a record through application it happens this 
> error:
>
> "amministrazione disabilitata: comunicazione non sicura"
>
> in english
>
> administration disabled: communication is insecure
>
> What does it mean? What do I have to do?
> thank you
>



[web2py] Administration disable communication is insecure

2020-08-31 Thread Andrea Fae'
Often when I try to modify a record through application it happens this 
error:

"amministrazione disabilitata: comunicazione non sicura"

in english

administration disabled: communication is insecure

What does it mean? What do I have to do?
thank you



[web2py] Re: login validation

2020-08-31 Thread Paco Bernal
Hi,
I don't know about an "is_active" field in auth_user table, only regarding 
Record 
versioning, but I don't use it.
Regards

On Monday, August 31, 2020 at 13:05:35 UTC+2, and...@gmail.com wrote:

> I noted in the manual. But for your opinion what is the meaning about 
> is_active in auth_user?
> Why is it useful?
> Thank you
>
>
> On Monday, August 31, 2020 at 08:46:15 UTC+2, Paco Bernal wrote:
>>
>> I meant registration_key :)
>>
>> http://web2py.com/books/default/chapter/29/09/access-control?search=blocked#Access-Control
>>
>> On Monday, August 31, 2020 at 0:08:32 UTC+2, Paco Bernal wrote:
>>
>>> Hi
>>> If you set at anytime key_registration='blocked' in auth_user table that 
>>> user will not be able to log in. 
>>> That's the way I would do it
>>> Regards
>>>
>>> On Sunday, August 30, 2020 at 14:11:08 UTC+2, and...@gmail.com wrote:
>>>
>>>> Hello, maybe it's easy but I don't know exactly if it's possible.
>>>> I want that a user can login ONLY if its record has is_valid=True. I 
>>>> don't want he logins if is_valid=False in the auth_user table...
>>>> Is it possible? In which way? thank you
>>>>
>>>



[web2py] Re: login validation

2020-08-31 Thread Andrea Fae'
I noted in the manual. But for your opinion what is the meaning about 
is_active in auth_user?
Why is it useful?
Thank you

On Monday, August 31, 2020 at 08:46:15 UTC+2, Paco Bernal wrote:
>
> I meant registration_key :)
>
> http://web2py.com/books/default/chapter/29/09/access-control?search=blocked#Access-Control
>
> On Monday, August 31, 2020 at 0:08:32 UTC+2, Paco Bernal wrote:
>
>> Hi
>> If you set at anytime key_registration='blocked' in auth_user table that 
>> user will not be able to log in. 
>> That's the way I would do it
>> Regards
>>
>> On Sunday, August 30, 2020 at 14:11:08 UTC+2, and...@gmail.com wrote:
>>
>>> Hello, maybe it's easy but I don't know exactly if it's possible.
>>> I want that a user can login ONLY if its record has is_valid=True. I 
>>> don't want he logins if is_valid=False in the auth_user table...
>>> Is it possible? In which way? thank you
>>>
>>



[web2py] Re: About putting values into database

2020-08-31 Thread Andrea Fae'
thank you for your suggestions. I will try, and eventually. I will inform.
thanks

On Saturday, August 29, 2020 at 10:55:42 UTC+2, Dave S wrote:
>
>
>
> On Friday, August 21, 2020 at 7:33:54 AM UTC-7, Andrea Fae' wrote:
>  
>
>> [...]
>> What is wrong? How to correct?
>> Thank  you
>>
>
>  I don't know.  I don't use crud(), which seems to never have been more 
> than experimental and has been deprecated for several years.  I use FORM() 
> and SQLFORM().  I'm not sure there are many here with crud() experience, so 
> I'm not sure who to tell you to turn to.
>
> I take it the line illustrating the wrong results is from appadmin.  Can 
> you fill out a new entry using appadmin's "New" button?  Does that get the 
> created_on and created_by fields correct?  When you display your form, does 
> it show the correct defaults in each field?
>
> /dps
>
>



Re: [web2py] Re: fake_migrate=True is not working

2020-08-31 Thread Andrea Fae'
Now I understand. thank you so much

On Friday, August 28, 2020 at 12:08:25 UTC+2, Jose C wrote:
>
> thank you Jim, but I don't understand...
>>
>> If I set 
>> migrate=False
>> fake_migrate= True
>>
>> it means that web2py creates the .table files without touching the db, 
>> isn't it?
>>
>> If I set
>> migrate=True
>> fake_migrate=True
>>
>> It means what exactly?
>>
>
> migrate=True tells web2py to do the table migration procedure (i.e. make 
> any changes to your db based on your models and update the .table control 
> files) .   
> fake_migrate=True tells web2py to *not* actually create/modify the tables 
> in the db itself but to just create the .table files (without any db action 
> at all).
>
> If migrate=False then web2py does nothing, regardless of the fake_migrate 
> setting.
>
> For more info, see: 
> http://web2py.com/books/default/chapter/29/06/the-database-abstraction-layer?search=fake_migrate#table_migrations
>
> HTH,
>
>>  
>>
>



[web2py] Re: login validation

2020-08-31 Thread Paco Bernal
I meant registration_key :)
http://web2py.com/books/default/chapter/29/09/access-control?search=blocked#Access-Control

On Monday, August 31, 2020 at 0:08:32 UTC+2, Paco Bernal wrote:

> Hi
> If you set at anytime key_registration='blocked' in auth_user table that 
> user will not be able to log in. 
> That's the way I would do it
> Regards
>
> On Sunday, August 30, 2020 at 14:11:08 UTC+2, and...@gmail.com wrote:
>
>> Hello, maybe it's easy but I don't know exactly if it's possible.
>> I want that a user can login ONLY if its record has is_valid=True. I 
>> don't want he logins if is_valid=False in the auth_user table...
>> Is it possible? In which way? thank you
>>
>
