Auth

examples/config.py

+# Import as needed
+from onelogin.saml2.idp_metadata_parser import (
+    OneLogin_Saml2_IdPMetadataParser as IdPMetadataParser,
+)
+from deepmerge import always_merger
+from pathlib import Path
+
+
 SQLALCHEMY_DATABASE_URI = "postgresql+psycopg:///schilder2000"
 # To generate a secret key:
 #   % python -c 'import secrets; print(secrets.token_hex())'
@@ -11,3 +19,107 @@ PRINTERS = {
     "Office": "ipps://printserver.example.com:443/printers/Office",
     "Kitchen": "ipp://kitchenprinter.local:631/ipp/print",
 }
+
+REQUIRE_LOGIN = True
+
+
+# See upstream documentation for reference:
+# https://flask-multipass.readthedocs.io
+
+_ldap_config = {
+    "uri": "ldaps://dc.example.org:636",
+    "bind_dn": "CN=schilder2000,CN=Service Accounts,CN=Users,DC=example,DC=org",
+    "bind_password": "hunter2",
+    "timeout": 30,
+    "verify_cert": True,
+    # optional: if not present, uses certifi's CA bundle (if installed)
+    # "cert_file": "path/to/server/cert",
+    "starttls": False,
+    "page_size": 1000,
+    "uid": "sAMAccountName",
+    "user_base": "CN=Users,DC=example,DC=org",
+    "user_filter": "(objectCategory=person)",
+}
+
+_saml_config = always_merger.merge(
+    IdPMetadataParser.parse_remote(
+        "https://idp.example.org/realms/owca/protocol/saml/descriptor"
+    ),
+    {
+        "debug": False,
+        "sp": {
+            "entityId": "https://schilder2000.example.org/multipass/saml/fsmpi-saml/metadata",
+            "x509cert": (Path(__file__).parent / "saml-cert.pem").read_text(),
+            "privateKey": (Path(__file__).parent / "saml-key.pem").read_text(),
+            # We don’t use the name anyway
+            "NameIDFormat": "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
+        },
+        "security": {
+            # Keycloak wants this, even though it doesn’t say so
+            "logoutRequestSigned": True,
+        },
+    },
+)
+
+_oidc_config = {
+    "client_id": "schilder2000",
+    "client_secret": "hunter2",
+    "server_metadata_url": "https://idp.example.org/realms/owca/.well-known/openid-configuration",
+    "client_kwargs": {
+        "scope": "openid",
+    },
+}
+
+MULTIPASS_AUTH_PROVIDERS = {
+    "test_auth_provider": {
+        "type": "static",
+        "title": "Insecure dummy auth",
+        "identities": {
+            "gustav": "hunter2",
+        },
+    },
+    "fsmpi-ldap": {
+        "type": "ldap",
+        "title": "O.W.C.A. LDAP",
+        "ldap": _ldap_config,
+    },
+    "fsmpi-saml": {
+        "type": "saml",
+        "title": "O.W.C.A. SAML",
+        "saml_config": _saml_config,
+    },
+    "fsmpi-oidc": {
+        "type": "authlib",
+        "title": "O.W.C.A. OIDC",
+        "authlib_args": _oidc_config,
+    },
+}
+
+MULTIPASS_IDENTITY_PROVIDERS = {
+    "test_identity_provider": {
+        "type": "static",
+        "identities": {
+            "gustav": {},
+        },
+    },
+    "ldap": {
+        "type": "ldap",
+        "ldap": _ldap_config,
+    },
+    "saml": {
+        "type": "saml",
+    },
+    "oidc": {
+        "type": "authlib",
+        "title": "OIDC",
+    },
+}
+
+MULTIPASS_PROVIDER_MAP = {
+    "test_auth_provider": "test_identity_provider",
+    "ldap": "ldap",
+    "saml": "saml",
+    "oidc": "oidc",
+}
+
+MULTIPASS_IDENTITY_INFO_KEYS = []