pythonauthenticationibm-cloudopenid-connectibm-appid

How to use Python OpenID Connect module with IBM Cloud App ID?


I signed up for IBM Cloud App ID to protect access to my cloud application. There is a sample that shows that the service can be used with Python. However, I want to use one of the (standard) OpenID Connect modules. How can I configure, e.g., Flask-pyoidc to work with App ID? It requires a couple of parameters and I am unsure how they relate to what App ID provides.

provider_config = {
    'issuer': 'https://op.example.com',
    'authorization_endpoint': 'https://op.example.com/authorize',
    'token_endpoint': 'https://op.example.com/token',
    'userinfo_endpoint': 'https://op.example.com/userinfo'
}
auth = OIDCAuthentication(provider_configuration_info=provider_config)

Solution

  • Here is how the provider_config can be configured.

    provider_config={
         "issuer": "appid-oauth.ng.bluemix.net",
         "authorization_endpoint": appIDInfo['oauthServerUrl']+"/authorization",
         "token_endpoint": appIDInfo['oauthServerUrl']+"/token",
         "userinfo_endpoint": appIDInfo['profilesUrl']+"/api/v1/attributes",
         "jwks_uri": appIDInfo['oauthServerUrl']+"/publickeys"
    }
    

    appIDInfo is either obtained from the Cloud Foundry environment on IBM Cloud or can be configured manually with a structure like the following:

    "AppID": {
         "clientId": "your App ID client Id",
         "managementUrl": "https://appid-management.ng.bluemix.net/management/v4/-----tenantID----",
         "oauthServerUrl": "https://appid-oauth.ng.bluemix.net/oauth/v3/-----tenantID----",
         "profilesUrl": "https://appid-profiles.ng.bluemix.net",
         "secret": "the App ID secret",
         "tenantId": "-----tenantID----",
         "version": 3
    }
    

    The clientId and secret would then be used to populate the client_info object required by Flask-pyoidc. I have sample code using Flask-pyoidc with App ID in a GitHub repository. It shows all the steps from the configuration to using the decorators to protect the app routes in Flask.