Simply put, I am developing an app using Flask. For this app I am trying to implement Single Sign-On, so a user never needs to enter credentials, e.g. username and password.
The authentication and authorization in this case will go through Kerberos together with LDAPS. The Kerberos part is not done yet; however, Kerberos is intended to get, via a middleware, the "username" currently logged into the system (Windows) when an app's link is requested. Afterwards this variable, i.e. "username", will be processed with LDAPS to check whether the user belongs to Active Directory or not. If yes, provide access and permission to the website; if no, forbid.
However, since my user won't type anything, I do not understand whether I need to use either the Flask Form (flask-wtf) or the Flask Login (flask-login, e.g. UserMixin), or how I should provide access to my user.
I was able to set up the FlaskLDAP3Login in 'config.py' and then run the '__init__.py':

    from flask import Flask
    from config import Config
    from flask_login import LoginManager
    from flask_ldap3_login import LDAP3LoginManager

    app = Flask(__name__)
    app.config.from_object(Config)

    login_manager = LoginManager(app)  # Setup a Flask-Login Manager
    ldap_manager = LDAP3LoginManager(app)  # Setup a LDAP3 Login Manager

    from app import routes

Then I got the following exception:

    Exception: Missing user_loader or request_loader. Refer to http://flask-login.readthedocs.io/#how-it-works for more info.

Then I found this answer, but using this decorator @login_manager.user_loader is probably not enough, is it?
My assumption is to create a decorator, similar to this one that will allow/forbid an access to a user:

    import getpass
    from functools import wraps

    from flask import Flask, request, make_response

    from app import ldap_manager  # the LDAP3LoginManager created in __init__.py


    def auth_required(f):
        @wraps(f)
        def decorated(*args, **kwargs):
            # getpass.getuser() returns the account running this process;
            # current_user will be later acquired via Kerberos
            current_user = getpass.getuser()
            # Look the user up in the directory; a falsy result means "not found"
            auth = ldap_manager.get_user_info_for_username(current_user)
            if auth:
                return f(*args, **kwargs)
            return make_response('Could not verify your login!', 401, {'WWW-Authenticate': 'Basic realm="You are not our user!"'})
        return decorated

Also, I cannot find a similar or even related thread e.g.
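
The flow described in the question, as an added example that is not part of the original post: a plain WSGI wrapper that takes the per-request identity from the authentication layer and checks it against the directory before the app runs. It assumes the Kerberos middleware exposes the authenticated principal as `REMOTE_USER`; `RemoteUserGate`, `account_name`, `probe`, the `sso.username` key and the in-memory `DIRECTORY` (standing in for a lookup such as `ldap_manager.get_user_info_for_username`) are hypothetical names.

```python
import re

# Accepts "alice", "alice@REALM" or "DOMAIN\alice"; the allowlist keeps LDAP filter characters out.
PRINCIPAL = re.compile(r"(?:[A-Za-z0-9.-]+\\)?([A-Za-z0-9._-]{1,64})(?:@[A-Za-z0-9.-]+)?")


def account_name(remote_user):
    """Return the bare account name from a principal, or None if missing or malformed."""
    match = PRINCIPAL.fullmatch(remote_user or "")
    return match.group(1) if match else None


class RemoteUserGate:
    """WSGI wrapper: pass a request on only if its authenticated user is in the directory."""
    def __init__(self, wsgi_app, directory_lookup):
        self.wsgi_app = wsgi_app
        # Assumption: directory_lookup(name) returns a user record or None.
        self.directory_lookup = directory_lookup

    def __call__(self, environ, start_response):
        # REMOTE_USER is set server-side by the authentication layer. Client headers
        # arrive as HTTP_* keys, so a forged "Remote-User" header is never read here.
        user = account_name(environ.get("REMOTE_USER"))
        if user is None:
            return self.deny(start_response, "401 Unauthorized")
        if not self.directory_lookup(user):
            return self.deny(start_response, "403 Forbidden")
        environ["sso.username"] = user  # hypothetical key for the wrapped app to read
        return self.wsgi_app(environ, start_response)

    @staticmethod
    def deny(start_response, status):
        start_response(status, [("Content-Type", "text/plain")])
        return [status.encode()]


def probe(gate, environ):  # drive the gate with a bare environ, return (status, body)
    seen = []
    body = b"".join(gate(environ, lambda status, headers: seen.append(status)))
    return seen[0], body


def demo_app(environ, start_response):
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello " + environ["sso.username"].encode()]


DIRECTORY = {"alice": {"cn": "Alice"}}  # constructed sample standing in for Active Directory
GATE = RemoteUserGate(demo_app, DIRECTORY.get)
```

With Flask the same wrapper would be attached as `app.wsgi_app = RemoteUserGate(app.wsgi_app, lookup)`, so every route is covered without a form or a login view.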