I'm trying to get my Pyramid application to use a Keycloak authentication server. Keycloak supports OAuth2 with OpenID Connect. I don't need authorization: just authenticating the user and retrieving their roles and metadata, and maybe the refresh feature. I've looked through several OAuth2, OpenID, and OpenID Connect libraries and there seem to be a range of issues with all of them. So which one is most supported and people here are using, which class should I use, and how do I plug in my client ID, auth server URL, and secret? Some of them use strange terminology and I'm not sure if I have what they need under a different name.
pyramid_oauth2_client, oauth2demo, and yasso (a Python OAuth2 provider) -- The easiest to understand, but it hasn't been updated since 2012. I had to make it compatible with Python 3 and Pyramid 1.9.2. I got the demo to sometimes log in to yasso, but when it came back to the site it got an invalid state error (akin to a CSRF token mismatch) -- it predates Pyramid's CSRF token support too.

pyramid_oauthlib, oauthlib, and requests-oauthlib -- This looks the best supported and most actively developed, but I can't tell which parts I need as a client; much of it is for building an OAuth2 server. The OAuth2 terminology is new to me, so that makes it harder. 'requests-oauthlib' is a wrapper for the 'requests' library to send OAuth2 requests; I can't tell from the example whether I can use it for authentication and, if so, how.

authomatic -- This is easier to understand than oauthlib and recently updated (2017), but I'm not sure how to configure my provider. The built-in classes are for Facebook et al. For other providers it steers you to the OpenID class. I may be able to use the base class or make a subclass like the provided Yahoo and Google ones, but its arguments don't match my server parameters, so I'm not sure how to configure it. It delegates to the 'openid' package, which is discussed below.

openid -- There are several openid packages on PyPI: python-openid 2.25 (2010 [last download file]), python-openid2 (2018), python-openid3 (2013), python3-openid (2017). All of these have similarly-worded descriptions, as if they're by the same team. 'python-openid2' has the most detailed description and is recent (2018), but authomatic says it depends on 'openid', which I assume is 'python-openid'. Still, the authomatic doc may be old and 'python-openid2' may be compatible, but is it?

Now, can I just use OpenID or OpenID Connect and forget about the OAuth2 packages, since I don't need authorization?
Going back to 'python-openid2', it says it's easy to use as a consumer, but the example has its own BaseHTTPServer and strange method names, and how would I use it from Pyramid?

For OpenID Connect, the Keycloak docs suggest 'oic' (2019). Ah, recent. But the docs say, "Unfortunately, the documentation has been largely left unmaintained and there are various issues.... the current examples included in this repository are unmaintained and there are many issues." Great, recent code but out-of-date examples. And again hard to figure out how to use.

Other OpenID Connect packages on PyPI are 'openid-connect' (2019): "This is a low-level Python library for authentication against OpenID Providers (e.g. Google). For high-level libraries see the Aiakos project." Aiakos is a "Passwordless authentication gateway." And 'oidc' (2014). I think 'oidc' was suggested in one of the previous ones. There's also a repoze.who plugin and something about Venusian, but those sound old.

So what are people using now, and is there an example of configuring it for a non-Big-Name provider or specifically Keycloak?

-- 
Mike Orr <[email protected]>
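The parts of the OpenID Connect authorization-code flow the question touches (where the client ID, server URL and secret plug in, and the state check whose failure showed up as the "invalid state error") can be shown without any of the libraries listed. The following is an added, stdlib-only example, not code from the post or from any of those packages; the Keycloak realm URL, client ID and redirect URI are placeholders, and the endpoint layout under the realm is assumed from Keycloak's conventions.

```python
"""OIDC authorization-code client helpers (stdlib only, framework-agnostic).

Constructed example; the realm URL, client ID and redirect URI are
placeholders.  The ``session`` argument stands in for a server-side session
such as Pyramid's request.session.
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed Keycloak layout: <server>/realms/<realm>/protocol/openid-connect/...
KEYCLOAK_REALM = "https://keycloak.example.invalid/realms/demo"   # placeholder
CLIENT_ID = "pyramid-app"                                          # placeholder
REDIRECT_URI = "https://app.example.invalid/oidc/callback"         # placeholder


def build_login_redirect(session: dict) -> str:
    """Store a fresh state and nonce in the session; return the URL to send
    the browser to.  'openid' in scope is what makes this OIDC, not bare OAuth2."""
    state = secrets.token_urlsafe(32)   # ties the callback to this session
    nonce = secrets.token_urlsafe(32)   # later compared with the id_token nonce
    session["oidc_state"] = state
    session["oidc_nonce"] = nonce
    params = {
        "response_type": "code",        # authorization-code flow
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid profile email",
        "state": state,
        "nonce": nonce,
    }
    return f"{KEYCLOAK_REALM}/protocol/openid-connect/auth?{urlencode(params)}"


def extract_code(session: dict, callback_url: str) -> str:
    """Validate the callback.  The state must equal the one issued to this
    session (the check the demo in the post saw failing); it is single-use."""
    query = parse_qs(urlsplit(callback_url).query)
    expected = session.pop("oidc_state", None)
    received = query.get("state", [""])[0]
    if expected is None or not hmac.compare_digest(expected, received):
        raise ValueError("state mismatch: lost session or cross-site request")
    if "error" in query:
        raise ValueError(f"provider returned error: {query['error'][0]}")
    return query["code"][0]


def token_request_body(code: str, client_secret: str) -> dict:
    """Form fields to POST to <realm>/protocol/openid-connect/token; this is
    the only place the client secret is used (server side, never in a URL)."""
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
            "client_secret": client_secret}
```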
