Form login example

[giicoo]

There is a post-request that processes the authorization form and redirects to the main page

@post('/sing')
async def login(self, requst: Request):
        data = await requst.form()
        #check passwod ...
        return self.redirect('/')

Inherited from APIController

@get('/')
async def index(self, request: Request, user: Optional[Identity]):
        auth_user = None
        if user:
            auth_user = user
        return self.view('forums', {'user': auth_user})

I connect authorization as per the documentation in the application configuration

class ExampleAuthHandler(AuthenticationHandler):
    def __init__(self):
        pass

    async def authenticate(self, context: Request) -> Optional[Identity]:
        header_value = context.get_first_header(b"Authorization")

        if header_value:
           
            context.identity = Identity({"name": "Jan Kowalski"}, "MOCK")
        else:
            context.identity = None
        return context.identity


def configure_authentication(app):
    app.use_authentication().add(ExampleAuthHandler())

I do not understand how to tune authorization correctly or how to send new headers with redirect
Maybe there is some project where i can find an example of the same functionality?

[RobertoPrevato]

Hi @Inott-git
There are several ways to implement a strategy to authenticate users. Implementing a full authentication and authorization strategy by yourself can be a good exercise to learn, but also challenging.

First I try to answer to your questions, then later I give you a recommendation.

One option could be:

1. inside your login request handler, you set a cookie, protected using something like itsdangerous - you can see an example here
2. your Authentication Handler tries to read and validates, if present, the value of the same Cookie. Its content must give you information about the user who is signed in. BlackSheep includes out of the box a CookieAuthenticationHandler class - see it here.
3. you configure authorization in BlackSheep - the simplest example is requiring an authenticated user. BlackSheep supports defining different rules for different endpoints. This is described here in the documentation. You can see an example in the Torino demo project, here.

⚠️ you need to consider Cross Site Request Forgery and Anti-Forgery measures when you use Cookie based authentication. BlackSheep has built-in features to handle anti-forgery tokens.

---

An alternative option could be:

1. inside your login request handler, after you validate the user, you create a JSON Web Token (JWT) holding information about the user (you can read about creating JWTs in Python in a blog post I wrote some time ago), and return it to the client.
2. Your client code stores the access token, for example in the local storage, and sends it to the server in request headers: Authorization: Bearer ***access_token***
3. you use JWT Bearer tokens to authenticate the user (this reads and validates the JWTs received from the client). BlackSheep includes out of the box an authentication handler that can read and validate JWT Bearer tokens, see it here
4. you use authorization in the same way as described above (authorization in BlackSheep is abstracted and not concerned with how users are authenticated.

---

This being said, my best recommendation is to consider adopting an Identity Provider that adheres to OAuth / OpenID Connect standards: this way you get a whole set of useful features and you don´t need to worry about coding or maintaining them by yourself. Example: handling of access tokens, multi-factor authentication, password reset flows, sign-in pages, sign-up, etc. BlackSheep supports OpenID Connect out of the box - for example to configure user sign-in using an application from Auth0 is as simple as:

from blacksheep import Application
from blacksheep.server.authentication.oidc import (
    OpenIDSettings,
    use_openid_connect,
    CookiesTokensStore,
)

app = Application()


# basic Auth0 integration that handles only an id_token
use_openid_connect(
    app,
    OpenIDSettings(
        authority="https://YOUR_AUTH0_ACCOUNT.eu.auth0.com",
        client_id="YOUR_APP_ID",
        callback_path="/signin-oidc",
    ),
    tokens_store=CookiesTokensStore(),
)

A full example in this case could be:

from textwrap import dedent

import jwt
import uvicorn
from blacksheep.messages import Request
from blacksheep.server.application import Application
from blacksheep.server.authentication.oidc import (
    CookiesTokensStore,
    OpenIDSettings,
    use_openid_connect,
)
from blacksheep.server.authorization import allow_anonymous
from blacksheep.server.responses import html
from essentials.json import dumps
from guardpost.authentication import Identity


def _render_access_token(user: Identity) -> str:
    if not user.access_token:
        return ""

    # parse without validating the access token
    # (the id_token was validated upon sign-in!)
    claims = jwt.decode(user.access_token, options={"verify_signature": False})

    return dedent(
        f"""
        <h3>You also have an access token for an API</h3>
        <p>These are the claims, from your <strong>access_token</strong>:</p>
        <pre>{dumps(claims, indent=4)}</pre>
        """
    )


def register_routes(app: Application) -> None:
    @allow_anonymous()
    @app.route("/sign-in-error")
    async def error_handler(request: Request, error: str):
        if error == "access_denied":
            # the user declined consents to the app
            return html("<h1>OK, but you won't be able to use our wonderful app.</h1>")
        return html(f"<h1>Oh, no! {error}</h1>")

    @app.route("/")
    async def home(user: Identity):
        if user.is_authenticated():
            id_claims = dumps(user.claims, indent=4)

            return html(
                dedent(
                    f"""
                    <!DOCTYPE html>
                    <html>
                    <head>
                    <style>
                    pre {{
                        border: 1px dotted darkred;
                        padding: 1rem;
                    }}
                    </style>
                    </head>
                    <body>
                        <h1>Welcome!</h1>
                        <p>These are your claims, from your <strong>id_token</strong>:</p>
                        <pre>{id_claims}</pre>
                        {_render_access_token(user)}
                    </body>
                    </html>
                """
                )
            )

        return html(
            dedent(
                f"""
                <!DOCTYPE html>
                <html>
                <head>
                </head>
                <body>
                    <h1>You are not authenticated!</h1>
                    <a href='/sign-in'>Sign in here.</a><br/>
                </body>
                </html>
            """
            )
        )


app = Application(show_error_details=True)


use_openid_connect(
    app,
    OpenIDSettings(
        authority="https://YOUR_AUTH0_ACCOUNT.eu.auth0.com",
        client_id="YOUR_APP_ID",
        callback_path="/signin-oidc",
    ),
    tokens_store=CookiesTokensStore(),
)

register_routes(app)


if __name__ == "__main__":
    uvicorn.run(app, host="127.0.0.1", port=5000, log_level="debug")

Then you would get a sign-in page from Auth0, like this one:

[giicoo]

Thanks a lot for your reply, blacksheep is a great project, keep developing it, it's really cool

[RobertoPrevato]

Thank You for your kind words! Sure, I am working on new features, also dedicating a good deal of time thinking about to do certain things. If you decide to try OAuth / OIDC, I can share some full working examples also for Azure Active Directory and Okta, in addition to Auth0. I mean with proper settings and working integrations :)

[giicoo]

Yes, if you can, then share, I will be grateful

[RobertoPrevato]

I wrote some documentation and published examples for OIDC integrations here https://github.com/Neoteroi/BlackSheep-Examples/tree/main/oidc.
I hope you find these useful.

[giicoo]

Thanks you