CKAN OIDC authenticator with PKCE flow
Project description
ckanext-oidc-pkce
OpenID connect with PKCE flow implementation for CKAN.
Warning Developed for Okta and not tested with other providers. PRs or feature-requests are welcome
The plugin adds an extra route to CKAN allowing login through an external
application. This route available at /user/login/oidc-pkce(oid_pkce.login
endpoint). Original authentication system from CKAN is unchanged and it's up to
you(or another extension) to hide original login page if only SSO accounts are
allowed on the portal.
Requirements
Compatibility with core CKAN versions:
| CKAN version | Compatible? |
|---|---|
| 2.9 | yes |
| 2.10 | not yet |
Installation
-
Install the package
pip install ckanext-oidc-pkce
-
Add
oidc_pkceto theckan.pluginssetting in your CKAN config file -
Add SSO settings(refer config settings section for details)
Config settings
# URL of SSO application
ckanext.oidc_pkce.base_url = https://12345.example.okta.com
# ClientID of SSO application
ckanext.oidc_pkce.client_id = clientid
# Path to the authorization endpont inside SSO application
# (optional, default: /oauth2/default/v1/authorize)
ckanext.oidc_pkce.auth_path = /auth
# Path to the token endpont inside SSO application
# (optional, default: /oauth2/default/v1/token)
ckanext.oidc_pkce.token_path = /token
# Path to the userinfo endpont inside SSO application
# (optional, default: /oauth2/default/v1/userinfo)
ckanext.oidc_pkce.userinfo_path = /userinfo
# Path to the authentication response handler inside CKAN application
# (optional, default: /user/login/oidc-pkce/callback)
ckanext.oidc_pkce.redirect_path = /local/oidc/handler
# URL to redirect user in case of failed login attempt. When empty(default)
# redirects to `came_from` URL parameter if availabe or to CKAN login page
# otherwise.
# (optional, default: )
ckanext.oidc_pkce.error_redirect = /user/register
# Scope of the authorization token. The plugin expects at least `sub`,
# `email` and `name` attributes.
# (optional, default: openid email profile)
ckanext.oidc_pkce.scope = email
# For newly created CKAN users use the same ID as one from SSO application
# (optional, default: false)
ckanext.oidc_pkce.use_same_id = true
# When connecting to an existing(non-sso) account, override user's password
# so that it becomes impossible to login using CKAN authentication system.
# Enable this flag if you want to force SSO-logins for all users that once
# used SSO-login.
# (optional, default: false)
ckanext.oidc_pkce.munge_password = true
License
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
File details
Details for the file ckanext-oidc-pkce-0.2.0.tar.gz.
File metadata
- Download URL: ckanext-oidc-pkce-0.2.0.tar.gz
- Upload date:
- Size: 22.5 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/4.0.2 CPython/3.9.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 8594965647e496e1e4d54a0dd17d7ddffca29230ac6d67a491abcb738b0fa847 |
|
| MD5 | 638c36b951711b08370a0167783aa2d3 |
|
| BLAKE2b-256 | 5d934596c27bed7a0309f12be049f4587bb2b9941478d483dc3d4724fe148c59 |
File details
Details for the file ckanext_oidc_pkce-0.2.0-py3-none-any.whl.
File metadata
- Download URL: ckanext_oidc_pkce-0.2.0-py3-none-any.whl
- Upload date:
- Size: 23.0 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/4.0.2 CPython/3.9.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 6af37dd1ec7bb1b0308fc04cecd0f962ca97eec69153f604cacd7df17a170dfa |
|
| MD5 | fb0ae8b3af242d3a4d01aec2ae5d9a12 |
|
| BLAKE2b-256 | 2ab820638dcc5efaad4ad3ca6d26dbe46a712550668e92c02b180da66f76393f |
