CKAN OIDC authenticator with PKCE flow

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for DataShades from gravatar.com DataShades Avatar for smotornyuk from gravatar.com smotornyuk

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License: GNU Affero General Public License v3 or later (AGPLv3+) (AGPL)
  • Author: Sergey Motornyuk
  • Tags CKAN, Okta, oidc, pkce, authentication
Classifiers

Project description

Tests

ckanext-oidc-pkce

OpenID connect with PKCE flow authenticator for CKAN.

Warning Developed for Okta and not tested with other providers. PRs or feature-requests are welcome

The plugin adds an extra route to CKAN allowing login through an external application. This route available at /user/login/oidc-pkce(oid_pkce.login endpoint). Original authentication system from CKAN is unchanged and it's up to you(or another extension) to hide original login page if only SSO accounts are allowed on the portal.

Requirements

Compatibility with core CKAN versions:

CKAN version Compatible?
2.9 yes
2.10 yes

Installation

  1. Install the package

    pip install ckanext-oidc-pkce

  2. Add oidc_pkce to the ckan.plugins setting in your CKAN config file

  3. Add SSO settings(refer config settings section for details)

Config settings

# URL of SSO application
# Could be overriden at runtime with env var CKANEXT_OIDC_PKCE_BASE_URL
ckanext.oidc_pkce.base_url = https://12345.example.okta.com

# ClientID of SSO application
# Could be overriden at runtime with env var CKANEXT_OIDC_PKCE_CLIENT_ID
ckanext.oidc_pkce.client_id = clientid

# ClientSecret of SSO application
# (optional, only need id Client App defines a secret, default: "")
# Could be overriden at runtime with env var CKANEXT_OIDC_PKCE_CLIENT_SECRET
ckanext.oidc_pkce.client_secret = clientsecret

# Path to the authorization endpont inside SSO application
# (optional, default: /oauth2/default/v1/authorize)
ckanext.oidc_pkce.auth_path = /auth

# Path to the token endpont inside SSO application
# (optional, default: /oauth2/default/v1/token)
ckanext.oidc_pkce.token_path = /token

# Path to the userinfo endpont inside SSO application
# (optional, default: /oauth2/default/v1/userinfo)
ckanext.oidc_pkce.userinfo_path = /userinfo

# Path to the authentication response handler inside CKAN application
# (optional, default: /user/login/oidc-pkce/callback)
ckanext.oidc_pkce.redirect_path = /local/oidc/handler

# URL to redirect user in case of failed login attempt.  When empty(default)
# redirects to `came_from` URL parameter if availabe or to CKAN login page
# otherwise.
# (optional, default: )
ckanext.oidc_pkce.error_redirect = /user/register

# Scope of the authorization token. The plugin expects at least `sub`,
# `email` and `name` attributes.
# (optional, default: openid email profile)
ckanext.oidc_pkce.scope = email

# For newly created CKAN users use the same ID as one from SSO application
# (optional, default: false)
ckanext.oidc_pkce.use_same_id = true

# When connecting to an existing(non-sso) account, override user's password
# so that it becomes impossible to login using CKAN authentication system.
# Enable this flag if you want to force SSO-logins for all users that once
# used SSO-login.
# (optional, default: false)
ckanext.oidc_pkce.munge_password = true

License

AGPL

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for DataShades from gravatar.com DataShades Avatar for smotornyuk from gravatar.com smotornyuk

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License: GNU Affero General Public License v3 or later (AGPLv3+) (AGPL)
  • Author: Sergey Motornyuk
  • Tags CKAN, Okta, oidc, pkce, authentication
Classifiers

Release history Release notifications | RSS feed

0.3.1.post1

0.3.1

This version

0.3.0

0.2.3

0.2.2

0.2.1

0.2.0

0.1.2

0.1.1

0.1.0

0.0.3

0.0.2

0.0.1

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

ckanext-oidc-pkce-0.3.0.tar.gz (23.3 kB view details)

Uploaded Source

Built Distribution

ckanext_oidc_pkce-0.3.0-py3-none-any.whl (24.5 kB view details)

Uploaded Python 3

File details

Details for the file ckanext-oidc-pkce-0.3.0.tar.gz.

File metadata

  • Download URL: ckanext-oidc-pkce-0.3.0.tar.gz
  • Upload date:
  • Size: 23.3 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/4.0.2 CPython/3.8.13

File hashes

Hashes for ckanext-oidc-pkce-0.3.0.tar.gz
Algorithm Hash digest
SHA256 cad8101f0d6effd76c82c104805202e97aadaea8eb8f79110f94c4ee575b49dc
MD5 2903cbb63867a7321975251b3c8b880b
BLAKE2b-256 93fff4d69a0d3cc46b8bf4e3215f6d33e4e060dec88bd620fb4be25faab9fd0e

See more details on using hashes here.

File details

Details for the file ckanext_oidc_pkce-0.3.0-py3-none-any.whl.

File metadata

File hashes

Hashes for ckanext_oidc_pkce-0.3.0-py3-none-any.whl
Algorithm Hash digest
SHA256 01afc08fcce5593a28bb01750a02484928a7302973981d18aca3371e55effd01
MD5 6b193f81b2cbe0b13046f86b2465e3bc
BLAKE2b-256 ad3b91d73634a8d9e32405345715526d5381814385ea36f9591582939a5cffc6

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page