
Oauth2/OpenID authentication for cubicweb

Project description

Summary

Oauth2/OpenID connect authentication client for cubicweb.

All configuration is done in all-in-one.conf. The default values should work with Keycloak; for other providers, refer to the provider's documentation for the content of the JWT token.

  • oauth2-enabled should be set to yes once it is configured

  • oauth2-client-id and oauth2-client-secret should be set (given by the provider).

  • For OpenID Connect providers, oauth2-server-url can be set. For Keycloak it is https://<server>/auth/realms/<realm>. The remaining configuration is then obtained from the metadata url /.well-known/openid-configuration

  • If you want to avoid a request to the metadata url, or if your provider doesn’t implement OpenID, you should configure oauth2-authorization-url, oauth2-token-url and oauth2-jwk-path.

  • oauth2-token-login is used to map a field of the JWT token with CubicWeb login.

  • On the provider side, the callback url should be configured to https://<cubicweb>/oauth2/callback

At this point you should be able to log in as an existing user through the login page using the “Log in with Oauth2” button.

If you want to automatically register new users, you must set oauth2-register-user to yes and configure oauth2-default-group, oauth2-token-firstname, oauth2-token-surname and oauth2-token-email.

If your instance only accepts users from the Oauth2 provider, you can set oauth2-auto-login, which skips the login page and starts oauth2 authentication directly.

If your instance requires authenticated users from the Oauth2 provider only, you can set oauth2-force-login to yes; this will redirect all unauthenticated requests to the oauth2 login.

How to test this with Keycloak

Using standard flow and confidential (client_id/client_secret) access.

test_full_login() might be a good entry point to understand the authentication flow.

Here is how to test this with Keycloak:

  1. Create a new client using url http://:8080

  2. Set Access Type to “confidential” with standard flow enabled

  3. Get client_id & client_secret from the “Credentials” tab

  4. Enable the oauth2 cube to your project

  5. In all-in-one.conf set these parameters:

       oauth2-enabled=yes
       oauth2-server-url=https://keycloak/auth/realms/master
       oauth2-client-id=<client_id>
       oauth2-client-secret=<client_secret>

  6. Start your instance, go to login page and click on “Log in with Oauth2”
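The following is an added example, not code from the cubicweb-oauth2 cube itself: it shows how the options described above fit together, resolving the effective endpoints either from the explicit oauth2-authorization-url/token-url/jwk-path options or from the OpenID metadata, and mapping decoded JWT claims to a CubicWeb login with the oauth2-register-user behaviour. The configuration values, discovery document and claims are constructed samples modelled on the Keycloak setup in the steps above; the claim names (preferred_username, given_name, family_name, email) are assumptions.

```python
# Added example, not code from the cubicweb-oauth2 cube: resolves the effective
# OAuth2 endpoints from all-in-one.conf options and maps decoded JWT claims to a
# CubicWeb user record as described above; all sample values are constructed.

def effective_endpoints(conf, discovery=None):
    """Use oauth2-authorization-url/token-url/jwk-path when all three are set
    (no metadata request); otherwise fill the gaps from the OpenID metadata that
    is fetched from <oauth2-server-url>/.well-known/openid-configuration."""
    keys = ("authorization-url", "token-url", "jwk-path")
    explicit = {k: conf.get("oauth2-" + k) for k in keys}
    if all(explicit.values()):
        return explicit
    if not conf.get("oauth2-server-url") or discovery is None:
        raise ValueError("set oauth2-server-url or all three explicit endpoint options")
    meta = {"authorization-url": "authorization_endpoint",  # OpenID discovery names
            "token-url": "token_endpoint", "jwk-path": "jwks_uri"}
    return {k: explicit[k] or discovery[meta[k]] for k in keys}

def user_from_claims(conf, claims, known_logins):
    """Map the claim named by oauth2-token-login to a CubicWeb login. Known users
    log in; unknown ones are registered only when oauth2-register-user=yes, with
    oauth2-default-group and the oauth2-token-firstname/surname/email claims.
    Returns None when the login must be refused."""
    if conf.get("oauth2-enabled") != "yes":
        return None
    login = claims.get(conf["oauth2-token-login"])
    if not login:
        return None  # token carries no usable login claim
    if login in known_logins:
        return {"login": login, "created": False}
    if conf.get("oauth2-register-user") != "yes":
        return None  # auto-registration disabled: reject unknown users
    record = {"login": login, "created": True, "group": conf["oauth2-default-group"]}
    for field in ("firstname", "surname", "email"):
        record[field] = claims.get(conf["oauth2-token-" + field])
    return record

# Constructed sample matching the Keycloak setup described above.
SAMPLE_CONF = {
    "oauth2-enabled": "yes", "oauth2-server-url": "https://keycloak/auth/realms/master",
    "oauth2-token-login": "preferred_username", "oauth2-register-user": "yes",
    "oauth2-default-group": "users", "oauth2-token-firstname": "given_name",
    "oauth2-token-surname": "family_name", "oauth2-token-email": "email",
}
SAMPLE_DISCOVERY = {  # constructed subset of /.well-known/openid-configuration
    "authorization_endpoint": "https://keycloak/auth/realms/master/protocol/openid-connect/auth",
    "token_endpoint": "https://keycloak/auth/realms/master/protocol/openid-connect/token",
    "jwks_uri": "https://keycloak/auth/realms/master/protocol/openid-connect/certs",
}
SAMPLE_CLAIMS = {"preferred_username": "alice", "given_name": "Alice",
                 "family_name": "Liddell", "email": "alice@example.org"}
```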
