Skip to main content

An add-on for Plone

Project description

Latest Version Egg Status Supported - Python Versions License Tests Coverage

pas.plugins.oidc

This is an Plone authentication plugin for OpenID Connect. OAuth 2.0 should work as well, because OpenID Connect is built on top of this protocol.

Features

  • PAS plugin, although currently no interfaces are activated.

  • Three browser views for this PAS plugin, which are the main interaction with the outside world.

Installation

Install pas.plugins.oidc by adding it to your buildout:

[buildout]

...

eggs =
    pas.plugins.oidc

and then running bin/buildout

Warning

Pay attention to the customization of User info property used as userid field, with the wrong configuration it’s easy impersonate another user.

Example setup with Keycloak

Setup Keycloak as server

Please refer to the Keycloak documentation for up to date instructions. Specifically, here we will use a Docker image, so follow the instructions on how to get started with Keycloak on Docker. This does not give you a production setup, but it is fine for local development.

Keycloak runs on port 8080 by default. Plone uses the same port. When you are reading this, you probably know how to let Plone use a different port. So let’s indeed let Keycloak use its prefered port. At the moment of writing, this is how you start a Keycloak container:

docker run -p 8080:8080 -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin quay.io/keycloak/keycloak:19.0.3 start-dev

Note: when you exit this container, it still exists and you can restart it so you don’t lose your configuration. With docker ps -a figure out the name of the container and then use docker container start -ai <name>.

Follow the Keycloak Docker documentation further:

  • Create a realm. Give this the name plone.

  • Create a user. Remember to set a password for this user in the Credentials tab.

  • Open a different browser and check that you can login to Keycloak with this user.

In the original browser, follow the steps for securing your first app. But we will be using different settings for Plone. And when last I checked, the actual UI differed from the documentation. So:

  • Make sure you are logged in as admin in Keycloak, and are in the Plone realm.

  • Go to Clients.

  • Click ‘Create client’:

    • client type: OpenID Connect

    • client ID: plone

    • Turn ‘always display in console’ on. Useful for testing.

    • Click Next and Save.

  • Now you can fill in the Access settings. We will assume Plone runs on port 8081:

Keycloak is ready.

Setup Plone as client

  • In your Zope instance configuration, make sure Plone runs on port 8081.

  • Make sure pas.plugins.openidc is installed with pip or Buildout.

  • Start Plone and create a Plone site with id Plone.

  • In the Add-ons control panel, install pas.plugins.openidc.

  • In the ZMI go to the plugin properties at http://localhost:8081/Plone/acl_users/oidc/manage_propertiesForm

  • Set these properties:

    • OIDC/Oauth2 Issuer: http://localhost:8080/realms/plone/

    • client ID: plone. This must match the client ID you have set in Keycloak.

    • Leave the rest at the default and save the changes.

Login

Go to the other browser, or logout as admin from Keycloak. Currently, the Plone login form is unchanged. Instead, go to the login page of the plugin: http://localhost:8081/Plone/acl_users/oidc/login This will take you to Keycloak to login, and then return. You should now be logged in to Plone, and see the fullname and email, if you have set this in Keycloak.

Settings in environment variables

Instead of editing your OIDC provider settings through the ZMI, you can use collective.regenv and provide a YAML file with your settings. This is very useful if you have different settings in different environments and and you do not want to edit the settings each time you move the contents.

Varnish

If you are using the Varnish caching server in front of Plone, you may see this plugin only partially working. Especially the came_from parameter may be ignored. This is because the standard configuration from plone.recipe.varnish removes most cookies to improve anonymous caching. Solution is to make sure the __ac_session cookie is added to the cookie-pass option. Check what the current default is in the recipe, and update it:

[varnish-configuration]
recipe = plone.recipe.varnish:configuration
...
cookie-pass = "auth_token|__ac(|_(name|password|persistent|session))=":"\.(js|css|kss)$"

Contribute

References

License

The project is licensed under the GPLv2.

Contributors

Changelog

1.0a5 (2023-04-05)

  • Catch exceptions during the OAuth process [erral]

  • Update the plugin to make challenges. An anonymous user who visits a page for which you have to be authenticated, is redirected to the new require_login view on the plugin. This works the same way as the standard require_login page of Plone. [maurits]

  • Add a property for the default userinfo instead of using only sub. [eikichi18]

1.0a4 (2023-01-16)

  • Call getProperty only once when getting redirect_uris or scope. [maurits]

  • use getProperty accessor [mamico]

1.0a3 (2022-10-30)

  • Removed the hardcoded auth cookie name [alecghica]

  • Fixed Python compatibility with version >= 3.6 [alecghica]

  • check if url is in portal before redirect #2 [erral]

  • manage came_from [mamico]

1.0a2 (unreleased)

  • do userinforequest if there is a client.userinfo_endpoint [mamico]

1.0a1 (unreleased)

  • Initial release. [mamico]

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

pas.plugins.oidc-1.0a5.tar.gz (35.1 kB view hashes)

Uploaded Source

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page