ckanext-oidc-pkce


| Field        | Value                                            |
|--------------|--------------------------------------------------|
| Name         | ckanext-oidc-pkce                                |
| Version      | 0.3.1                                            |
| Home page    | https://github.com/DataShades/ckanext-oidc-pkce  |
| Summary      | CKAN OIDC authenticator with PKCE flow           |
| Upload time  | 2023-10-02 08:02:15                              |
| Author       | Sergey Motornyuk                                 |
| License      | AGPL                                             |
| Keywords     | ckan okta oidc pkce authentication               |
| Requirements | No requirements were recorded.                   |

[![Tests](https://github.com/DataShades/ckanext-oidc-pkce/actions/workflows/test.yml/badge.svg)](https://github.com/DataShades/ckanext-oidc-pkce/actions/workflows/test.yml)

# ckanext-oidc-pkce

OpenID Connect with PKCE flow authenticator for CKAN.

> **Warning**
> Developed for Okta and not tested with other providers.
> PRs or feature requests are welcome.

The plugin adds an extra route to CKAN that allows login through an external
application. This route is available at `/user/login/oidc-pkce` (`oid_pkce.login`
endpoint). The original CKAN authentication system is unchanged, so it is up to
you (or another extension) to hide the original login page if only SSO accounts
are allowed on the portal.

## Requirements

Compatibility with core CKAN versions:

| CKAN version | Compatible? |
|--------------|-------------|
| 2.9          | yes         |
| 2.10         | yes         |

## Installation

1. Install the package
   ```sh
   pip install ckanext-oidc-pkce
   ```

1. Add `oidc_pkce` to the `ckan.plugins` setting in your CKAN
   config file

1. Add SSO settings (refer to the [config settings](#config-settings) section for details)

## Config settings

```ini
# URL of SSO application
# Can be overridden at runtime with the env var CKANEXT_OIDC_PKCE_BASE_URL
ckanext.oidc_pkce.base_url = https://12345.example.okta.com

# ClientID of SSO application
# Can be overridden at runtime with the env var CKANEXT_OIDC_PKCE_CLIENT_ID
ckanext.oidc_pkce.client_id = clientid

# ClientSecret of SSO application
# (optional, only needed if the client app defines a secret, default: "")
# Can be overridden at runtime with the env var CKANEXT_OIDC_PKCE_CLIENT_SECRET
ckanext.oidc_pkce.client_secret = clientsecret

# Path to the authorization endpoint inside SSO application
# (optional, default: /oauth2/default/v1/authorize)
ckanext.oidc_pkce.auth_path = /auth

# Path to the token endpoint inside SSO application
# (optional, default: /oauth2/default/v1/token)
ckanext.oidc_pkce.token_path = /token

# Path to the userinfo endpoint inside SSO application
# (optional, default: /oauth2/default/v1/userinfo)
ckanext.oidc_pkce.userinfo_path = /userinfo

# Path to the authentication response handler inside CKAN application
# (optional, default: /user/login/oidc-pkce/callback)
ckanext.oidc_pkce.redirect_path = /local/oidc/handler

# URL to redirect the user to after a failed login attempt. When empty (default),
# redirects to the `came_from` URL parameter if available, or to the CKAN login
# page otherwise.
# (optional, default: )
ckanext.oidc_pkce.error_redirect = /user/register

# Scope of the authorization token. The plugin expects at least `sub`,
# `email` and `name` attributes.
# (optional, default: openid email profile)
ckanext.oidc_pkce.scope = email

# For newly created CKAN users, use the same ID as the one from SSO application
# (optional, default: false)
ckanext.oidc_pkce.use_same_id = true

# When connecting to an existing (non-SSO) account, override the user's password
# so that it becomes impossible to log in using the CKAN authentication system.
# Enable this flag if you want to force SSO logins for all users that have
# used SSO login at least once.
# (optional, default: false)
ckanext.oidc_pkce.munge_password = true
```

## License

[AGPL](https://www.gnu.org/licenses/agpl-3.0.en.html)

            
