[![Tests](https://github.com/DataShades/ckanext-oidc-pkce/actions/workflows/test.yml/badge.svg)](https://github.com/DataShades/ckanext-oidc-pkce/actions/workflows/test.yml)
# ckanext-oidc-pkce
OpenID Connect authenticator with PKCE flow for CKAN.

> **Warning**
> Developed for Okta and not tested with other providers.
> PRs or feature requests are welcome.

The plugin adds an extra route to CKAN that allows login through an external
application. This route is available at `/user/login/oidc-pkce` (the `oid_pkce.login`
endpoint). CKAN's original authentication system is unchanged, and it is up to
you (or another extension) to hide the original login page if only SSO accounts are
allowed on the portal.
## Requirements
Compatibility with core CKAN versions:

| CKAN version | Compatible? |
|--------------|-------------|
| 2.9          | yes         |
| 2.10         | yes         |
## Installation
1. Install the package

   ```sh
   pip install ckanext-oidc-pkce
   ```

1. Add `oidc_pkce` to the `ckan.plugins` setting in your CKAN config file

1. Add SSO settings (refer to the [config settings](#config-settings) section for details)
## Config settings
```ini
# URL of SSO application
# Can be overridden at runtime with env var CKANEXT_OIDC_PKCE_BASE_URL
ckanext.oidc_pkce.base_url = https://12345.example.okta.com

# ClientID of SSO application
# Can be overridden at runtime with env var CKANEXT_OIDC_PKCE_CLIENT_ID
ckanext.oidc_pkce.client_id = clientid

# ClientSecret of SSO application
# (optional, only needed if the Client App defines a secret, default: "")
# Can be overridden at runtime with env var CKANEXT_OIDC_PKCE_CLIENT_SECRET
ckanext.oidc_pkce.client_secret = clientsecret

# Path to the authorization endpoint inside SSO application
# (optional, default: /oauth2/default/v1/authorize)
ckanext.oidc_pkce.auth_path = /auth

# Path to the token endpoint inside SSO application
# (optional, default: /oauth2/default/v1/token)
ckanext.oidc_pkce.token_path = /token

# Path to the userinfo endpoint inside SSO application
# (optional, default: /oauth2/default/v1/userinfo)
ckanext.oidc_pkce.userinfo_path = /userinfo

# Path to the authentication response handler inside CKAN application
# (optional, default: /user/login/oidc-pkce/callback)
ckanext.oidc_pkce.redirect_path = /local/oidc/handler

# URL to redirect the user to after a failed login attempt. When empty (default),
# redirects to the `came_from` URL parameter if available or to the CKAN login
# page otherwise.
# (optional, default: )
ckanext.oidc_pkce.error_redirect = /user/register

# Scope of the authorization token. The plugin expects at least `sub`,
# `email` and `name` attributes.
# (optional, default: openid email profile)
ckanext.oidc_pkce.scope = email

# For newly created CKAN users, use the same ID as the one from SSO application
# (optional, default: false)
ckanext.oidc_pkce.use_same_id = true

# When connecting to an existing (non-SSO) account, override the user's password
# so that it becomes impossible to log in using the CKAN authentication system.
# Enable this flag if you want to force SSO logins for all users that have
# used SSO login once.
# (optional, default: false)
ckanext.oidc_pkce.munge_password = true
```
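
An added example, not part of the plugin or its README: a small audit of the settings above that applies the three documented environment overrides and checks whether the configured scope requests the `sub`, `email` and `name` attributes the plugin expects. The function names, the `[app:main]` section, treating an empty environment variable as unset, and the standard OIDC scope-to-claim mapping (`openid` gives `sub`, `email` gives `email`, `profile` gives `name`) are assumptions; the sample ini is constructed from the example values above.

```python
import configparser
import os
from urllib.parse import urlsplit

PREFIX = "ckanext.oidc_pkce."
# Settings the README says can be overridden by environment variables.
ENV_OVERRIDES = {
    "base_url": "CKANEXT_OIDC_PKCE_BASE_URL",
    "client_id": "CKANEXT_OIDC_PKCE_CLIENT_ID",
    "client_secret": "CKANEXT_OIDC_PKCE_CLIENT_SECRET",
}
# Standard OIDC scope -> claim mapping, limited to the claims the plugin expects.
SCOPE_CLAIMS = {"openid": {"sub"}, "email": {"email"}, "profile": {"name"}}
DEFAULT_SCOPE = "openid email profile"
# Constructed sample: the README's example values inside CKAN's [app:main] section.
SAMPLE_INI = """[app:main]
ckanext.oidc_pkce.base_url = https://12345.example.okta.com
ckanext.oidc_pkce.client_id = clientid
ckanext.oidc_pkce.client_secret = clientsecret
ckanext.oidc_pkce.scope = email
"""

def effective_settings(ini_text, environ=os.environ, section="app:main"):
    """Return the plugin's settings with environment overrides applied."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.read_string(ini_text)
    items = parser[section] if parser.has_section(section) else {}
    settings = {k[len(PREFIX):]: v for k, v in items.items() if k.startswith(PREFIX)}
    for key, env_name in ENV_OVERRIDES.items():
        if environ.get(env_name):  # assumption: an empty variable counts as unset
            settings[key] = environ[env_name]
    return settings

def audit(ini_text, environ=os.environ):
    """Return findings (strings) for the OIDC settings of a CKAN ini file."""
    settings = effective_settings(ini_text, environ)
    findings = []
    url = urlsplit(settings.get("base_url", ""))
    if url.scheme != "https" or not url.netloc:
        findings.append("base_url must be an absolute https:// URL")
    scopes = settings.get("scope", DEFAULT_SCOPE).split()
    granted = set().union(*(SCOPE_CLAIMS.get(s, set()) for s in scopes))
    for claim in sorted({"sub", "email", "name"} - granted):
        findings.append(f"scope does not request the '{claim}' claim")
    if settings.get("client_secret") and not environ.get(ENV_OVERRIDES["client_secret"]):
        findings.append("client_secret is stored in the ini file, not the env var")
    return findings
```

Run against the example values shown above, `audit(SAMPLE_INI, {})` reports that `scope = email` omits `openid` and `profile`, both of which the default `openid email profile` includes.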
## License
[AGPL](https://www.gnu.org/licenses/agpl-3.0.en.html)