[](https://github.com/DataShades/ckanext-oidc-pkce/actions/workflows/test.yml)
# ckanext-oidc-pkce
OpenID connect with PKCE flow authenticator for CKAN.
> **Warning**
> Developed for Okta and not tested with other providers.
> PRs or feature-requests are welcome
The plugin adds an extra route to CKAN allowing login through an external
application. This route available at `/user/login/oidc-pkce`(`oid_pkce.login`
endpoint). Original authentication system from CKAN is unchanged and it's up to
you(or another extension) to hide original login page if only SSO accounts are
allowed on the portal.
## Requirements
Compatibility with core CKAN versions:
| CKAN version | Compatible? |
|--------------|-------------|
| 2.9 | yes |
| 2.10 | yes |
## Installation
1. Install the package
```sh
pip install ckanext-oidc-pkce
```
1. Add `oidc_pkce` to the `ckan.plugins` setting in your CKAN
config file
1. Add SSO settings(refer [config settings](#config-settings) section for details)
## Config settings
```ini
# URL of SSO application
# Could be overriden at runtime with env var CKANEXT_OIDC_PKCE_BASE_URL
ckanext.oidc_pkce.base_url = https://12345.example.okta.com
# ClientID of SSO application
# Could be overriden at runtime with env var CKANEXT_OIDC_PKCE_CLIENT_ID
ckanext.oidc_pkce.client_id = clientid
# ClientSecret of SSO application
# (optional, only need id Client App defines a secret, default: "")
# Could be overriden at runtime with env var CKANEXT_OIDC_PKCE_CLIENT_SECRET
ckanext.oidc_pkce.client_secret = clientsecret
# Path to the authorization endpont inside SSO application
# (optional, default: /oauth2/default/v1/authorize)
ckanext.oidc_pkce.auth_path = /auth
# Path to the token endpont inside SSO application
# (optional, default: /oauth2/default/v1/token)
ckanext.oidc_pkce.token_path = /token
# Path to the userinfo endpont inside SSO application
# (optional, default: /oauth2/default/v1/userinfo)
ckanext.oidc_pkce.userinfo_path = /userinfo
# Path to the authentication response handler inside CKAN application
# (optional, default: /user/login/oidc-pkce/callback)
ckanext.oidc_pkce.redirect_path = /local/oidc/handler
# URL to redirect user in case of failed login attempt. When empty(default)
# redirects to `came_from` URL parameter if availabe or to CKAN login page
# otherwise.
# (optional, default: )
ckanext.oidc_pkce.error_redirect = /user/register
# Scope of the authorization token. The plugin expects at least `sub`,
# `email` and `name` attributes.
# (optional, default: openid email profile)
ckanext.oidc_pkce.scope = email
# For newly created CKAN users use the same ID as one from SSO application
# (optional, default: false)
ckanext.oidc_pkce.use_same_id = true
# When connecting to an existing(non-sso) account, override user's password
# so that it becomes impossible to login using CKAN authentication system.
# Enable this flag if you want to force SSO-logins for all users that once
# used SSO-login.
# (optional, default: false)
ckanext.oidc_pkce.munge_password = true
```
## License
[AGPL](https://www.gnu.org/licenses/agpl-3.0.en.html)
Raw data
{
"_id": null,
"home_page": null,
"name": "ckanext-oidc-pkce",
"maintainer": null,
"docs_url": null,
"requires_python": null,
"maintainer_email": "DataShades <datashades@linkdigital.com.au>",
"keywords": "CKAN, Okta, oidc, pkce, authentication",
"author": null,
"author_email": "DataShades <datashades@linkdigital.com.au>, Sergey Motornyuk <sergey.motornyuk@linkdigital.com.au>",
"download_url": "https://files.pythonhosted.org/packages/1c/93/bbd92879523a3a38d3de3b333c2ebd9cf96b5c9c6444776f56a83a87d547/ckanext_oidc_pkce-0.4.1.tar.gz",
"platform": null,
"description": "[](https://github.com/DataShades/ckanext-oidc-pkce/actions/workflows/test.yml)\n\n# ckanext-oidc-pkce\n\nOpenID connect with PKCE flow authenticator for CKAN.\n\n> **Warning**\n> Developed for Okta and not tested with other providers.\n> PRs or feature-requests are welcome\n\nThe plugin adds an extra route to CKAN allowing login through an external\napplication. This route available at `/user/login/oidc-pkce`(`oid_pkce.login`\nendpoint). Original authentication system from CKAN is unchanged and it's up to\nyou(or another extension) to hide original login page if only SSO accounts are\nallowed on the portal.\n\n## Requirements\n\nCompatibility with core CKAN versions:\n\n| CKAN version | Compatible? |\n|--------------|-------------|\n| 2.9 | yes |\n| 2.10 | yes |\n\n## Installation\n\n1. Install the package\n ```sh\n pip install ckanext-oidc-pkce\n ```\n\n1. Add `oidc_pkce` to the `ckan.plugins` setting in your CKAN\n config file\n\n1. Add SSO settings(refer [config settings](#config-settings) section for details)\n\n## Config settings\n\n```ini\n# URL of SSO application\n# Could be overriden at runtime with env var CKANEXT_OIDC_PKCE_BASE_URL\nckanext.oidc_pkce.base_url = https://12345.example.okta.com\n\n# ClientID of SSO application\n# Could be overriden at runtime with env var CKANEXT_OIDC_PKCE_CLIENT_ID\nckanext.oidc_pkce.client_id = clientid\n\n# ClientSecret of SSO application\n# (optional, only need id Client App defines a secret, default: \"\")\n# Could be overriden at runtime with env var CKANEXT_OIDC_PKCE_CLIENT_SECRET\nckanext.oidc_pkce.client_secret = clientsecret\n\n# Path to the authorization endpont inside SSO application\n# (optional, default: /oauth2/default/v1/authorize)\nckanext.oidc_pkce.auth_path = /auth\n\n# Path to the token endpont inside SSO application\n# (optional, default: /oauth2/default/v1/token)\nckanext.oidc_pkce.token_path = /token\n\n# Path to the userinfo endpont inside SSO application\n# (optional, default: /oauth2/default/v1/userinfo)\nckanext.oidc_pkce.userinfo_path = /userinfo\n\n# Path to the authentication response handler inside CKAN application\n# (optional, default: /user/login/oidc-pkce/callback)\nckanext.oidc_pkce.redirect_path = /local/oidc/handler\n\n# URL to redirect user in case of failed login attempt. When empty(default)\n# redirects to `came_from` URL parameter if availabe or to CKAN login page\n# otherwise.\n# (optional, default: )\nckanext.oidc_pkce.error_redirect = /user/register\n\n# Scope of the authorization token. The plugin expects at least `sub`,\n# `email` and `name` attributes.\n# (optional, default: openid email profile)\nckanext.oidc_pkce.scope = email\n\n# For newly created CKAN users use the same ID as one from SSO application\n# (optional, default: false)\nckanext.oidc_pkce.use_same_id = true\n\n# When connecting to an existing(non-sso) account, override user's password\n# so that it becomes impossible to login using CKAN authentication system.\n# Enable this flag if you want to force SSO-logins for all users that once\n# used SSO-login.\n# (optional, default: false)\nckanext.oidc_pkce.munge_password = true\n\n```\n\n## License\n\n[AGPL](https://www.gnu.org/licenses/agpl-3.0.en.html)\n",
"bugtrack_url": null,
"license": "AGPL",
"summary": "CKAN OIDC authenticator with PKCE flow",
"version": "0.4.1",
"project_urls": {
"Homepage": "https://github.com/DataShades/ckanext-oidc-pkce"
},
"split_keywords": [
"ckan",
" okta",
" oidc",
" pkce",
" authentication"
],
"urls": [
{
"comment_text": null,
"digests": {
"blake2b_256": "3a519f36887977dbdfda9bba25e11366eb4ab42feb498f2ed6073b942d604812",
"md5": "d28ffc72fdd633769a4c20d6f7958d8e",
"sha256": "cf2235b64c9ba9f04d02f70719520857393b8dba5a05acbb0c67dd819bc401fc"
},
"downloads": -1,
"filename": "ckanext_oidc_pkce-0.4.1-py3-none-any.whl",
"has_sig": false,
"md5_digest": "d28ffc72fdd633769a4c20d6f7958d8e",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": null,
"size": 26897,
"upload_time": "2025-08-18T06:32:51",
"upload_time_iso_8601": "2025-08-18T06:32:51.844823Z",
"url": "https://files.pythonhosted.org/packages/3a/51/9f36887977dbdfda9bba25e11366eb4ab42feb498f2ed6073b942d604812/ckanext_oidc_pkce-0.4.1-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": null,
"digests": {
"blake2b_256": "1c93bbd92879523a3a38d3de3b333c2ebd9cf96b5c9c6444776f56a83a87d547",
"md5": "984304aa260869e8a7c390a67bc384f4",
"sha256": "00da7dd69e2f10ba633176f5352cdd82f2aac4e26b9f8c068c99c65cb7760ac6"
},
"downloads": -1,
"filename": "ckanext_oidc_pkce-0.4.1.tar.gz",
"has_sig": false,
"md5_digest": "984304aa260869e8a7c390a67bc384f4",
"packagetype": "sdist",
"python_version": "source",
"requires_python": null,
"size": 25629,
"upload_time": "2025-08-18T06:32:53",
"upload_time_iso_8601": "2025-08-18T06:32:53.239965Z",
"url": "https://files.pythonhosted.org/packages/1c/93/bbd92879523a3a38d3de3b333c2ebd9cf96b5c9c6444776f56a83a87d547/ckanext_oidc_pkce-0.4.1.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2025-08-18 06:32:53",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "DataShades",
"github_project": "ckanext-oidc-pkce",
"travis_ci": false,
"coveralls": true,
"github_actions": true,
"requirements": [],
"lcname": "ckanext-oidc-pkce"
}
JSON
