Summary
-------
OAuth2/OpenID Connect authentication client for CubicWeb.

All configuration is done in `all-in-one.conf`. The default values should work
fine with Keycloak; for other providers, refer to the documentation of the
content of the JWT token.

* `oauth2-enabled` should be set to `yes` once everything else is configured.
* `oauth2-client-id` and `oauth2-client-secret` should be set (both are given
  by the provider).
* For OpenID Connect providers, `oauth2-server-url` can be set. For Keycloak it
  is https://<server>/auth/realms/<realm>. The configuration is then obtained
  from the metadata URL /.well-known/openid-configuration.
* If you want to avoid a request to the metadata URL, or if your provider
  doesn't implement OpenID, you should configure `oauth2-authorization-url`,
  `oauth2-token-url` and `oauth2-jwk-path`.
* `oauth2-token-login` is used to map a field of the JWT token to the CubicWeb
  login.
* On the provider side, the callback URL should be configured to
  https://<cubicweb>/oauth2/callback
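
An added example, not part of the cubicweb-oauth2 code: one way to derive the three explicit endpoint options from a provider's discovery document, checking it before the values are pinned in `all-in-one.conf`. The metadata is a constructed sample with a hypothetical host, and the code assumes `oauth2-jwk-path` accepts the `jwks_uri` value unchanged.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of a provider's /.well-known/openid-configuration reply
# (hypothetical host and realm; field names are from OpenID Connect Discovery).
SAMPLE_METADATA = json.dumps({
    "issuer": "https://sso.example.org/auth/realms/demo",
    "authorization_endpoint": "https://sso.example.org/auth/realms/demo/protocol/openid-connect/auth",
    "token_endpoint": "https://sso.example.org/auth/realms/demo/protocol/openid-connect/token",
    "jwks_uri": "https://sso.example.org/auth/realms/demo/protocol/openid-connect/certs",
})

# Discovery field -> option name from this README.
# Assumption: oauth2-jwk-path accepts the jwks_uri value as-is.
FIELD_TO_OPTION = {
    "authorization_endpoint": "oauth2-authorization-url",
    "token_endpoint": "oauth2-token-url",
    "jwks_uri": "oauth2-jwk-path",
}


def pinned_options(server_url, metadata_json):
    """Validate a discovery document and return the options to pin."""
    meta = json.loads(metadata_json)
    # Discovery requires the issuer to equal the URL the metadata was
    # requested for; a mismatch means the document is for another issuer.
    if meta.get("issuer") != server_url:
        raise ValueError("issuer does not match oauth2-server-url")
    issuer_host = urlsplit(server_url).hostname
    options = {}
    for field, option in FIELD_TO_OPTION.items():
        parts = urlsplit(meta.get(field, ""))
        if parts.scheme != "https" or not parts.hostname:
            raise ValueError(f"{field} is missing or not https")
        # Local policy (not a spec rule): endpoints stay on the issuer host.
        if parts.hostname != issuer_host:
            raise ValueError(f"{field} is on unexpected host {parts.hostname}")
        options[option] = meta[field]
    return options


def render_conf(options):
    """Format the options as all-in-one.conf lines."""
    return "\n".join(f"{name}={value}" for name, value in options.items())


if __name__ == "__main__":
    print(render_conf(pinned_options(
        "https://sso.example.org/auth/realms/demo", SAMPLE_METADATA)))
```
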

At this point you should be able to log in an existing user through the login
page using the "Log in with Oauth2" button.

If you want to automatically register new users, you must set
`oauth2-register-user` to `yes` and configure `oauth2-default-group`,
`oauth2-token-firstname`, `oauth2-token-surname` and `oauth2-token-email`.

If your instance only accepts users from the OAuth2 provider, you can set
`oauth2-auto-login`, which skips the login page and starts OAuth2
authentication directly.

If your instance requires authenticated users from the OAuth2 provider only,
you can set `oauth2-force-login` to `yes`. This will redirect all
unauthenticated requests to the OAuth2 login.

How to test this with keycloak
------------------------------
This uses the standard flow with confidential (client_id/client_secret) access.

`test_full_login()` might be a good entry point to understand the
authentication flow.

Here is how to test this with Keycloak:

1. Create a new client using url http://:8080
2. Set Access Type to "confidential" with standard flow enabled
3. Get client_id & client_secret from the "Credentials" tab
4. Enable the oauth2 cube in your project
5. In `all-in-one.conf`, set these parameters:

   oauth2-enabled=yes
   oauth2-server-url=https://keycloak/auth/realms/master
   oauth2-client-id=<client_id>
   oauth2-client-secret=<client_secret>

6. Start your instance, go to the login page and click on "Log in with Oauth2"

Raw data
{
"_id": null,
"home_page": "http://www.cubicweb.org/project/cubicweb-oauth2",
"name": "cubicweb-oauth2",
"maintainer": "",
"docs_url": null,
"requires_python": ">=3.5",
"maintainer_email": "",
"keywords": "",
"author": "LOGILAB S.A. (Paris, FRANCE)",
"author_email": "contact@logilab.fr",
"download_url": "https://files.pythonhosted.org/packages/aa/e1/0c6b4933f5fd5bd3f88473ba8c085de7e857d46774bbffe43ffc11bb4abb/cubicweb-oauth2-1.1.0.tar.gz",
"platform": null,
"bugtrack_url": null,
"license": "LGPL",
"summary": "Oauth2/OpenID authentication for cubicweb",
"version": "1.1.0",
"project_urls": {
"Homepage": "http://www.cubicweb.org/project/cubicweb-oauth2"
},
"split_keywords": [],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "bf1bc95ee7c340ba361146fa8adb4059d19ab65808c192d190cfaea209b7fd99",
"md5": "72541fa2c803ce6071a495f2f21174fc",
"sha256": "0c0d02eb2c1b983d5b8d11ea653c3809fec7db51ffe65a7122976f38a5a93b4f"
},
"downloads": -1,
"filename": "cubicweb_oauth2-1.1.0-py3-none-any.whl",
"has_sig": false,
"md5_digest": "72541fa2c803ce6071a495f2f21174fc",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": ">=3.5",
"size": 10195,
"upload_time": "2024-03-06T08:52:01",
"upload_time_iso_8601": "2024-03-06T08:52:01.373638Z",
"url": "https://files.pythonhosted.org/packages/bf/1b/c95ee7c340ba361146fa8adb4059d19ab65808c192d190cfaea209b7fd99/cubicweb_oauth2-1.1.0-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": "",
"digests": {
"blake2b_256": "aae10c6b4933f5fd5bd3f88473ba8c085de7e857d46774bbffe43ffc11bb4abb",
"md5": "54c5cedc05f93fffd7b6942094895799",
"sha256": "9986bc619c8710c50b3e9ef7613527cede29a7ee9d42eeb5e2de93b672f98afc"
},
"downloads": -1,
"filename": "cubicweb-oauth2-1.1.0.tar.gz",
"has_sig": false,
"md5_digest": "54c5cedc05f93fffd7b6942094895799",
"packagetype": "sdist",
"python_version": "source",
"requires_python": ">=3.5",
"size": 15306,
"upload_time": "2024-03-06T08:52:03",
"upload_time_iso_8601": "2024-03-06T08:52:03.309058Z",
"url": "https://files.pythonhosted.org/packages/aa/e1/0c6b4933f5fd5bd3f88473ba8c085de7e857d46774bbffe43ffc11bb4abb/cubicweb-oauth2-1.1.0.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2024-03-06 08:52:03",
"github": false,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"lcname": "cubicweb-oauth2"
}