DataShades/ckanext-oidc-pkce
ckanext-oidc-pkce

OpenID connect with PKCE flow authenticator for CKAN.

Warning: developed for Okta and not tested with other providers. PRs or feature requests are welcome.

The plugin adds an extra route to CKAN that allows login through an external application. This route is available at /user/login/oidc-pkce (the oidc_pkce.login endpoint). CKAN's original authentication system is left unchanged, and it is up to you (or another extension) to hide the original login page if only SSO accounts are allowed on the portal.

Requirements

Compatibility with core CKAN versions:

CKAN version Compatible?
2.9 yes
2.10 yes

Installation

  1. Install the package

    pip install ckanext-oidc-pkce
  2. Add oidc_pkce to the ckan.plugins setting in your CKAN config file

  3. Add the SSO settings (refer to the Config settings section for details)

Config settings

# URL of SSO application
# Could be overridden at runtime with env var CKANEXT_OIDC_PKCE_BASE_URL
ckanext.oidc_pkce.base_url = https://12345.example.okta.com

# ClientID of SSO application
# Could be overridden at runtime with env var CKANEXT_OIDC_PKCE_CLIENT_ID
ckanext.oidc_pkce.client_id = clientid

# ClientSecret of SSO application
# (optional, only needed if the client app defines a secret, default: "")
# Could be overridden at runtime with env var CKANEXT_OIDC_PKCE_CLIENT_SECRET
ckanext.oidc_pkce.client_secret = clientsecret

# Path to the authorization endpoint inside SSO application
# (optional, default: /oauth2/default/v1/authorize)
ckanext.oidc_pkce.auth_path = /auth

# Path to the token endpoint inside SSO application
# (optional, default: /oauth2/default/v1/token)
ckanext.oidc_pkce.token_path = /token

# Path to the userinfo endpoint inside SSO application
# (optional, default: /oauth2/default/v1/userinfo)
ckanext.oidc_pkce.userinfo_path = /userinfo

# Path to the authentication response handler inside CKAN application
# (optional, default: /user/login/oidc-pkce/callback)
ckanext.oidc_pkce.redirect_path = /local/oidc/handler

# URL to redirect user in case of failed login attempt.
# When empty (default), redirects to `came_from` URL parameter if available
# or to CKAN login page otherwise.
# (optional, default: )
ckanext.oidc_pkce.error_redirect = /user/register

# Scope of the authorization token. The plugin expects at least `sub`,
# `email` and `name` attributes.
# (optional, default: openid email profile)
ckanext.oidc_pkce.scope = email

# Whether newly created CKAN users will use the same ID as the one
# from the SSO application
# (optional, default: false)
ckanext.oidc_pkce.use_same_id = true

# When connecting to an existing (non-SSO) account, override user's password
# so that it becomes impossible to log in using CKAN authentication system.
# Enable this flag if you want to force SSO logins for all accounts
# that have SSO.
# Does not apply to sysadmins (as they need to know their passwords in order
# to update user profiles).
# (optional, default: false)
ckanext.oidc_pkce.munge_password = true
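The authorization request the login route redirects to, built from the settings above, together with the provider-side verifier check that makes PKCE worth having, as an added Python example (not the plugin's own code). The sample config dictionary, the ckan.site_url value and the function names are constructed for illustration:

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

# Constructed sample of the plugin's settings; in CKAN these come from the
# config file or the CKANEXT_OIDC_PKCE_* environment variables listed above.
SAMPLE_CONFIG = {
    "ckanext.oidc_pkce.base_url": "https://12345.example.okta.com",
    "ckanext.oidc_pkce.client_id": "clientid",
    "ckanext.oidc_pkce.auth_path": "/oauth2/default/v1/authorize",
    "ckanext.oidc_pkce.redirect_path": "/user/login/oidc-pkce/callback",
    "ckanext.oidc_pkce.scope": "openid email profile",
}
CKAN_SITE_URL = "https://data.example.org"  # assumed ckan.site_url


def make_verifier() -> str:
    """High-entropy code_verifier (RFC 7636 requires 43-128 unreserved chars)."""
    return secrets.token_urlsafe(64)  # 86 URL-safe characters


def challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(code_verifier)) without '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(config: dict, verifier: str, state: str) -> str:
    """Authorization request the login route sends the browser to.
    Only the challenge leaves the server; the verifier stays in the session."""
    params = {
        "response_type": "code",
        "client_id": config["ckanext.oidc_pkce.client_id"],
        "redirect_uri": CKAN_SITE_URL + config["ckanext.oidc_pkce.redirect_path"],
        "scope": config["ckanext.oidc_pkce.scope"],
        "state": state,  # bound to the session and re-checked on the callback
        "code_challenge": challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    base = config["ckanext.oidc_pkce.base_url"].rstrip("/")
    return f"{base}{config['ckanext.oidc_pkce.auth_path']}?{urlencode(params)}"


def verifier_matches(challenge: str, verifier: str) -> bool:
    """Provider-side check at the token endpoint: an intercepted authorization
    code cannot be redeemed without the verifier behind the stored challenge."""
    return secrets.compare_digest(challenge_s256(verifier), challenge)
```

The redirect_uri sent here must match the value registered with the provider, so changing ckanext.oidc_pkce.redirect_path also means updating the Okta application.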

License

AGPL
