CESNET OIDC Auth backend for OARepo
This remote backend is appropriate for e.g. a SPA application which communicates with Invenio via REST calls. It also manages mapping of external CESNET (Perun) groups onto internal Invenio roles and Invenio user-role synchronization using this mapping.
Installation
Cesnet OpenID Remote is on PyPI so all you need is:
$ pip install cesnet-openid-remote
Then run the following to ensure the cesnet_group and cesnet_group_role mapping database tables are created:
$ invenio alembic upgrade heads
Configuration
- Register a new application with CESNET OIDC Provider. When registering the application ensure that the Redirect URI points to:
https://<my_invenio_site>:5000/api/oauth/authorized/eduid/
- Grab the Client ID and Client Secret after registering the application and add them to your ENVIRONMENT (.env):
OPENIDC_KEY=*Client ID*
OPENIDC_SECRET=*Client Secret*
- Now access the login page from your SPA using CESNET OAuth:
window.location =
"https://<my_invenio_site>:5000/api/oauth/login/eduid?next=<my_next_page>";
By default the CESNET module will first check whether a link already exists between an eduID account and a user. If no link is found, it will be created. Any external Perun groups will be automatically linked to Invenio roles on each login.
For more details you can play with a :doc:`working example <examplesapp>`.
If you wish to prevent this module from managing (adding/removing users to/from role) certain Invenio roles, configure such roles in:
OAUTHCLIENT_CESNET_OPENID_PROTECTED_ROLES = ['admin']
"""Role names that shouldn't be managed/(un)assigned to users by this extension."""
CLI
To manage CESNET group to Invenio Role mappings you can use the following CLI command group:
$ invenio cesnet:groups --help
Usage: invenio cesnet:group [OPTIONS] COMMAND [ARGS]...
Management commands for CESNET external group mappings.
Options:
--help Show this message and exit.
Commands:
add Add a CESNET group to Invenio Role.
create Create an external CESNET group.
list List external CESNET groups.
remove Remove a CESNET group from an Invenio Role.
Customization
To customize group handling and validation, refer to your custom validation and parse functions using the following config values:
OAUTHCLIENT_CESNET_OPENID_GROUP_VALIDATOR = 'cesnet_openid_remote.groups.validate_group_uri'
"""Function used to validate external group URI."""
OAUTHCLIENT_CESNET_OPENID_GROUP_PARSER = 'cesnet_openid_remote.groups.parse_group_uri'
"""Function used to parse external group URI to (UUID, extra_data) pair."""
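A stricter validator and parser pair that the two settings above could point to, as an added example that is not code from this project. Because accepted group URIs end up driving role assignment, it rejects anything outside one trusted namespace and authority. The group URI layout, the trusted prefix and authority, the sample URI and the single-string-argument signatures are assumptions.

```python
import uuid
from urllib.parse import parse_qs

# Assumptions (not stated on the page): the URI layout
# '<prefix><uuid>?<query>#<authority>', the trusted values below,
# and the one-string-argument signatures of both functions.
TRUSTED_PREFIX = "urn:geant:cesnet.cz:groupAttributes:"
TRUSTED_AUTHORITY = "perun.cesnet.cz"
# Constructed sample input, not a real group.
SAMPLE = (TRUSTED_PREFIX + "f0c14f62-b19c-447e-b044-c3098cebb426"
          "?displayName=example#" + TRUSTED_AUTHORITY)


def _split(group_uri):
    """Return (canonical UUID string, query string) or raise ValueError."""
    if not isinstance(group_uri, str):
        raise ValueError("group URI must be a string")
    if not group_uri.startswith(TRUSTED_PREFIX):
        raise ValueError("unexpected namespace")
    rest = group_uri[len(TRUSTED_PREFIX):]
    rest, sep, authority = rest.rpartition("#")
    if not sep or authority != TRUSTED_AUTHORITY:
        raise ValueError("untrusted or missing authority")
    raw_uuid, _, query = rest.partition("?")
    parsed = uuid.UUID(raw_uuid)  # ValueError on malformed input
    # Reject non-canonical spellings (upper case, braces, no hyphens)
    # so one group can never be stored under two different keys.
    if str(parsed) != raw_uuid:
        raise ValueError("non-canonical UUID")
    return raw_uuid, query


def validate_group_uri(group_uri):
    """Return True only for URIs from the trusted namespace and authority."""
    try:
        _split(group_uri)
    except ValueError:
        return False
    return True


def parse_group_uri(group_uri):
    """Return a (UUID, extra_data) pair; raise ValueError if invalid."""
    group_uuid, query = _split(group_uri)
    extra_data = {key: values[0] for key, values in parse_qs(query).items()}
    return group_uuid, extra_data
```

To use functions like these, set OAUTHCLIENT_CESNET_OPENID_GROUP_VALIDATOR and OAUTHCLIENT_CESNET_OPENID_GROUP_PARSER to their dotted paths in your own module.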
Further documentation is available on https://cesnet-openid-remote.readthedocs.io/
Copyright (C) 2021 CESNET.
CESNET-OpenID-Remote is free software; you can redistribute it and/or modify it under the terms of the MIT License; see LICENSE file for more details.
Changes
Version 0.1.0 (released TBD)
- Initial public release.