Skip to main content

Pas plugin use to connect to

Project description

Install local or remote connector to Imio authentic (SSO).


  • Override Plone login page
  • Connect with SSO
  • Disabled edition of username and e-mail
  • Connect with JWT
CI Status Coveralls


You need libffi-dev and openssl-dev packages installed (sudo apt install libffi-dev openssl-dev) Install pas.plugins.imio by adding it to your buildout:



eggs =

And then running bin/buildout

After your instance is up, you can now install pas.plugins.imio from addons page.


To update list of users, go to one of this view :

  • /@@add-authentic-users?type=usagers
  • /@@add-authentic-users?type=agents

To login with an user registred into Plone/Zope instead of pas plugin use this view :

  • Plone 4: ${portal_url}/login_form
  • Plone 5.2+: ${portal_url}/zope_login

You can also use plone default view for login with zope admin: aq_parent/@@plone-root-login

How to use JWT

First, add an Openid Connect client to Authentic with these options:

  • Processus d’autorisation : mot de passe du propriétaire de ressource
  • Politique des identifiants : identifiant unique
  • Portée de cession par crédentiels du propriétaire de la ressource : openid
  • Algorithme de signature IDToken : RSA
  • Oidc claims : userid | django_user_identifier | openid

Second, you can ask Authentic to get a JWT

Python code example:

import requests

url = "http://agents.localhost/idp/oidc/token/"
payload = {
    "grant_type": "password",
    "client_id": "client-id-plone5-app",
    "client_secret": "client-secret-plone5-app",
    "username": "jdoe",
    "password": "jdoe",
    "scope": ["openid"],
headers = {
    "Content-Type": "application/x-www-form-urlencoded",

response =, headers=headers, data=payload).json()
id_token = response.get("id_token")

Finally, you can request Plone with bearer header:

import requests

url = "http://localhost:8081/imio/test-1/"
headers = {
    "Accept": "application/json",
    "Authorization": "Bearer {0}".format(id_token),

response = requests.get(url, headers=headers)


This product has been translated into

  • English
  • French


The project is licensed under the GPLv2.



2.0.6 (2022-07-18)

  • Do not verify_signature for jwt call because of error: “Could not deserialize key data”. [bsuttor]

2.0.5 (2022-07-13)

  • Keep old roles on migration of users. [bsuttor]

2.0.4 (2022-07-13)

  • Temporary remove override because it do not work on Plone 6. [bsuttor]
  • Add possibility to remove old user (without login). [bsuttor]

2.0.3 (2022-06-29)

  • Migration code refactoring & add tests [laulaz]

2.0.2 (2022-06-29)

  • Add migration code (to new userid) for local roles / ownership [laulaz]

2.0.1 (2022-06-15)

  • Add posibility to delete user on zmi view. [bsuttor]
  • Improve user migration code [laulaz]
  • Verify signature for login with JWT. [bsuttor]

2.0 (2022-06-01)

  • Get userid and user login for user connected by JWT. [bsuttor]
  • Allow user search on any parts of id/login/email (not just the start) [laulaz]
  • Use uuid as plone instead of username. [bsuttor, laulaz]
  • Be aware of next url when you call auhentic users api. [bsuttor]
  • Add zmi view of users. [bsuttor]

1.0.11 (2022-04-21)

  • Revert previous release. [bsuttor]

1.0.10 (2022-04-21)

  • Nothing changed yet.

1.0.9 (2022-01-19)

  • Get rid of includeDependencies for Plone 6 compatibility. [laulaz]

1.0.8 (2021-10-15)

  • Fill username when user is created with JWT. [bsuttor]

1.0.7 (2021-10-15)

  • Create user with JWT token on first connection. [bsuttor]

1.0.6 (2021-06-01)

  • Fixed ModuleNotFoundError: No module named ‘App.class_init’ on Zope 5. [bsuttor]
  • Add JWT support. [bsuttor]

1.0.5 (2021-01-04)

  • Improve Anysurfer integration. [bsuttor]
  • Added revoke-user-access page to remove a user from its groups and revoke its roles. [odelaere]

1.0.4 (2020-10-08)

  • Plugin also provide IUserIntrospection so user from Authentic PAS plugin will also listed in api.user.get_users(). [bsuttor]
  • Use IItem for Object to redirect imio_login instead of INavigation. It’s solved bug to redirect from other page than root navigation, and so page which required access. [bsuttor]
  • Fix redirect after login for Plone < 5.2. [odelaere]

1.0.3 (2020-07-30)

  • Add Plone 5 testing profile. [bsuttor]

1.0.2 (2020-07-16)

  • Fix(testing profile): dependency of plone4 profile do not exists, use default. [bsuttor]

1.0.1 (2020-07-16)

  • Add plone 4 testing profile. [bsuttor]
  • Do not install usager login by default. [bsuttor]
  • Fix: import zcml permission from [bsuttor]

1.0.0 (2020-05-29)

  • Fix: set username on python3 when new user added. [bsuttor]

1.0b11 (2020-03-27)

  • Also see came_from on request for next url. [bsuttor]

1.0b10 (2020-03-27)

  • Fix: redirect on homepage. [bsuttor]
  • Improve next_url login. [bsuttor]

1.0b9 (2020-02-26)

  • Use state / user_state to redirect to page which apply SSO. [bsuttor]

1.0b8 (2020-02-21)

  • Set talk less. [bsuttor]

1.0b7 (2020-02-11)

  • Fix french typo. [bsuttor]

1.0b6 (2020-02-07)

  • Add dependency. [bsuttor]

1.0b5 (2020-02-07)

  • Improve python3 compatibility, check if python 2 before safe_utf8. [bsuttor]

1.0b4 (2020-02-07)

  • Bad release. [bsuttor]

1.0b3 (2020-02-07)

  • Override plone userlist page to add link to WCA on Plone 5. [bsuttor]
  • Add zope_login to bypass SSO auth. [bsuttor]

1.0b2 (2020-02-04)

  • Fix python3 EnumerateUsers. [bsuttor]
  • Override plone userlist page to add link to WCA. [bsuttor]

1.0b1 (2019-12-16)

  • Python 3 support. [bsuttor]

1.0a10 (2019-11-18)

  • Add css for login-page [bsuttor]
  • Add fr translations. [bsuttor]

1.0a9 (2019-11-05)

  • Override default login_form template (with z3c.jbot) to allow login with zope admin and an external url set. [bsuttor]

1.0a8 (2019-09-04)

  • Set Site Manager role to user with admin of service role on Authentic. [bsuttor]

1.0a7 (2019-06-28)

  • Set Manager role if you are into admin role on Authentic. [bsuttor]
  • Add Member role to user connected with Authentic. [bsuttor]

1.0a6 (2019-05-20)

  • Get logout hostname redirect from agents config. [bsuttor]
  • Add roles scope on agents. [bsuttor]

1.0a5 (2019-05-09)

  • Add userfactories to connect with email for usagers and with userid of agents. [bsuttor]

1.0a4 (2019-04-26)

  • Use different OU for usagers and agents. [bsuttor]

1.0a3 (2019-04-25)

  • Use different usagers and agents environement variables to connect to SOO. [bsuttor]

1.0a2 (2019-04-25)

  • Use agents and usagers to connect to Plone. [bsuttor]

1.0a1 (2018-03-28)

  • Initial release. [bsuttor]

Project details

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

pas.plugins.imio-2.0.6.tar.gz (55.4 kB view hashes)

Uploaded source

Supported by

AWS AWS Cloud computing Datadog Datadog Monitoring Facebook / Instagram Facebook / Instagram PSF Sponsor Fastly Fastly CDN Google Google Object Storage and Download Analytics Huawei Huawei PSF Sponsor Microsoft Microsoft PSF Sponsor NVIDIA NVIDIA PSF Sponsor Pingdom Pingdom Monitoring Salesforce Salesforce PSF Sponsor Sentry Sentry Error logging StatusPage StatusPage Status page