PAS plugin for Plone. Allow users to login using social networks through Velruse
A PAS plugin for Plone that authenticates users from social networks through Velruse.
This Plone plugin lets you enable authentication of social network users on Plone sites, using Velruse.
Velruse is a Pyramid application, defined by its own documentation as follows:
Velruse is a set of authentication routines that provide a unified way to have a website user authenticate to a variety of different identity providers and/or a variety of different authentication schemes.
It is similar in some ways to Janrain Engage with the exception of being open-source, locally installable, and easily pluggable for custom identity providers and authentication schemes.
—from Velruse documentation
The Plone ecosystem already has at least one plugin for general social authentication: plonesocial.auth.rpx. But in some environments (for example public companies, or any use case where user privacy must follow strict rules) this kind of hosted service can't be used.
Privacy apart, Velruse is **open source** and **easily pluggable**: you can provide authentication providers for new services not covered by Janrain.
Check also this Velruse presentation for more.
Velruse can be executed as a separate Pyramid service, and this is the setup the Plone plugin needs: Plone talks to Velruse using HTTP requests.
TODO: recent Zope versions can be executed in a WSGI stack. Maybe a future version of the plugin will also support this alternative. Who knows.
Just add pas.plugins.velruse to your buildout configuration and re-run it.
    [instance]
    recipe = plone.recipe.zope2instance
    ...
    eggs =
        ...
        pas.plugins.velruse

After restarting Plone, add the “Velruse authentication plugin” product to your Plone site.
All configuration is done through the “Velruse integration settings” panel, from the Plone control panel.
The first section is for configuration that globally controls how Plone talks to Velruse, plus other user interface options.
- Site login enabled: whether to keep the standard Plone site login form enabled or not.
- Authentication services enabled: a configuration list of the available Velruse backends. See below.
- Connection timeout: a timeout value for connections to the Velruse server.
The “Authentication services enabled” configuration is composed of a set of triplets:
- (optional) A descriptive name of the remote service. For example: “Facebook”.
- URL or path (mandatory): the URL or path to the running Velruse service. Please note: this must be a public URL that the user is able to access. It is not strictly mandatory, but if it is not provided the login method is not displayed in the login form.
- (optional) URL or path of an icon recalling the service logo. The default CSS implementation is for 64x64px images.
The URLs above can be absolute (“http://auth.yourservice.com/login/facebook”) or relative to the portal root URL, by using a leading slash (“/velruse/login/facebook”). The latter helps when keeping Plone and Velruse behind Apache.
This information is used to properly configure the new login form.
The other configuration section relates to the Velruse PAS plugin(s).
- Velruse server host: the hostname of the Pyramid Velruse service. For example: 127.0.0.1:8080 if Velruse runs on the same server as Plone.
- Velruse auth info path: the configured Pyramid route for calling auth_info. Default is /velruse/auth_info.
Keep in mind this warning taken from the official Velruse documentation:
The /auth_info URL should be considered sensitive and only trusted services should be allowed access. If an attacker intercepts an authentication token, they could potentially query /auth_info and learn all of the credentials for the user.
- User roles: the set of default roles automatically given to users that authenticate through the Velruse plugin. Defaults to “Members” only.
You also have two additional forms, “Users management” and “Blacklist management”, to manage user data inside the plugin. You can delete data or add the user to the blacklist. Blacklisted users can't authenticate anymore.
Right now only Twitter, Facebook, Linkedin and Google+ are configured out of the box:
- from Twitter: fullname, location, personal home page and portrait (no e-mail can be read)
- from Facebook: fullname, e-mail and portrait
- from Linkedin: fullname, e-mail and portrait (you must properly configure the Linkedin API)
- from Google: fullname and e-mail
But Velruse supports a lot of additional providers; if you want to enable more (this also applies to custom providers) you must configure the plugin, setting which data to try to read by changing a configuration variable:

    from pas.plugins.velruse.config import PROPERTY_PROVIDERS_INFO
    PROPERTY_PROVIDERS_INFO['yourmagicnewprovider'] = ('fullname', 'email', 'description')

TODO: this will probably change in the future, maybe replaced by a blacklist of properties you don't want to read, or something configurable TTW.
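As an added illustration (not code from pas.plugins.velruse), the following shows how a Plone-side client would build the server-to-server call to Velruse's auth_info route from the settings above (host, path, timeout) and then read only the properties registered for a provider in PROPERTY_PROVIDERS_INFO. The local copy of that dictionary, the Portable Contacts field mapping and the `format=json` / `token` POST parameters are assumptions; the response is a constructed sample.

```python
import urllib.parse
import urllib.request

# Local stand-in for pas.plugins.velruse.config.PROPERTY_PROVIDERS_INFO (assumed
# shape), so the example runs without Plone installed.
PROPERTY_PROVIDERS_INFO = {
    'facebook': ('fullname', 'email', 'portrait'),
    'google': ('fullname', 'email'),
}
# Registering a custom provider, as the configuration variable above suggests.
PROPERTY_PROVIDERS_INFO['yourmagicnewprovider'] = ('fullname', 'email', 'description')


def _profile_value(profile, prop):
    """Assumed mapping from Velruse's Portable Contacts profile to a Plone property."""
    if prop == 'fullname':
        return profile.get('displayName')
    if prop == 'email':
        emails = profile.get('emails') or []
        return emails[0].get('value') if emails else None
    if prop == 'portrait':
        photos = profile.get('photos') or []
        return photos[0].get('value') if photos else None
    return profile.get(prop)


def build_auth_info_request(host, auth_info_path, token, timeout):
    """Build the POST Plone sends to the internal Velruse host. The token is the
    sensitive value from the warning above: it only travels from Plone to Velruse
    and is never exposed to the browser."""
    url = 'http://%s%s?format=json' % (host, auth_info_path)
    body = urllib.parse.urlencode({'token': token}).encode('ascii')
    return urllib.request.Request(url, data=body, method='POST'), timeout


def extract_user_properties(provider, auth_info):
    """Keep only the properties registered for `provider`; an unregistered
    provider yields nothing, matching the 'configure the plugin first' rule."""
    wanted = PROPERTY_PROVIDERS_INFO.get(provider, ())
    profile = auth_info.get('profile', {})
    result = {}
    for prop in wanted:
        value = _profile_value(profile, prop)
        if value is not None:
            result[prop] = value
    return result


# Constructed sample auth_info response (not captured from a real service).
SAMPLE_AUTH_INFO = {
    'profile': {
        'displayName': 'Jane Doe',
        'emails': [{'value': 'jane@example.org'}],
        'photos': [{'value': 'http://example.org/jane.png'}],
    },
    'credentials': {'oauthAccessToken': 'constructed-secret'},
}
```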
- Plone 3.3
- Plone 4.2
- Plone 4.3
All using Velruse 1.1.
- Initial release