collective / pas.plugins.oidc

PAS plugin for OpenID Connect authentication
Other
3 stars 13 forks source link
hacktoberfest oidc-client plone plone-addon
pas.plugins.oidc logo

pas.plugins.oidc

[![PyPI](https://img.shields.io/pypi/v/pas.plugins.oidc)](https://pypi.org/project/pas.plugins.oidc/) [![PyPI - Python Version](https://img.shields.io/pypi/pyversions/pas.plugins.oidc)](https://pypi.org/project/pas.plugins.oidc/) [![PyPI - Wheel](https://img.shields.io/pypi/wheel/pas.plugins.oidc)](https://pypi.org/project/pas.plugins.oidc/) [![PyPI - License](https://img.shields.io/pypi/l/pas.plugins.oidc)](https://pypi.org/project/pas.plugins.oidc/) [![PyPI - Status](https://img.shields.io/pypi/status/pas.plugins.oidc)](https://pypi.org/project/pas.plugins.oidc/) [![PyPI - Plone Versions](https://img.shields.io/pypi/frameworkversions/plone/pas.plugins.oidc)](https://pypi.org/project/pas.plugins.oidc/) [![Meta](https://github.com/collective/pas.plugins.oidc/actions/workflows/meta.yml/badge.svg)](https://github.com/collective/pas.plugins.oidc/actions/workflows/meta.yml) ![Code Style](https://img.shields.io/badge/Code%20Style-Black-000000) [![GitHub contributors](https://img.shields.io/github/contributors/collective/pas.plugins.oidc)](https://github.com/collective/pas.plugins.oidc) [![GitHub Repo stars](https://img.shields.io/github/stars/collective/pas.plugins.oidc?style=social)](https://github.com/collective/pas.plugins.oidc)

Intro

This is a Plone authentication plugin for OpenID Connect. OAuth 2.0 should work as well because OpenID Connect is built on top of this protocol.

Features

Group Enumeration

If you need to support group enumeration from a Keycloak server, we recommend installing the package pas.plugins.keycloakgroups.

Installation

This package supports Plone sites using Volto and Classic UI.

For proper Volto support, the requirements are:

Add pas.plugins.oidc to the Plone installation using pip:

bash pip install pas.plugins.oidc

Requirements

As of version 2.* of this package the minimum requirements are Plone 6.0 and python 3.8.

Warning

Pay attention to the customization of User info property used as userid field, with the wrong configuration it's easy to impersonate another user.

Configure the plugin

Login and Logout URLs

Default UI (Volto)

When using this plugin with a Volto frontend, please install @plone-collective/volto-authomatic add-on on your frontend project.

Also, on the OpenID provider, configure the Redirect URL as <Path to your Plone site>/login-oidc/oidc.

Classic UI

When using this plugin with Plone 6 Classic UI the standard URLs used for login (http://localhost:8080/Plone/login) and logout (http://localhost:8080/Plone/logout) will not trigger the usage of the plugin.

To login into a site using the OIDC provider, you will need to change those login URLs to the following:

Where:

Example setup with Keycloak

The pas.plugins.oidc repository has a working setup for a Keycloak development server using Docker and Docker Compose. To use it, in a terminal, run the command:

Start-up

make keycloak-start

This does not give you a production setup, but it is fine for local development.

This command will use the docker-compose.yml file available in the tests directory.

Manage Keycloak

After start up, Keycloak will be accessible on http://127.0.0.1:8180, and you can manage it with the following credentials:

Realms

There are two realms configured plone and plone-test. The later is used in automated tests, while the former should be used for your development environment.

The plone realm ships with an user that has the following credentials:

And, to configure the oidc plugins, please use:

Stop Keycloak

To stop a running Keycloak (needed when running tests), use:

make keycloak-stop

Warning

Attention, before Keycloak 18, the parameter for logout was redirect_uri and it has been deprecated since version 18. But the Keycloak server can run with the redirect_uri if needed, it is possible to use the plugin with the legacy redirect_uri parameter enabled also. The problem is that if the deprecated parameter is enabled in the plugin but not in the server, the plugin will not work.

So, this is the way it works:

So, for Keycloak, it does not matter if we use the default or legacy mode if the Keycloak runs in legacy mode.

Notes:

Additional Documentation

Please refer to the Keycloak documentation for up to date instructions. Specifically, here we will use a Docker image, so follow the instructions on how to get started with Keycloak on Docker.

Setup Plone as a client

Plone is ready done configured!

See this screenshot:

Login

Go to the other browser, or logout as admin from Keycloak Admin Console. Currently, the Plone login form is unchanged.

Instead, for testing go to the login page of the plugin: http://localhost:8080/Plone/acl_users/oidc/login, this will take you to Keycloak to login, and then return. You should now be logged in to Plone, and see the full name and email, if you have set this in Keycloak.

Logout

If the login did work as expected you can try to Plone logout. Currently, the Plone logout form is unchanged.

Instead, for testing go to the logout page of the plugin: http://localhost:8080/Plone/acl_users/oidc/logout, this will take you to Keycloak to logout, and then return to the post-logout redirect URL.

Technical Decisions

Usage of sessions in the login process

This plugin uses sessions during the login process to identify the user while he goes to the OIDC provider and comes back from there.

The plugin has 2 ways of working with sessions:

Settings in environment variables

Optionally, instead of editing your OIDC provider settings through the ZMI, you can use collective.regenv and provide a YAML file with your settings. This is very useful if you have different settings in different environments and you do not want to edit the settings each time you move the contents.

Varnish

Optionally, if you are using the Varnish caching server in front of Plone, you may see this plugin only partially working. Especially the came_from parameter may be ignored. This is because the buildout standard configuration from plone.recipe.varnish removes most cookies to improve anonymous caching.

The solution is to make sure the __ac_session cookie is added to the cookie-pass option. Check what the current default is in the buildout recipe, and update it:

Contribute

Local Development Setup

You need a working python environment (system, virtualenv, pyenv, etc) version 3.8 or superior.

Then install the dependencies and a development instance using:

make install

Start Local Server

Start Plone, on port 8080, with the command:

make start

Keycloak

The pas.plugins.oidc repository has a working setup for a Keycloak development server using Docker and Docker Compose. To use it, in a terminal, run the command:

make keycloak-start

There are two realms configured plone and plone-test. The later is used in automated tests, while the former should be used for your development environment.

The plone realm ships with an user that has the following credentials:

To stop a running Keycloak (needed when running tests), use:

make keycloak-stop

Update translations

make i18n

Format codebase

make format

Run tests

Testing of this package is done with pytest and tox.

Run all tests with:

make test

Run all tests but stop on the first error and open a pdb session:

./bin/tox -e test -- -x --pdb

Run tests named TestServiceOIDCPost:

./bin/tox -e test -- -k TestServiceOIDCPost

References

License

The project is licensed under the GPLv2.