conwetlab / ckanext-oauth2

OAuth2 support for CKAN
GNU Affero General Public License v3.0

I am Unable to authenticate CKAN 2.7.2(running on http) using oauth2 on WSO2 Identity Server #22

Closed kushagrasrivastva-NEC closed 5 years ago

kushagrasrivastva-NEC commented 6 years ago

Referring to this article : https://github.com/conwetlab/ckanext-oauth2/wiki/Activating-and-Installing

I used all the mentioned configuration on the above given URL and configured ckan accordingly.

At the same time, I registered my CKAN app on WSO2 IS with callback url and the necessary things by referring to this url: https://docs.wso2.com/display/IS550/Adding+and+Configuring+a+Service+Provider

ckan.oauth2.authorization_endpoint = https:///oauth2/authorize
ckan.oauth2.token_endpoint = https:///oauth2/token
ckan.oauth2.profile_api_url = https:///oauth2/userinfo
ckan.oauth2.client_id = 5seegwA5oh2n83bylenNmq8lbEca
ckan.oauth2.client_secret = _AamqYSNK1JmaHCXciMu3d_sgvca
ckan.oauth2.scope = all_info
ckan.oauth2.rememberer_name = auth_tkt
ckan.oauth2.profile_api_user_field = id
ckan.oauth2.profile_api_fullname_field = displayName
ckan.oauth2.profile_api_mail_field = email
ckan.oauth2.authorization_header = Authorization

Also, have exported the following while running ckan using paster serve :

export OAUTHLIB_INSECURE_TRANSPORT=True

Also, I have added an application (ckan provider) in WSO2-IS also with callback URL = where the CKAN instance is running (i.e a private IP of 172.30.66.XX type running on port 5000)

& run through run using paster serve /etc/ckan/default/development.ini

After doing the following, I get an error on the CKAN side

image

@aarranz If you can please intervene and help regarding this? Are we missing something on CKAN side or WSO2 side ??

aarranz commented 6 years ago

Hi @kushagrasrivastva-NEC!

I have deployed a WSO2-IS instance (v5.6.0), CKAN 2.8 and ckanext-oauth2 v0.6.0 and I'm getting a different error message:

(invalid_request) Request body and headers contain authorization information

I have deployed WSO2-IS using docker and the only version I see is v5.6.0 (I'm saying this because I have seen that the documentation link you provided is from v5.5.0, are you using this version?).

Anyway, I have found where the problems are and I was able to make it work, I will polish the changes and make a PR asap. I guess those changes will also work for v5.5.0... but I cannot guarantee this point. The only thing I had to change in the configuration is the requested scopes:

ckan.oauth2.scope = all_info openid

Regarding the mapping about user profile fields, it seems to be correct, although it depends on the list of claims and the mappings you configured both in the service provider and in the identity module of WSO2-IS.

I have used this claim configuration on the service provider:

screen shot 2018-07-24 at 20 57 03

and the following ckanext-oauth2 configuration:

ckan.oauth2.profile_api_user_field = email
ckan.oauth2.profile_api_fullname_field = name
ckan.oauth2.profile_api_mail_field = email

kushagrasrivastva-NEC commented 6 years ago

Hi @aarranz Thanks for your prompt reply. I am using CKan 2.7.2 , WSO2-IS 5.1 and ckanext-oauth2 (oauthlib==0.8.0) , will it be giving a problem in authentication process?? Can it be a version dependency issue??

I have followed the given steps. Kindly correct if I am missing or doing something wrong:

Now, it gives below error. image

Also, please share the service provider settings you used in WSO2-IS, if any. Please, suggest what else can be done to make it work.

Also, can you please tell what is the purpose for using the claim mapping configuration.

aarranz commented 6 years ago

> I am using CKan 2.7.2 , WSO2-IS 5.1 and ckanext-oauth2 (oauthlib==0.8.0) , will it be giving a problem in authentication process?? Can it be a version dependency issue??

Probably the changes I made work with this configuration but, as I have used different versions for testing, I cannot confirm this. Anyway, I have just released v0.6.1, please update your ckanext-oauth2 version (e.g. by issuing the following command: pip install ckanext-oauth2==0.6.1) and try again.

> I have followed the given steps. Kindly correct if I am missing or doing something wrong:
>
> • I have used API store and published ckan application.
> • Entered the ckan callback url as http://url-of-ckan/oauth2/callback
> • Entered the generated client ID and client secret from step 1 in ckan configuration.
> • Also, made the given changes mentioned by you regarding claim configurations and ckanext-oauth2 configurations. Now, it gives below error.
>
> [image]

I'm not a WSO2-IS expert, but it seems to be an error with the session, please try removing cookies and signing in again from scratch.

> Also, can you please tell what is the purpose for using the claim mapping configuration.

The purpose is that without this configuration, the oauth2 application is not able to retrieve that information using the https:///oauth2/userinfo API endpoint. You can get more details about this in the «Invoking the userinfo endpoint» section (ckanext-oauth2 currently does not support JWT) of the WSO documentation.
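As an added illustration of the scope and claim-mapping points in this thread (not code from ckanext-oauth2 or from any commenter), this Python sketch checks a `ckan.oauth2.*` fragment against a userinfo response before CKAN is restarted. The host `idp.example.org`, the sample userinfo body and the function names are constructed for the example.

```python
from urllib.parse import urlparse

# Constructed sample: idp.example.org is a placeholder host, not from the thread.
SAMPLE_CONFIG = """
ckan.oauth2.authorization_endpoint = https://idp.example.org/oauth2/authorize
ckan.oauth2.token_endpoint = https://idp.example.org/oauth2/token
ckan.oauth2.profile_api_url = https:///oauth2/userinfo
ckan.oauth2.scope = all_info
ckan.oauth2.profile_api_user_field = id
ckan.oauth2.profile_api_fullname_field = displayName
ckan.oauth2.profile_api_mail_field = email
"""
# Constructed userinfo body: only the claims mapped on the service provider appear.
SAMPLE_USERINFO = {"sub": "admin", "email": "admin@example.org", "name": "Admin User"}

PREFIX = "ckan.oauth2."
ENDPOINTS = ("authorization_endpoint", "token_endpoint", "profile_api_url")
FIELDS = ("profile_api_user_field", "profile_api_fullname_field", "profile_api_mail_field")

def parse_settings(text):
    """Collect ckan.oauth2.* keys from ini-style text, without the prefix."""
    settings = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip().startswith(PREFIX):
            settings[key.strip()[len(PREFIX):]] = value.strip()
    return settings

def check(settings, userinfo, environ=None):
    """Return a list of problems that would break or weaken the OAuth2 login."""
    environ = environ or {}
    problems = []
    for name in ENDPOINTS:
        url = urlparse(settings.get(name, ""))
        if not url.hostname:
            problems.append(f"{name}: URL has no host")
        elif url.scheme != "https":
            problems.append(f"{name}: not https")
    if "openid" not in settings.get("scope", "").split():
        problems.append("scope: 'openid' not requested")
    for name in FIELDS:
        field = settings.get(name)
        if field not in userinfo:
            problems.append(f"{name}: claim '{field}' absent from userinfo response")
    if environ.get("OAUTHLIB_INSECURE_TRANSPORT"):
        problems.append("OAUTHLIB_INSECURE_TRANSPORT set: oauthlib HTTPS check disabled")
    return problems
```

Passing `os.environ` as the third argument also reports when the oauthlib HTTPS requirement has been switched off for the running process.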

aarranz commented 6 years ago

Any progress/feedback?

Take into account that this ticket was closed automatically when we merged #23. But we are still working on it, and we need confirmation from your side 😄.

Cheers