conwetlab / ckanext-oauth2

OAuth2 support for CKAN
GNU Affero General Public License v3.0

oauth2 and authorization #26

Closed argiris-mat closed 6 years ago

argiris-mat commented 6 years ago

Hi there,

I'm facing some issues with the combination of ckanext-oauth2 0.6.1, keycloak and ckan 2.8.1.

I get the following logs, I pasted a short version.

ckan | 2018-10-15 11:15:54,240 DEBUG [ckan.logic] check access NotAuthorized - package_show user= "User not authorized to read package ef123867-46d9-4fbf-b339-9ca7cf63b379"
ckan | 2018-10-15 11:15:54,248 DEBUG [ckan.views] No valid session data - deleting session
ckan | 2018-10-15 11:15:54,438 DEBUG [ckanext.oauth2.plugin] identify
ckan | 2018-10-15 11:15:54,438 WARNI [ckanext.oauth2.plugin] The user is not currently logged.

Is version 0.6.1 compatible with ckan 2.8.1?

The expected behaviour is to be able to authenticate with either admin or sso users and assign sso users to groups having access to different resources.

Currently when you create a user, it's not a system user but a group user. I'm wondering what's the authentication/authorisation architecture. I'm happy to contribute documentation if you help me understand the expected behaviour.

Cheers

aitormagan commented 6 years ago

Hi!

AFAIK, version 0.6.1 must be compatible with ckan 2.8.1 (see #19).

On the other hand, as far as I remember, when you login using this extension, users are created with a general role and are not included in any group. That means that even if you are an admin in KeyCloak, you won't be an admin in your CKAN instance unless you execute the proper command once the user has logged in for the first time. Same thing for the groups/organizations: users must be introduced in CKAN groups once logged in.

I do not know if this helps. If you have any other doubt, please, do not hesitate to answer in this issue.

BR Aitor

argiris-mat commented 6 years ago

Thank you for the reply.

This was my impression as well but I was not able to figure out how I assign them to groups. I create my user with my email but the username was a random string. Is it possible for this to be configurable? Something like ckan.auth.sso_user_groups = group1, group2, ckan.auth.sso_admin_groups = group3, group4.

Another error message I was getting was that users couldn't access "packages". Is a package the same as a group?

Cheers

aitormagan commented 6 years ago

I guess what you ask can be developed but I am afraid you will have to do it on your own :(. Anyway, even if a random string is assigned as the user name, the display name can be used to assign the user to groups as stated in: https://docs.ckan.org/en/ckan-2.7.3/user-guide.html#managing-an-organization

As far as I remember, the package asset refers to datasets but I am not quite sure. Can you confirm that the ef123867-46d9-4fbf-b339-9ca7cf63b379 dataset is public or the logged user has enough privileges to access it?

BR Aitor
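The two answers above describe the gap: ckanext-oauth2 creates the CKAN user on first login, but organization membership (and the role inside it) has to be granted afterwards, either by hand in the CKAN UI or by a script. The group-to-organization mapping that argiris-mat asked for is not a feature of the extension, but it can be done as a post-login step against the CKAN action API. The example below is added here and is not code from ckanext-oauth2 or CKAN; it assumes the identity provider exposes a `groups` claim in the token (Keycloak can be configured to emit one, but the claim name and the group names used here are constructed placeholders), that `DEFAULT_GROUP_MAP` is a site-specific mapping you maintain, and that the CKAN action `organization_member_create` with `id`, `username` and `role` is called with a sysadmin API key. The mapping is deny-by-default (IdP groups that are not in the map grant nothing) and it never grants sysadmin, which keeps the IdP from escalating privileges in CKAN through an unexpected claim.

```python
"""Added example (not part of ckanext-oauth2): map identity-provider group
claims to CKAN organization memberships after an OAuth2 login."""
import json
from typing import Dict, Iterable, List, Tuple
from urllib import request

# Constructed, site-specific mapping: IdP group -> (CKAN organization, role).
# Only groups listed here grant anything; everything else is ignored.
DEFAULT_GROUP_MAP: Dict[str, Tuple[str, str]] = {
    "data-readers": ("research-org", "member"),
    "data-editors": ("research-org", "editor"),
    "org-admins": ("research-org", "admin"),
}

# CKAN organization roles, lowest privilege first. Sysadmin is deliberately
# absent: it must be granted by an operator with `ckan sysadmin add`, never
# derived from an IdP claim.
ROLE_RANK = {"member": 0, "editor": 1, "admin": 2}


def groups_from_claims(claims: dict, claim_name: str = "groups") -> List[str]:
    """Extract the group list from decoded token claims.

    `claim_name` is an assumption about how the IdP mapper is configured;
    a missing or malformed claim yields no groups (deny by default)."""
    value = claims.get(claim_name)
    if not isinstance(value, list):
        return []
    # Keycloak group paths look like "/data-editors"; strip the leading slash.
    return [str(g).lstrip("/") for g in value if isinstance(g, str)]


def plan_memberships(idp_groups: Iterable[str],
                     group_map: Dict[str, Tuple[str, str]] = DEFAULT_GROUP_MAP
                     ) -> Dict[str, str]:
    """Return {organization: role}, keeping the highest mapped role per org.

    Unknown groups and unknown roles are skipped rather than guessed."""
    plan: Dict[str, str] = {}
    for group in idp_groups:
        mapping = group_map.get(group)
        if mapping is None:
            continue
        org, role = mapping
        if role not in ROLE_RANK:
            continue
        current = plan.get(org)
        if current is None or ROLE_RANK[role] > ROLE_RANK[current]:
            plan[org] = role
    return plan


def build_member_calls(username: str, plan: Dict[str, str]
                       ) -> List[Tuple[str, dict]]:
    """Turn a membership plan into (action, payload) pairs for the CKAN API.

    `username` is the CKAN user name the extension generated at first login
    (the random string argiris-mat mentioned), not the display name."""
    return [
        ("organization_member_create",
         {"id": org, "username": username, "role": role})
        for org, role in sorted(plan.items())
    ]


def apply_plan(ckan_url: str, api_key: str, username: str,
               plan: Dict[str, str]) -> List[dict]:
    """POST each planned membership to <ckan_url>/api/3/action/<action>.

    Requires a sysadmin API key; returns the parsed JSON responses."""
    results = []
    for action, payload in build_member_calls(username, plan):
        req = request.Request(
            f"{ckan_url.rstrip('/')}/api/3/action/{action}",
            data=json.dumps(payload).encode("utf-8"),
            headers={"Content-Type": "application/json",
                     "Authorization": api_key},
            method="POST",
        )
        with request.urlopen(req, timeout=10) as resp:
            results.append(json.load(resp))
    return results


if __name__ == "__main__":
    # Constructed token claims, as a Keycloak group mapper might emit them.
    claims = {"preferred_username": "alice",
              "groups": ["/data-readers", "/data-editors", "/unrelated"]}
    plan = plan_memberships(groups_from_claims(claims))
    for action, payload in build_member_calls("a1b2c3d4", plan):
        print(action, payload)
```

Run the plan step on the token claims right after `identify` succeeds, then call `apply_plan` with a sysadmin key (the CKAN user name comes from the user record the extension created, not from the IdP). The `NotAuthorized ... package_show` line in the logs is a dataset-level check: it fires when the dataset is private and the user is not yet a member of its owning organization, so running the membership step before the user opens the dataset is what makes the expected behaviour from the first post possible.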

argiris-mat commented 6 years ago

Thank you for the clarification, I will have another look. I will close this ticket.