I am trying to integrate the ckanext-oauth2 extension into CKAN v2.10.1. However, I am encountering "pylons and xmlrpclib" error while integrating extension.

In my analysis, I found that these errors are occurring due to flask and python3 changes in CKAN latest code whereas this extension is supporting python2 only.

I have asked CKAN community about this issue on ticket #7744. On this ticket community has suggested to changes in the extension to support Python 3 and Flask in order to make it compatible with CKAN's latest code.

Please confirm if it is okay to fix according to the issue confirmed in CKAN?

Very thanks for your project.
My execution environment is built with these versions.

• AWS Fargate
  • CKAN [2.9.5]
  • ckanext-oauth2 [0.7.0]
• Amazon ELB (for "https" front-end listener)
• Amazon Cognito

I hava questions for re-login.

I operated my browser like these.

1. I browsed my CKAN top page.
2. I clicked "Log in". My browser displayed "sign in dialog".
3. I entered "Username" and "Password" and click "Sign in".
4. I got success logged in.
5. I Clicked "Logout". My browser displayed "Logged Out" message.
6. I clicked "Log in" again.
7. I got success logged in WITHOUT sign in dialog.

Is this behavior normal?

What should I do if I want to log in with a different account?

regards

If the CKAN instance is working over HTTPs and the certificates are not valid, DataPuser fails. The behaviour should be studied when the CKAN instance is working over HTTPs with valid certificates.

Very thanks for your project.

My execution environment is built with these versions.

• AWS Fargate
  • CKAN [2.9.5]
  • ckanext-oauth2 [0.7.0]
• Amazon ELB (for "https" front-end listener)
• Amazon Cognito

I got a probrem with following steps.

1. browse 'https://myckan.example.com/' , and "CKAN" is displayed
2. click "Log in"
3. wait a few minutes
4. redirected "http://myckan.example.com/dashboard" and got error
   • Why "http"?
   • Why "/dashboard"?

And I got same result with this URL.

• 'https://myckan.example.com/user/logged_out_redirect'

NOTE [Success] authenticate with cognito

• 'https://myckan.example.com/dataset/'
• 'https://myckan.example.com/organization/'
• 'https://myckan.example.com/group/'

I read source files and found.
Why exists these steps? (about 79 line at "ckanext/oauth2/plugin.py")

    pages = ['/', '/user/logged_out_redirect']
    if came_from_url_parsed.path in pages:
        came_from_url = default_page

In other way
Can't I set the "default_page" specified in an environment variable?

regards

when try to retrieve the profile it generate a request that is invalid according to keycloak,
previous build up to the on that introduced testing 2.7.3 where fine

Hi,
some providers do not reply with a flat JSON; for example, dataporten.no has a /userinfo endpoint where the user's details are stored under user:

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8

{
    "user": {
        "userid": "...",
        "userid_sec": ["feide:..."],
        "name": "...",
        "email": "...",
        "profilephoto": "p:..."
    },
    "audience": "..."
}

Source: https://docs.feide.no/developer_oauth/technical_details/oauth_authentication.html

The user_json function assumes a flat JSON instead:

I made a workaround for that, but it is not a generic fix: NINAnor@f86448f

Hi there,

I'm facing some issues with the combination of ckanext-oauth2 0.6.1, keycloak and ckan 2.8.1.

I get the following logs, I pasted a short version.

ckan | 2018-10-15 11:15:54,240 DEBUG [ckan.logic] check access NotAuthorized - package_show user= "User not authorized to read package ef123867-46d9-4fbf-b339-9ca7cf63b379"
ckan | 2018-10-15 11:15:54,248 DEBUG [ckan.views] No valid session data - deleting session
ckan | 2018-10-15 11:15:54,438 DEBUG [ckanext.oauth2.plugin] identify
ckan | 2018-10-15 11:15:54,438 WARNI [ckanext.oauth2.plugin] The user is not currently logged.

Is version 0.6.1 compatible with ckan 2.8.1?

The expected behaviour is to be able to authenticate with either admin or sso users and assign sso users to groups having access to different resources.

Currently when you create a user, its not a system user but a group user. I'm wondering whats the authentication/authorisation architecture. I'm happy to contribute documentation if you help me understand the expected behaviour.

Cheers

I have update the ckanext-oauth2==0.7.0 extension. Earlier i was used older oauth2 extension.
CKAN-2.7.2
IDM - WSO2
When I am try to login on UI of CKAN, I am getting below error.

invalid_callback
Registered callback does not match with the provided url.

Is anyone faced this issue while updating ckanext-oauth2 latest extension. Please help me in this . Whether this extension needs another configuration?

Referring to this article : https://github.com/conwetlab/ckanext-oauth2/wiki/Activating-and-Installing

I used all the mentioned configuration on the above given URL and configured ckan accordingly.

At,the same time I registered my CKAN app on WSO2 IS will callback url and the necessary things by referring this url: https://docs.wso2.com/display/IS550/Adding+and+Configuring+a+Service+Provider

ckan.oauth2.authorization_endpoint = https:///oauth2/authorize
ckan.oauth2.token_endpoint = https:///oauth2/token
ckan.oauth2.profile_api_url = https:///oauth2/userinfo
ckan.oauth2.client_id = 5seegwA5oh2n83bylenNmq8lbEca
ckan.oauth2.client_secret = _AamqYSNK1JmaHCXciMu3d_sgvca
ckan.oauth2.scope = all_info
ckan.oauth2.rememberer_name = auth_tkt
ckan.oauth2.profile_api_user_field = id
ckan.oauth2.profile_api_fullname_field = displayName
ckan.oauth2.profile_api_mail_field = email
ckan.oauth2.authorization_header = Authorization

Also, have exported the following while running ckan using paster serve :

export OAUTHLIB_INSECURE_TRANSPORT=True

Also, I have added an application (ckan provider) in WSO2-IS also with callback URL = where the CKAN instance is running (i.e a private IP of 172.30.66.XX type running on port 5000)

& run through run using paster serve /etc/ckan/default/development.ini

After, doing the following I get an error on CKAN Side

@aarranz If you can please intervene and help regarding this? Are we missing something on CKAN side or WSO2 side ??

I'm using the OAuth2 extension in CKAN. I've been able to get it to take me to the authentication page, but after the user authenticates, it gives an error "ERR_TOO_MANY_REDIRECTS". This happens both with Auth0 and KeyCloak.

Looking in the network logs in Chrome, it is bouncing between these two sites

https://uhc.auth0.com/authorize?response_type=code&client_id=3eCaIwYG5FDYuktQWFUyz1yLLEfm1ozk&redirect_uri=https%3A%2F%2Fdata.uhcdata.org%2Foauth2%2Fcallback&scope=profile+email+openid&state=eyJjYW1lX2Zyb20iOiAiL2Rhc2hib2FyZCJ9

and

https://data.uhcdata.org/oauth2/callback?code=yly7Oeqsa_uhxYsA&state=eyJjYW1lX2Zyb20iOiAiL2Rhc2hib2FyZCJ9

This is what I have in the CKAN error logs:

$ [Sat Feb 22 22:06:22.119178 2020] [wsgi:error] [pid 11985:tid 140387217442560] [remote 127.0.0.1:55848] 2020-02-22 22:06:22,119 INFO [ckan.lib.base] /user/login render time 0.012 seconds [Sat Feb 22 22:06:22.319345 2020] [wsgi:error] [pid 11985:tid 140387301369600] [remote 127.0.0.1:55852] 2020-02-22 22:06:22,319 DEBUG [ckanext.oauth2.plugin] identify [Sat Feb 22 22:06:22.319493 2020] [wsgi:error] [pid 11985:tid 140387301369600] [remote 127.0.0.1:55852] 2020-02-22 22:06:22,319 WARNI [ckanext.oauth2.plugin] The user is not currently logged... [Sat Feb 22 22:06:22.320023 2020] [wsgi:error] [pid 11985:tid 140387301369600] [remote 127.0.0.1:55852] 2020-02-22 22:06:22,319 DEBUG [ckanext.oauth2.controller] login [Sat Feb 22 22:06:22.320545 2020] [wsgi:error] [pid 11985:tid 140387301369600] [remote 127.0.0.1:55852] 2020-02-22 22:06:22,320 DEBUG [ckanext.oauth2.oauth2] Challenge: Redirecting challenge to$ [Sat Feb 22 22:06:22.327613 2020] [wsgi:error] [pid 11985:tid 140387301369600] [remote 127.0.0.1:55852] 2020-02-22 22:06:22,327 INFO [ckan.lib.base] /user/login render time 0.017 seconds

There doesn't seem to be any way to configure the api call that gets made on logout so ckan isn't actually logging me out of my account i.e. when i press logout and then login I am not prompted to login again.

Hi,

After login on my oauth provider, The return url is unable to create the user and the following error appears.

This is my return url http://localhost:5000/oauth2/callback?code=874crw6o1zsq9viytna0usuttp9htvy2gasc8ny0&state=eyJjYW1lX2Zyb20iOiAiL2Rhc2hib2FyZCJ9

but it's directly redirected to "http://localhost:5000/" with error:

None: Max retries exceeded with url: /oauth/token (Caused by None)

Any idea what's causing this problem?

This is the only log I could get

ckan_ckan | 2019-10-18 11:16:02,180 DEBUG [ckanext.oauth2.plugin] identify
ckan_ckan | 2019-10-18 11:16:02,181 WARNI [ckanext.oauth2.plugin] The user is not currently logged...
ckan_ckan | 2019-10-18 11:16:02,206 DEBUG [ckanext.oauth2.controller] login
ckan_ckan | 2019-10-18 11:16:02,208 DEBUG [ckanext.oauth2.oauth2] Challenge: Redirecting challenge to page http://localhost:8080/oauth/authorize?response_type=code&client_id=oauth_client_id&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2Foauth2%2Fcallback&state=eyJjYW1lX2Zyb20iOiAiL2Rhc2hib2FyZCJ9
ckan_ckan | 2019-10-18 11:16:02,209 INFO [ckan.lib.base] /user/login render time 0.032 seconds
ckan_ckan | 2019-10-18 11:16:04,808 DEBUG [ckanext.oauth2.plugin] identify
ckan_ckan | 2019-10-18 11:16:04,808 WARNI [ckanext.oauth2.plugin] The user is not currently logged...
ckan_ckan | 2019-10-18 11:16:04,828 INFO [ckan.lib.base] /oauth2/callback render time 0.023 seconds
ckan_ckan | 2019-10-18 11:16:04,854 DEBUG [ckanext.oauth2.plugin] identify
ckan_ckan | 2019-10-18 11:16:04,855 WARNI [ckanext.oauth2.plugin] The user is not currently logged...
ckan_ckan | 2019-10-18 11:16:05,143 DEBUG [ckanext.oauth2.plugin] identify
ckan_ckan | 2019-10-18 11:16:05,143 WARNI [ckanext.oauth2.plugin] The user is not currently logged...

It looks like users can alter their password and email address. I do not think that should be allowed by default if OAuth2 is used as authentication.

Hello, I am trying to integrate CKAN with Keycloak, I have installed the extension, edited the production.ini file and I can login but one I am redirected back to CKAN I get always the same error. Any hints?

Hi
My setup configuration versions are

CKAN2.7.2.
WSOIS - 5.7
WSO2am - 2.6

I have update the ckanext-oauth2==0.7.0 extension at CKAN side. After updating the oauth2 version, I am unable to login on CKAN via wso2am. Earlier it was working fine. Is their any configuration changes are also required at wso2 side?
callback url is : https:/hostname/oauth2/callback

I am getting the below error :

**invalid_callback

Registered callback does not match with the provided url.**

@aarranz can you please help here.

It would be nice to not redirect the user to OAuth2Controller as soon as they click on the Log in link, but show the usual login page with an extra button for the OAuth2 authentication, or keep two different Log in links, one for OAuth2 users, one for CKAN users. That would allow existing users to log in.

We could have an option just to map such controller to a different URL, so that it does not override the original one. Any opinion on that?

Dear everyone. I have tried to set up the extension towards Azure AD using OIDC.

In that context I have a few questions:

• It seems the extension now support JWT (according to this page https://fiware-ckan-extensions.readthedocs.io/en/latest/installation-administration-guide.html). So this fits OIDC nicely. Can you confirm this?

• Given that JWT is supported, is there any point of keeping the user info endpoint? I think with the scope of oidc profile email we have everything we need for CKAN?

• Looking at the code it seems you fetch the user information from the access token. But with OIDC we can also get the id token and I would rather fetch that information from there.

• Is there a OIDC example using this plugin somewhere where we know the connection have been successful?

• Do CKAN support @ in user names?

Given that OIDC is rather strictly defined and that it support discovery as well, would it make sense to make a new plugin, or at least add a mode for OIDC only and get rid of the legacy stuff? Maybe fork of this plugin and utilize https://github.com/rohe/pyoidc or something along those lines? Do you know if anyone is working on something like this?

Thanks a lot for the work you have done on this plugin.

Hello,
I have installed 0.9.0 CKAN from source with datapusher and datastore extensions on Python3 and all was good. However, I tried to install the Oauth2 ckan extension and I have found problems.
I downloaded the git repository with git clone (v0.7.0 branch) and then do "python setup.py develop" on ckanext-oauth2 directory. It was good. I included the oauth2 plugin in ckan.plugins in "ckan.ini" file and all the oauth2 variables:

ckan.oauth2.authorization_endpoint = http://localhost:18000/controlpanel/oauth/authorize
ckan.oauth2.token_endpoint = http://localhost:18000/controlpanel/oauth/token
ckan.oauth2.profile_api_url = http://localhost:21000/oauth-server/user
ckan.oauth2.client_id =
ckan.oauth2.client_secret =
ckan.oauth2.scope = openid
ckan.oauth2.rememberer_name = auth_tkt
ckan.oauth2.profile_api_user_field = principal
ckan.oauth2.profile_api_mail_field = email
ckan.oauth2.authorization_header = Authorization

(I have the Oauth Server up in my local host).
But when I go to my ckan instance (http://localhost:5000) and press the Log in button, it does not redirects me to the login page of my oauth server. Instead, it redirects me to ckan Log in page.

What am I doing wrong? May I have to edit the who.ini file?

Thank you.

Hi,
I'm using CKAN 2.6.8 https://github.com/italia/ckan-it and WSO2 IDM, the plugin works correctly installing in Dockerfile via pip install.
I have CKAN_PROFILE_API_USER_FIELD env variable enhanced with name attribute, which corresponds to CKAN username

In oauth2.py class, in the method user_json(self, user_data), I have noticed this instruction
user = None
users = model.User.by_email(email)

If I try to change email in an existing CKAN user, the login doesn't work because CKAN returns this error: username Integrity Violation Error - username already exists

Looking at CKAN source code, I have found a method get of user.py class, https://github.com/ckan/ckan/blob/master/ckan/model/user.py

If i change instruction at line 180 of oauth2.py class, users = model.User.by_email(email), with this one
users = model.User.get(user_name) can I resolve this kind of issue?
Otherwise can you suggest me alternatives?

Thanks.

Current integration tests (selenium), are failing randomly, e.g.: https://travis-ci.org/conwetlab/ckanext-oauth2/builds/374848363

Hi,
I'm Urtza Iturraspe and I am testing CKAN and all its extension for using it in a European Project and defend it to European Comission.
I have some problems with this extension when I use oauth extension.
In my production.ini file I put the extesion and all information related this.
ckan.plugins = stats text_view image_view recline_view oauth2

## OAuth2 configuration
ckan.oauth2.logout_url = /user/_logout
ckan.oauth2.register_url = https://localhost:8443/sign_up/
ckan.oauth2.reset_url = https://localhost:8443/password/request/
ckan.oauth2.edit_url = https://localhost:8443/idm/settings
ckan.oauth2.authorization_endpoint = https://localhost:8443/oauth2/authorize
ckan.oauth2.token_endpoint = https://localhost:8443/oauth2/token
ckan.oauth2.profile_api_url = https://localhost:8443/user
ckan.oauth2.client_id = 7ef5d5fa-a0a9-4f19-ba4b-417d9611d032
ckan.oauth2.client_secret = 4964cf66-eed4-4f70-af99-ad41329a1f59
ckan.oauth2.scope = all_info
ckan.oauth2.rememberer_name = auth_tkt
ckan.oauth2.profile_api_user_field = username
ckan.oauth2.profile_api_fullname_field = displayName
ckan.oauth2.profile_api_mail_field = email
ckan.oauth2.authorization_header = Bearer
ckan.oauth2.legacy_idm = True

I have created and IDM application for this too, putting callback URL correctly.
I started Idm and restart apache and when I sign in into IDM with the user and password and when I return to CKAN I have this error:

(psycopg2.IntegrityError) duplicate key value violates unique constraint "user_name_key" DETAIL: Key (name)=(admin) already exists.

I look into oauth.js file 👍
def identify --> method
users = model.User.by_email(email)
log.debug(' length users::: '+str(len(users))) -> I get 0 users.

It is correct?

At the end of this meths:

Save the user in the database

        model.Session.add(user)
  
        model.Session.commit()
      
        model.Session.remove()

My error came using the last three lines of this method. In which database save the user?
I can't do anything else, please someone can help me?

I am using KeyRock 7.0.1 version, It is neccesary use another one. If it is OK I have a problem because I have install Biz Ecosystem and it uses KeyRock 7.0.1.

Thanks,
Urtza

When a user is performing a request and it's OAuth2 Token is outdated, it must be refreshed. The OAuth2 plugin offers a method for doing it, but it is not working since the following exception is risen:

get_token() takes exactly 1 argument (2 given)

I'm getting the following error when coming back from the IDM v7:

400 Client Error: Bad Request for url: http://portal.mso4sc.eu:3000/user?access_token=9214c92dcfad473623730a73fe076998095bb50b

I tested with the older version of the IDM, v5.4.0, and it works, but I need it to be working with the v7.

This is the log produced by ckan:

ckan          | 2018-05-09 17:09:11,121 DEBUG [ckanext.oauth2.plugin] identify
ckan          | 2018-05-09 17:09:11,122 WARNI [ckanext.oauth2.plugin] The user is not currently logged...
ckan          | 2018-05-09 17:09:11,124 DEBUG [ckanext.oauth2.plugin] login
ckan          | 2018-05-09 17:09:11,126 DEBUG [ckanext.oauth2.oauth2] Challenge: Redirecting challenge to page http://portal.mso4sc.eu:3000/oauth2/authorize?response_type=code&client_id=b07e803c-8f1d-4717-8e00-e169a5f368af&redirect_uri=http%3A%2F%2F10.38.3.3%3A5000%2Foauth2%2Fcallback&scope=all_info&state=eyJjYW1lX2Zyb20iOiAiL2Rhc2hib2FyZCJ9
ckan          | 2018-05-09 17:09:11,346 INFO  [ckan.lib.base]  /user/login render time 0.229 seconds
ckan          | 2018-05-09 17:09:11,977 DEBUG [ckanext.oauth2.plugin] identify
ckan          | 2018-05-09 17:09:11,978 WARNI [ckanext.oauth2.plugin] The user is not currently logged...
ckan          | 2018-05-09 17:09:12,119 INFO  [ckan.lib.base]  /oauth2/callback render time 0.146 seconds
ckan          | 2018-05-09 17:09:12,397 DEBUG [ckanext.oauth2.plugin] identify
ckan          | 2018-05-09 17:09:12,398 WARNI [ckanext.oauth2.plugin] The user is not currently logged...
ckan          | 2018-05-09 17:09:12,463 INFO  [ckan.lib.base]  / render time 0.267 seconds
ckan          | 2018-05-09 17:09:12,846 DEBUG [ckanext.oauth2.plugin] identify
ckan          | 2018-05-09 17:09:12,847 WARNI [ckanext.oauth2.plugin] The user is not currently logged...
ckan          | 2018-05-09 17:09:12,853 DEBUG [ckanext.oauth2.plugin] identify
ckan          | 2018-05-09 17:09:12,854 WARNI [ckanext.oauth2.plugin] The user is not currently logged...
ckan          | 2018-05-09 17:09:12,856 INFO  [ckan.lib.base]  /api/i18n/en render time 0.007 seconds

When jwt is enabled via env/config, tokens are accepted without verification. I tested this with expired but otherwise valid tokens. The token is decoded with jwt.decode(access_token, verify=False). As far as I understand, this means that any token would be accepted, since the signature is not checked with a public key/certificate.

So you could just change the username in the token and sign it with an arbitrary key to impersonate any user.

I'm installing this extention on a dockerized ckan 2.7 with nginx as reverse proxy to enable https

Everything is working fine except for the redirect uri built as:

http://myhost/oauth2/callback (schema is wrong, should be https)

By inspecting the source code I found that the redirection uri is built from request.host_url:

    def _redirect_uri(self, request):
        return ''.join([request.host_url, constants.REDIRECT_URL])

And since nginx forwards requests to the ckan container via http, the schema found into the flask request object is http and not https (=> uri is wrongly built)

This is my nginx configuration:

[...]
proxy_pass http://ckan:5000;
proxy_set_header   X-Forwarded-For $remote_addr;
proxy_set_header Host $host;
proxy_set_header   X-Forwarded-Proto $scheme;
[...]

Already tried to force the schema passed as X-Forwarded-Proto but without any result.

In the meanwhile I found that recently you modified how the request uri is build:

New implementation from master:

self.redirect_uri = urljoin(urljoin(config.get('ckan.site_url', 'http://localhost:5000'), config.get('ckan.root_path')), constants.REDIRECT_URL)

And since this implementation is based on site_url, I think that this version should work fine with my configuration but i'm unable to test it.

Could you include this fix to the pypi package?
I tried to install the extention directly from git, but it does not work:

pip install --upgrade pip install git+git://github.com/conwetlab/ckanext-oauth2.git@master

Downloading/unpacking git+git://github.com/conwetlab/ckanext-oauth2.git@master
  Cloning git://github.com/conwetlab/ckanext-oauth2.git (to master) to /tmp/pip-Qo4L9v-build
  Running setup.py (path:/tmp/pip-Qo4L9v-build/setup.py) egg_info for package from git+git://github.com/conwetlab/ckanext-oauth2.git@master
Downloading/unpacking pip from https://files.pythonhosted.org/packages/0f/74/ecd13431bcc456ed390b44c8a6e917c1820365cbebcb6a8974d1cd045ab4/pip-10.0.1-py2.py3-none-any.whl#sha256=717cdffb2833be8409433a93746744b59505f42146e8d37de6c62b430e25d6d7
  Downloading pip-10.0.1-py2.py3-none-any.whl (1.3MB): 1.3MB downloaded
Downloading/unpacking install
  Could not find any downloads that satisfy the requirement install
Cleaning up...
No distributions at all found for install

As final question: do you think that you will support the latest ckan versions (2.8 and 2.9) in a near future?

Thank you very much for your work with this ext

I'm using dockerized CKAN (2.7.2) + ckanext-oauth2 (0.3.8) + WSO2 ( WSO2 API Manager & WSO2 Identity Server )

I've created a user test1 as a primary tenant user and test2 as a secondary tenant user in wso2. And I've used the ckan.oauth2.client_id and ckan.oauth2.client_secret of primary tenant user (i.e. test1) in ckan.ini file (screenshot is attached below).

In the above case when we are login the CKAN with test1 (primary user), then we are successfully able to login but when we are login the CKAN with test2 (secondary user). then we are getting error i.e. Application you are trying to access does not allow users from your organization.

Does ckanext-oauth2 supports multiple applications (for e.g. application of primary tenant and application from secondary tenant at a time) for authentication? or How can we login from both users i.e. created on different wso2 tenants?

Thanks for this great extension. It seems this is the only one that is maintained for OAuth 2.0, or am I mistaken?

Are there efforts to try to upgrade this to Python 3?

Hello everyone

We use Ckan2.9.4 to develop our project, but ckan-oauth2 only supports 2.7 or 2.8.
Do you have any plans to upgrade version for ckan2.9?

Thanks a lot for the work you have done on this plugin.

Hello team,

I am using the Ckan2.10.1, but ckan-oauth2 only supports 2.7 or 2.8. In this version python 2 is used.
In CKAN 2.10.1 pylons is removed.
Do you have any plans to upgrade version for ckan2.10.1?

Sometimes user_data can be a list. I made a small change to support Feide, which is a common method for authenticating users in Norway.

I would like to make a patch for that, without breaking compatibility with other users. Is there any suggestion? I am not very familiar with the standard.

-- NINAnor@c51315f

This call here:

essentially means that a session file is created for every single request that is made to CKAN, which would explain the massive number of session files. This leads to millions and millions of session files being created, which eventually means that the server will run out of inodes, causing the application to crash.

Session files should only be created when needed (eg to display flash messages)

After installing CKAN with ckanext-oauth2 plugin (fiware-migration branch), run with "paster serve" command (development) and try to log in, I'm getting the following error after redirect again to CKAN:

Scope has changed from "profile other.scope" to "all_info"

This is the relevant configuration part of development.ini:

## OAuth2 configuration
ckan.oauth2.logout_url = /user/logged_out
ckan.oauth2.register_url = https://account.lab.fiware.org/users/sign_up
ckan.oauth2.reset_url = https://account.lab.fiware.org/users/password/new
ckan.oauth2.edit_url = https://account.lab.fiware.org/settings
ckan.oauth2.authorization_endpoint = https://account.lab.fiware.org/oauth2/authorize
ckan.oauth2.token_endpoint = https://account.lab.fiware.org/oauth2/token
ckan.oauth2.profile_api_url = https://account.lab.fiware.org/user
ckan.oauth2.client_id = ******************************
ckan.oauth2.client_secret = *****************************
ckan.oauth2.scope = profile other.scope
ckan.oauth2.rememberer_name = auth_tkt
ckan.oauth2.profile_api_user_field = id
ckan.oauth2.profile_api_fullname_field = displayName
ckan.oauth2.profile_api_mail_field = email
ckan.oauth2.authorization_header = Bearer

And this is how I'm starting ckan:

export OAUTHLIB_INSECURE_TRANSPORT=True
cd /usr/lib/ckan/default/src/ckan
paster serve /etc/ckan/default/development.ini

What is the role(s) that have to be configured in Fiware IDM to login as admin in CKAN? Is there other useful roles that CKAN understand?

Thanks.

Very thanks for your project.

My execution environment is built with these versions.

• AWS Fargate
  • CKAN [2.9.5]
  • ckanext-oauth2 [0.7.0]
• Amazon ELB (for "https" front-end listener)
• Amazon Cognito

On my execution environment, I got a error.

I tried to fix it.
I hope you like the following.

diff --git a/ckanext/oauth2/oauth2.py b/ckanext/oauth2/oauth2.py
index 28a2724..cc9c782 100644
--- a/ckanext/oauth2/oauth2.py
+++ b/ckanext/oauth2/oauth2.py
@@ -115,10 +115,14 @@ class OAuth2Helper(object):
             )
 
         try:
+            req_url = toolkit.request.url
+            ckan_site_url = os.environ.get('CKAN_SITE_URL')
+            if (ckan_site_url.startswith("https:")):
+                req_url = req_url.replace("http:", "https:")
             token = oauth.fetch_token(self.token_endpoint,
                                       headers=headers,
                                       client_secret=self.client_secret,
-                                      authorization_response=toolkit.request.url,
+                                      authorization_response=req_url,
                                       verify=self.verify_https)
         except requests.exceptions.SSLError as e:
             # TODO search a better way to detect invalid certificates

regards

hello everyone:
Even if I login using the https protocol, it still shows the error ' (insecure_transport) OAuth 2 MUST utilize https.' after the authentication.
ckan version: 2.8.9

I use fiware IDM authentication. After the authentication, I checked the cookies and found that the expires of ckan is one year earlier than the current date.

I'm stuck because I can't login.

Thanks a lot for the work you have done on this plugin.

I have this versions:
IDM KeyRock to the last version 7.0.2
CKAN: 2.8.1
ckanext-oauth2: 0.6.1
When I click on "View Profile" I get an "Internal Server Error"

I have created an application in IDM for CKAN.

This is my production.ini extract related with this:

## OAuth2 configuration

ckan.oauth2.logout_url= https://localhost:8443/auth/logout?_method=DELETE
ckan.oauth2.register_url = https://localhost:8443/sign_up/
ckan.oauth2.reset_url = https://localhost:8443/password/request/
ckan.oauth2.edit_url = https://localhost:8443/idm/settings
ckan.oauth2.authorization_endpoint = https://localhost:8443/oauth2/authorize
ckan.oauth2.token_endpoint = https://localhost:8443/oauth2/token
ckan.oauth2.profile_api_url = https://localhost:8443/user
ckan.oauth2.client_id = e826fe8a-e917-4652-8b02-430a1beb2c46
ckan.oauth2.client_secret = 760bebd6-59a7-4a10-92f0-bbf912d4e967
ckan.oauth2.scope = all_info
ckan.oauth2.rememberer_name = auth_tkt
ckan.oauth2.profile_api_user_field = username
ckan.oauth2.profile_api_fullname_field = displayName
ckan.oauth2.profile_api_mail_field = email
ckan.oauth2.authorization_header = Bearer
#ckan.oauth2.legacy_idm = True

Aitor Magan told me that probably this extension has some problem with the IDM Keyrock 7.0.1.
Isn't it?

I can't see anything in apache logs (CKAN runs in Apache https://www.ckan.com), see below:

[Wed Sep 19 10:31:43.590803 2018] [ssl:debug] [pid 12039:tid 140400660506368] ssl_engine_kernel.c(354): [client 127.0.0.1:41522] AH02034: Subsequent (No.2) HTTPS request received for child 84 (server www.ckan.com:443), referer: https://www.ckan.com/dashboard
[Wed Sep 19 10:31:43.590867 2018] [authz_core:debug] [pid 12039:tid 140400660506368] mod_authz_core.c(809): [client 127.0.0.1:41522] AH01626: authorization result of Require all granted: granted, referer: https://www.ckan.com/dashboard
[Wed Sep 19 10:31:43.590873 2018] [authz_core:debug] [pid 12039:tid 140400660506368] mod_authz_core.c(809): [client 127.0.0.1:41522] AH01626: authorization result of <RequireAny>: granted, referer: https://www.ckan.com/dashboard
[Wed Sep 19 10:31:43.590908 2018] [authz_core:debug] [pid 12039:tid 140400660506368] mod_authz_core.c(809): [client 127.0.0.1:41522] AH01626: authorization result of Require all granted: granted, referer: https://www.ckan.com/dashboard
[Wed Sep 19 10:31:43.590911 2018] [authz_core:debug] [pid 12039:tid 140400660506368] mod_authz_core.c(809): [client 127.0.0.1:41522] AH01626: authorization result of <RequireAny>: granted, referer: https://www.ckan.com/dashboard
[Wed Sep 19 10:31:43.597198 2018] [ssl:debug] [pid 12039:tid 140400668899072] ssl_engine_kernel.c(354): [client 127.0.0.1:41522] AH02034: Subsequent (No.3) HTTPS request received for child 83 (server www.ckan.com:443), referer: https://www.ckan.com/dashboard
[Wed Sep 19 10:31:43.597254 2018] [authz_core:debug] [pid 12039:tid 140400668899072] mod_authz_core.c(809): [client 127.0.0.1:41522] AH01626: authorization result of Require all granted: granted, referer: https://www.ckan.com/dashboard
[Wed Sep 19 10:31:43.597259 2018] [authz_core:debug] [pid 12039:tid 140400668899072] mod_authz_core.c(809): [client 127.0.0.1:41522] AH01626: authorization result of <RequireAny>: granted, referer: https://www.ckan.com/dashboard
[Wed Sep 19 10:31:43.597291 2018] [authz_core:debug] [pid 12039:tid 140400668899072] mod_authz_core.c(809): [client 127.0.0.1:41522] AH01626: authorization result of Require all granted: granted, referer: https://www.ckan.com/dashboard
[Wed Sep 19 10:31:43.597295 2018] [authz_core:debug] [pid 12039:tid 140400668899072] mod_authz_core.c(809): [client 127.0.0.1:41522] AH01626: authorization result of <RequireAny>: granted, referer: https://www.ckan.com/dashboard
[Wed Sep 19 10:31:43.601693 2018] [ssl:info] [pid 12038:tid 140400685684480] [client 127.0.0.1:41524] AH01964: Connection to child 17 established (server www.ckan.com:443)
[Wed Sep 19 10:31:43.601819 2018] [ssl:debug] [pid 12038:tid 140400685684480] ssl_engine_kernel.c(2096): [client 127.0.0.1:41524] AH02043: SSL virtual host for servername www.ckan.com found
[Wed Sep 19 10:31:43.601827 2018] [core:debug] [pid 12038:tid 140400685684480] protocol.c(2216): [client 127.0.0.1:41524] select protocol from , choices=h2,http/1.1 for server www.ckan.com
[Wed Sep 19 10:31:43.601832 2018] [ssl:debug] [pid 12038:tid 140400685684480] ssl_engine_kernel.c(2096): [client 127.0.0.1:41524] AH02043: SSL virtual host for servername www.ckan.com found
[Wed Sep 19 10:31:43.605663 2018] [ssl:debug] [pid 12038:tid 140400685684480] ssl_engine_kernel.c(2023): [client 127.0.0.1:41524] AH02041: Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
[Wed Sep 19 10:31:43.605696 2018] [ssl:info] [pid 12038:tid 140400685684480] (70014)End of file found: [client 127.0.0.1:41524] AH01991: SSL input filter read failed.
[Wed Sep 19 10:31:43.605737 2018] [ssl:debug] [pid 12038:tid 140400685684480] ssl_engine_io.c(1017): [client 127.0.0.1:41524] AH02001: Connection closed to child 17 with standard shutdown (server www.ckan.com:443)
[Wed Sep 19 10:31:43.615353 2018] [ssl:debug] [pid 12039:tid 140400769611520] ssl_engine_kernel.c(354): [client 127.0.0.1:41522] AH02034: Subsequent (No.4) HTTPS request received for child 71 (server www.ckan.com:443), referer: https://www.ckan.com/dashboard
[Wed Sep 19 10:31:43.615412 2018] [authz_core:debug] [pid 12039:tid 140400769611520] mod_authz_core.c(809): [client 127.0.0.1:41522] AH01626: authorization result of Require all granted: granted, referer: https://www.ckan.com/dashboard
[Wed Sep 19 10:31:43.615417 2018] [authz_core:debug] [pid 12039:tid 140400769611520] mod_authz_core.c(809): [client 127.0.0.1:41522] AH01626: authorization result of <RequireAny>: granted, referer: https://www.ckan.com/dashboard
[Wed Sep 19 10:31:43.615451 2018] [authz_core:debug] [pid 12039:tid 140400769611520] mod_authz_core.c(809): [client 127.0.0.1:41522] AH01626: authorization result of Require all granted: granted, referer: https://www.ckan.com/dashboard
[Wed Sep 19 10:31:43.615454 2018] [authz_core:debug] [pid 12039:tid 140400769611520] mod_authz_core.c(809): [client 127.0.0.1:41522] AH01626: authorization result of <RequireAny>: granted, referer: https://www.ckan.com/dashboard
[Wed Sep 19 10:31:43.733520 2018] [ssl:debug] [pid 12039:tid 140400702469888] ssl_engine_kernel.c(354): [client 127.0.0.1:41522] AH02034: Subsequent (No.5) HTTPS request received for child 79 (server www.ckan.com:443), referer: https://www.ckan.com/fanstatic/css/:version:2018-09-03T15:06:44.25/main.min.css
[Wed Sep 19 10:31:43.733578 2018] [authz_core:debug] [pid 12039:tid 140400702469888] mod_authz_core.c(809): [client 127.0.0.1:41522] AH01626: authorization result of Require all granted: granted, referer: https://www.ckan.com/fanstatic/css/:version:2018-09-03T15:06:44.25/main.min.css
[Wed Sep 19 10:31:43.733590 2018] [authz_core:debug] [pid 12039:tid 140400702469888] mod_authz_core.c(809): [client 127.0.0.1:41522] AH01626: authorization result of <RequireAny>: granted, referer: https://www.ckan.com/fanstatic/css/:version:2018-09-03T15:06:44.25/main.min.css
[Wed Sep 19 10:31:43.733656 2018] [authz_core:debug] [pid 12039:tid 140400702469888] mod_authz_core.c(809): [client 127.0.0.1:41522] AH01626: authorization result of Require all granted: granted, referer: https://www.ckan.com/fanstatic/css/:version:2018-09-03T15:06:44.25/main.min.css
[Wed Sep 19 10:31:43.733660 2018] [authz_core:debug] [pid 12039:tid 140400702469888] mod_authz_core.c(809): [client 127.0.0.1:41522] AH01626: authorization result of <RequireAny>: granted, referer: https://www.ckan.com/fanstatic/css/:version:2018-09-03T15:06:44.25/main.min.css
[Wed Sep 19 10:31:43.790617 2018] [ssl:debug] [pid 12039:tid 140400727648000] ssl_engine_kernel.c(354): [client 127.0.0.1:41522] AH02034: Subsequent (No.6) HTTPS request received for child 76 (server www.ckan.com:443), referer: https://www.ckan.com/dashboard
[Wed Sep 19 10:31:43.790697 2018] [authz_core:debug] [pid 12039:tid 140400727648000] mod_authz_core.c(809): [client 127.0.0.1:41522] AH01626: authorization result of Require all granted: granted, referer: https://www.ckan.com/dashboard
[Wed Sep 19 10:31:43.790702 2018] [authz_core:debug] [pid 12039:tid 140400727648000] mod_authz_core.c(809): [client 127.0.0.1:41522] AH01626: authorization result of <RequireAny>: granted, referer: https://www.ckan.com/dashboard
[Wed Sep 19 10:31:43.790730 2018] [authz_core:debug] [pid 12039:tid 140400727648000] mod_authz_core.c(809): [client 127.0.0.1:41522] AH01626: authorization result of Require all granted: granted, referer: https://www.ckan.com/dashboard
[Wed Sep 19 10:31:43.790732 2018] [authz_core:debug] [pid 12039:tid 140400727648000] mod_authz_core.c(809): [client 127.0.0.1:41522] AH01626: authorization result of <RequireAny>: granted, referer: https://www.ckan.com/dashboard
[Wed Sep 19 10:31:43.796941 2018] [wsgi:error] [pid 12037:tid 140400820553472] 2018-09-19 10:31:43,796 DEBUG [ckanext.oauth2.plugin] URTZA :::: identify plugin.py
[Wed Sep 19 10:31:43.799909 2018] [wsgi:error] [pid 12037:tid 140400820553472] 2018-09-19 10:31:43,799 INFO  [ckanext.oauth2.plugin] User admin logged using session
[Wed Sep 19 10:31:43.799981 2018] [wsgi:error] [pid 12037:tid 140400820553472] 2018-09-19 10:31:43,799 INFO  [ckanext.oauth2.plugin] UserName is: admin
[Wed Sep 19 10:31:43.800077 2018] [wsgi:error] [pid 12037:tid 140400820553472] 2018-09-19 10:31:43,800 INFO  [ckanext.oauth2.plugin] g.user: admin
[Wed Sep 19 10:31:43.800195 2018] [wsgi:error] [pid 12037:tid 140400820553472] 2018-09-19 10:31:43,800 INFO  [ckanext.oauth2.plugin] toolkit c.user: admin
[Wed Sep 19 10:31:43.802049 2018] [wsgi:error] [pid 12037:tid 140400820553472] 2018-09-19 10:31:43,801 INFO  [ckanext.oauth2.plugin] toolkit c.usertoken: {u'access_token': u'00f6ce9bde903320665182360dff821348b2ed88', u'token_type': u'Bearer', u'expires_in': u'28799', u'refresh_token': u'ebf8c3808d1dc7c41a4de04af6ee3edd4fd4a8e0'}
[Wed Sep 19 10:31:43.802221 2018] [wsgi:error] [pid 12037:tid 140400820553472] 2018-09-19 10:31:43,802 INFO  [ckanext.oauth2.plugin] toolkit c.usertoken_refresh: <functools.partial object at 0x7fb184314db8>
[Wed Sep 19 10:31:48.811217 2018] [ssl:debug] [pid 12039:tid 140400618542848] ssl_engine_io.c(1017): [remote 127.0.0.1:41522] AH02001: Connection closed to child 76 with standard shutdown (server www.ckan.com:443)

Please someone can help me to resolve this?
Thanks,
Urtza

I'm trying to authenticate ckan using Azure/Microsoft with Oauth2 extension unable to login.

Hi, first of all thanks for this great extension!
I was trying to set up oauth2 authentication with a provider that is running under a www. subdomain. It has a valid wildcard certificate, but no Subject Alternative Name for the naked domain without any subdomain.

The extension was displaying (insecure_transport) OAuth 2 MUST utilize https., but all configuration values were using the www. prefix and after setting OAUTHLIB_INSECURE_TRANSPORT=True it worked fine.
Does anybody have an idea why the extension might end up doing a call to the naked domain without the www. prefix (or at least trying to verify the certificate for that domain), despite it being present in all config values?