oauth: change app name #1990

Merged (2 commits), Dec 16, 2024
4 changes: 2 additions & 2 deletions .github/workflows/tests.yml
Expand Up @@ -24,7 +24,7 @@ on:

jobs:
Tests:
runs-on: ubuntu-latest
runs-on: ubuntu-22.04
strategy:
matrix:
python-version: [3.9]
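Review bot: The runner pin from ubuntu-latest to ubuntu-22.04 is unrelated to the OAuth app rename in the PR title and would be easier to trace later in its own commit, ideally with a YAML comment on why the image is pinned (presumably the apt packages installed further down, which is an assumption). Pinning is good for reproducibility, but it also means the job stops running once GitHub retires the 22.04 image, so it needs an owner to bump it.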
Expand All @@ -49,7 +49,7 @@ jobs:
sudo apt-get install ffmpeg
ffmpeg -version

- name: Install ldap dependencies
- name: Install LDAP dependencies
run: |
sudo apt-get update
sudo apt-get install libsasl2-dev libldap2-dev libssl-dev
10 changes: 5 additions & 5 deletions cds/config.py
Expand Up @@ -1140,10 +1140,10 @@ def _parse_env_bool(var_name, default=None):
OAUTHCLIENT_CERN_OPENID_SESSION_KEY = "identity.cdsvideos_openid_provides"
"""Name of session key where CERN roles are stored."""

REMOTE_APP_NAME = "cern_openid"
REMOTE_APP_NAME = "cern_cdsvideos_openid"

OAUTHCLIENT_CERN_OPENID_USERINFO_URL = (
"https://auth.cern.ch/auth/realms/cern/" "protocol/openid-connect/userinfo"
"https://auth.cern.ch/auth/realms/cern/protocol/openid-connect/userinfo"
)

OAUTH_REMOTE_APP = copy.deepcopy(cern_openid.REMOTE_APP)
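Review bot: Renaming REMOTE_APP_NAME changes the OAuth callback path, because invenio-oauthclient builds it as /oauth/authorized/<remote_app>/ (the docstring removed from cern_openid.py in this PR documents that for the old name), so the Redirect URI registered for this client in the CERN application portal has to be updated to end in /oauth/authorized/cern_cdsvideos_openid/ before this is deployed, or the provider will reject the callback. Please record that in the PR description or a deployment checklist. The join of the split userinfo URL literal is behaviour-preserving.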
Expand All @@ -1156,11 +1156,11 @@ def _parse_env_bool(var_name, default=None):
),
access_token_url=os.environ.get(
"OAUTH_CERN_OPENID_ACCESS_TOKEN_URL",
"https://auth.cern.ch/auth/realms/cern/" "protocol/openid-connect/token",
"https://auth.cern.ch/auth/realms/cern/protocol/openid-connect/token",
),
authorize_url=os.environ.get(
"OAUTH_CERN_OPENID_AUTHORIZE_URL",
"https://auth.cern.ch/auth/realms/cern/" "protocol/openid-connect/auth",
"https://auth.cern.ch/auth/realms/cern/protocol/openid-connect/auth",
),
)
)
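Review bot: Joining the split URL literals is a no-op at runtime (adjacent string literals are concatenated by the parser), so this hunk is purely cosmetic. The environment variable names OAUTH_CERN_OPENID_ACCESS_TOKEN_URL and OAUTH_CERN_OPENID_AUTHORIZE_URL keep the old cern_openid naming; that is sensible for compatibility with existing deployments, but a short comment saying so would stop the next rename from "fixing" them and breaking deployed environments.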
Expand Down Expand Up @@ -1190,7 +1190,7 @@ def _parse_env_bool(var_name, default=None):
algorithms=["HS256", "RS256"],
)

OAUTHCLIENT_REMOTE_APPS = dict(cern_openid=OAUTH_REMOTE_APP)
OAUTHCLIENT_REMOTE_APPS = dict(cern_cdsvideos_openid=OAUTH_REMOTE_APP)
"""CERN Openid Remote Application."""

## Needed for populating the user profiles when users login via CERN Openid
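Review bot: The dict key must stay in sync with REMOTE_APP_NAME a few lines up and with the literal checks in cern_openid.py and header.html; writing it as `OAUTHCLIENT_REMOTE_APPS = {REMOTE_APP_NAME: OAUTH_REMOTE_APP}` removes one of the copies that can drift. The docstring's "CERN Openid" would normally be spelled "OpenID". Separately, and not touched by this PR, the context line `algorithms=["HS256", "RS256"]` accepts a symmetric and an asymmetric algorithm in the same verification call; it is worth confirming which key is verified against that list, since an asymmetric public key combined with an HMAC-capable algorithm list is the classic JWT algorithm-confusion setup.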
67 changes: 6 additions & 61 deletions cds/modules/oauthclient/cern_openid.py
Expand Up @@ -22,62 +22,9 @@
# waive the privileges and immunities granted to it by virtue of its status
# as an Intergovernmental Organization or submit itself to any jurisdiction.

"""Pre-configured remote application for enabling sign in/up with CERN.
1. Edit your configuration and add:
.. code-block:: python
import copy
from invenio_oauthclient.contrib import cern_openid
OAUTH_REMOTE_REST_APP = copy.deepcopy(cern_openid.REMOTE_REST_APP)
# update any params if needed
OAUTH_REMOTE_REST_APP["params"].update({})
OAUTHCLIENT_REMOTE_APPS = dict(
cern_openid=OAUTH_REMOTE_REST_APP,
)
OAUTHCLIENT_REST_REMOTE_APPS = dict(
cern_openid=OAUTH_REMOTE_REST_APP,
)
CERN_APP_OPENID_CREDENTIALS = dict(
consumer_key="changeme",
consumer_secret="changeme",
)
2. Register a new application with CERN OPENID visiting the page
``https://application-portal.web.cern.ch/``. When registering the
application ensure that the *Redirect URI* points to:
``http://localhost:5000/api/oauth/authorized/cern_openid/``, if you have
used the rest oauth application, or
``http://localhost:5000/oauth/authorized/cern_openid/`` (note, CERN
does not allow localhost to be used, thus you need to follow the CERN OAUTH
section in the common recipes in
``https://digital-repositories.web.cern.ch/digital-repositories``.
3. Grab the *Client ID* and *Client Secret* after registering the application
and add them to your instance configuration (``invenio.cfg``):
.. code-block:: python
CERN_APP_OPENID_CREDENTIALS = dict(
consumer_key="<CLIENT ID>",
consumer_secret="<CLIENT SECRET>",
)
4. Now login using CERN OAuth:
- http://localhost:5000/oauth/login/cern/ , if you configure the UI oauth
application.
- http://localhost:5000/api/oauth/login/cern/ , if you configure the API
oauth application.
5. Also, you should see CERN listed under Linked accounts:
http://localhost:5000/account/settings/linkedaccounts/
By default the CERN module will try first look if a link already exists
between a CERN account and a user. If no link is found, the user is asked
to provide an email address to sign-up.
In templates you can add a sign in/up link:
.. code-block:: jinja
<a href="{{ url_for("invenio_oauthclient.login",
remote_app="cern_openid") }}">
Sign in with CERN
</a>
"""OpenID login.
Copied from invenio-oauthclient, extended with e-groups fetching.
"""

from datetime import datetime, timedelta
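Review bot: The deleted docstring was the only in-tree description of how to register the client with the CERN application portal, which Redirect URI to configure, and which config keys (OAUTHCLIENT_REMOTE_APPS, OAUTHCLIENT_REST_REMOTE_APPS, CERN_APP_OPENID_CREDENTIALS) are involved; the replacement "OpenID login. Copied from invenio-oauthclient, extended with e-groups fetching." keeps none of that. Since this PR changes the redirect URI path, keep at least the registration and Redirect URI paragraph, updated to cern_cdsvideos_openid, or move it to the project docs and link to it from here.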
Expand Down Expand Up @@ -132,7 +79,7 @@ def logout():
def find_remote_by_client_id(client_id):
"""Return a remote application based with given client ID."""
for remote in current_oauthclient.oauth.remote_apps.values():
if remote.name == "cern_openid" and remote.consumer_key == client_id:
if remote.name == "cern_cdsvideos_openid" and remote.consumer_key == client_id:
return remote


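Review bot: The remote name is now a hard-coded literal here and again in on_identity_changed further down, while config.py defines REMOTE_APP_NAME for exactly this purpose; comparing against that constant (for example `remote.name == current_app.config["REMOTE_APP_NAME"]`; current_app was already used in this module by the serializer lookup this PR removes, so check it stays imported) means a future rename cannot silently stop matching. The unchanged docstring "Return a remote application based with given client ID." should read "Return the remote application with the given client ID."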
Expand All @@ -155,9 +102,7 @@ def account_roles_and_extra_data(account, resource, refresh_timedelta=None):
return account.extra_data.get("roles", []), account.extra_data.get("groups", [])

roles = resource["cern_roles"]
extra_data = current_app.config.get(
"OAUTHCLIENT_CERN_OPENID_EXTRA_DATA_SERIALIZER", fetch_extra_data
)(resource)
extra_data = fetch_extra_data(resource)

account.extra_data.update(roles=roles, updated=updated.isoformat(), **extra_data)

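Review bot: Dropping the OAUTHCLIENT_CERN_OPENID_EXTRA_DATA_SERIALIZER lookup removes a configuration hook, so any deployment that sets that key now has its serializer silently ignored rather than failing loudly. If the hook is intentionally removed, say so in the changelog and delete any documentation of the key; if not, keep `current_app.config.get("OAUTHCLIENT_CERN_OPENID_EXTRA_DATA_SERIALIZER", fetch_extra_data)(resource)`. Either way this is a behavioural change unrelated to the rename and belongs in its own commit, and if current_app has no other use in the module the import becomes dead.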
Expand Down Expand Up @@ -311,7 +256,7 @@ def on_identity_changed(sender, identity):
return

remote = g.get("oauth_logged_in_with_remote", None)
if not remote or remote.name != "cern_openid":
if not remote or remote.name != "cern_cdsvideos_openid":
# signal coming from another remote app
return

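Review bot: Same literal as in find_remote_by_client_id; a mismatch between this string, REMOTE_APP_NAME and the OAUTHCLIENT_REMOTE_APPS key would not raise, it would just make this handler return early and skip loading CERN roles on every login, which is easy to miss in manual testing. Besides sourcing the name from config, a small test that logs in through the configured remote and asserts that roles were added to the identity would catch this class of regression.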
2 changes: 1 addition & 1 deletion cds/modules/theme/templates/cds_theme/header.html
Expand Up @@ -75,7 +75,7 @@
<li><a href=" {{url_for_security('login', next=request.path)}}"><strong><i class="fa fa-sign-in"></i> {{_('Log in')}}</strong></a></li>
{%- else %}
<li>
<a href="{{url_for('invenio_oauthclient.login', remote_app='cern_openid', next=request.path)}}">
<a href="{{url_for('invenio_oauthclient.login', remote_app='cern_cdsvideos_openid', next=request.path)}}">
<strong><i class="fa fa-sign-in"></i> {{_('Log in')}}</strong>
</a>
</li>
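Review bot: The template hard-codes the remote app name as well; Flask exposes the application config to Jinja as `config`, so `remote_app=config.REMOTE_APP_NAME` (or a value provided by a context processor) keeps the template tied to config.py instead of a fourth copy of the string. Unrelated nit on the context line above: `href=" {{url_for_security('login', next=request.path)}}"` has a leading space inside the quotes; browsers trim it, but it should go.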