External authentication
Requirements
To use external authentication with OAuth 1.0 and/or OAuth 2.0, you need an Internet FQDN and a website secured with HTTPS.
Library
abcdesktop uses the requests_oauthlib Python module. Requests-OAuthlib uses the Python Requests and OAuthlib libraries for building OAuth1 and OAuth2 clients.
authmanagers external:
external authentication uses OAuth 2.0 authentication.
The external authentication configuration is defined as a dictionary object and contains a list of external providers.
Sample providers entry using the Google OAuth 2.0 authentication service:
'external': {
    'providers': {
        'google': {
            'displayname': 'Google',
            'enabled': True,
            'client_id': 'xxxx',
            'client_secret': 'xxxx',
            'userinfo_auth': True,
            'scope': [ 'https://www.googleapis.com/auth/userinfo.email', 'openid' ],
            'userinfo_url': 'https://www.googleapis.com/oauth2/v1/userinfo',
            'redirect_uri_prefix' : 'https://hostname.domain.local/API/auth/oauth',
            'redirect_uri_querystring': 'manager=external&provider=google',
            'authorization_base_url': 'https://accounts.google.com/o/oauth2/v2/auth',
            'token_url': 'https://oauth2.googleapis.com/token',
            'policies': { 'acl' : { 'permit': [ 'all' ] } }
        }
    }
}
The values of client_id and client_secret have been replaced with the obfuscated value 'xxxx'. The FQDN hostname.domain.local stands for your public server FQDN.
| Variable name | Type | Description | Sample |
|---|---|---|---|
| displayname | string | Display name shown in the web front end | Google |
| enabled | boolean | LDAP Base Distinguished Names | True |
| client_id | string | client id | XXX-YYY.apps.googleusercontent.com |
| client_secret | string | client secret | XXX |
| scope | list of string | scope | [ 'https://www.googleapis.com/auth/userinfo.email', 'openid' ] |
| userinfo_url | string | dialog URL | https://www.googleapis.com/oauth2/v1/userinfo |
| redirect_uri_prefix | string | redirect URL | https://hostname.domain.local/API/auth/oauth |
| redirect_uri_querystring | string | URL query string | manager=external&provider=google |
| authorization_base_url | string | callback URL | https://accounts.google.com/o/oauth2/v2/auth |
| token_url | string | token URL | https://oauth2.googleapis.com/token |
The complete redirect URL is the concatenation of the two values redirect_uri_prefix and redirect_uri_querystring.
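A pre-deployment check for one providers entry, added here as an example (it is not abcdesktop code): it builds the complete redirect URL and flags non-HTTPS endpoints, placeholder credentials, and a redirect query string that does not match the entry it sits in. Joining the two values with '?', the function names redirect_uri and check_provider, and the set of checks are assumptions drawn from the requirements and samples above.

```python
from urllib.parse import parse_qs, urlsplit

URL_KEYS = ('authorization_base_url', 'token_url', 'userinfo_url',
            'redirect_uri_prefix')

def redirect_uri(entry):
    # Assumption: the two values are joined with '?'.
    return entry['redirect_uri_prefix'] + '?' + entry['redirect_uri_querystring']

def check_provider(name, entry):
    """Return a list of findings for one entry of 'providers' (hypothetical helper)."""
    findings = []
    for key in URL_KEYS:
        url = urlsplit(entry.get(key, ''))
        # client_secret, authorization codes and tokens travel over these URLs
        if url.scheme != 'https' or not url.hostname:
            findings.append(key + ': must be an absolute https URL')
    for key in ('client_id', 'client_secret'):
        # 'xxxx' is the placeholder used in the sample entries
        if entry.get(key, '').strip('x') == '':
            findings.append(key + ': placeholder or empty value')
    query = parse_qs(entry.get('redirect_uri_querystring', ''))
    if query.get('manager') != ['external']:
        findings.append('redirect_uri_querystring: manager is not external')
    if query.get('provider') != [name]:
        findings.append('redirect_uri_querystring: provider does not match ' + name)
    return findings

# Constructed entry with deliberate mistakes: http prefix, placeholder
# client_id, and a query string copied from another provider's entry.
SAMPLE = {
    'github': {
        'client_id': 'xxxx',
        'client_secret': 'constructed-secret-value',
        'redirect_uri_prefix': 'http://hostname.domain.local/API/auth/oauth',
        'redirect_uri_querystring': 'manager=external&provider=google',
        'authorization_base_url': 'https://github.com/login/oauth/authorize',
        'token_url': 'https://github.com/login/oauth/access_token',
        'userinfo_url': 'https://api.github.com/user',
    }
}

if __name__ == '__main__':
    for name, entry in SAMPLE.items():
        print(redirect_uri(entry))
        for finding in check_provider(name, entry):
            print(name, '->', finding)
```

The complete redirect URL printed here is the value that has to be registered as the callback in the provider's developer console.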
Orange OAuth
Orange's OAuth is supported for authentication. This API is based on OpenID Connect, which combines end-user authentication with OAuth2 authorisation.
Orange Application
Create your Orange application at https://developer.orange.com/apis and set the credentials for the Orange Authentication API in the section
'orange': {
    'displayname': 'Orange',
    'enabled': True,
    'basic_auth': True,
    'userinfo_auth': True,
    'scope' : [ 'openid', 'form_filling' ],
    'client_id': 'xxxx',
    'client_secret': 'xxxx',
    'redirect_uri_prefix' : 'https://hostname.domain.local/API/auth/oauth',
    'redirect_uri_querystring': 'manager=external&provider=orange',
    'authorization_base_url': 'https://api.orange.com/openidconnect/fr/v1/authorize',
    'token_url': 'https://api.orange.com/openidconnect/fr/v1/token',
    'userinfo_url': 'https://api.orange.com/formfilling/fr/v1/userinfo',
    'policies': { 'acl' : { 'permit': [ 'all' ] } }
}
Facebook OAuth
Facebook's OAuth is supported for authentication.
Facebook Application
Create your Facebook application credentials at https://developers.facebook.com/apps/ and set the credentials for the Facebook Authentication API
'facebook': {
    'displayname': 'Facebook',
    'enabled': True,
    'userinfo_auth': True,
    'client_id': 'xxxx',
    'client_secret': 'xxxx',
    'redirect_uri_prefix' : 'https://hostname.domain.local/API/auth/oauth',
    'redirect_uri_querystring': 'manager=external&provider=facebook',
    'authorization_base_url': 'https://www.facebook.com/dialog/oauth',
    'userinfo_url': 'https://graph.facebook.com/v2.6/me?fields=picture.width(400),name',
    'token_url': 'https://graph.facebook.com/v2.3/oauth/access_token',
    'userinfomap': {
        '*': '*',
        'picture': 'picture.data.url'
    },
    'policies': { 'acl' : { 'permit': [ 'all' ] } }
}
Google OAuth
Google's OAuth is supported for authentication. The client_id is Google's OAuth client ID, and the client_secret is the OAuth client secret.
Google Application
Create your Google credentials at https://console.developers.google.com/apis/ and set the correct credentials for the Google Authentication API in the section [gauth]
'google': {
    'displayname': 'Google',
    'enabled': True,
    'client_id': 'xxxx',
    'client_secret': 'xxxx',
    'userinfo_auth': True,
    'scope': [ 'https://www.googleapis.com/auth/userinfo.email', 'openid' ],
    'userinfo_url': 'https://www.googleapis.com/oauth2/v1/userinfo',
    'redirect_uri_prefix' : 'https://hostname.domain.local/API/auth/oauth',
    'redirect_uri_querystring': 'manager=external&provider=google',
    'authorization_base_url': 'https://accounts.google.com/o/oauth2/v2/auth',
    'token_url': 'https://oauth2.googleapis.com/token',
    'policies': { 'acl' : { 'permit': [ 'all' ] } }
}
Github OAuth
GitHub's OAuth implementation supports the standard authorization code grant type and the OAuth 2.0 Device Authorization Grant for apps that don't have access to a web browser.
Github OAuth
Enable other users to authorize your OAuth App. Create your GitHub credentials here: authorizing-oauth-apps and set the correct credentials for the GitHub Authentication API
'github': {
    'displayname': 'Github',
    'enabled': True,
    'basic_auth': True,
    'userinfo_auth': True,
    'scope' : [ 'read:user' ],
    'client_id': 'xxxx',
    'client_secret': 'xxxx',
    'redirect_uri_prefix' : 'https://hostname.domain.local/API/auth/oauth',
    'redirect_uri_querystring': 'manager=external&provider=github',
    'authorization_base_url': 'https://github.com/login/oauth/authorize',
    'token_url': 'https://github.com/login/oauth/access_token',
    'userinfo_url': 'https://api.github.com/user',
    'policies': { 'acl' : { 'permit': [ 'all' ] } }
}
Great, you have checked how the implicit authentication configuration works.