Skip to content

Authentification external

Requirements

To use external Authentification OAuth 1.0 and or OAuth 2.0, you need an internet FQDN and a secured web site with https.

Library

abcdesktop uses requests_oauthlib python module. Requests-OAuthlib uses the Python Requests and OAuthlib libraries for building OAuth1 and OAuth2 clients.

authmanagers external:

external authentification use OAuth 2.0 authenticaton.

The external authentification configuration is defined as a dictionary object and contains a list of external provider.

Sample providers entry using the Google OAuth 2.0 authentification service.

'external': {
    'providers': {
    'google': { 
    'google': { 
        'displayname': 'Google', 
        'enabled': True,
        'client_id': 'xxxx', 
        'client_secret': 'xxxx',
        'userinfo_auth': True,
        'scope': [ 'https://www.googleapis.com/auth/userinfo.email',  'openid' ],
        'userinfo_url': 'https://www.googleapis.com/oauth2/v1/userinfo',
        'redirect_uri_prefix' : 'https://hostname.domain.local/API/auth/oauth',
        'redirect_uri_querystring': 'manager=external&provider=google',
        'authorization_base_url': 'https://accounts.google.com/o/oauth2/v2/auth',
        'token_url': 'https://oauth2.googleapis.com/token',
        'policies': { 'acl'  : { 'permit': [ 'all' ] } }
      }   
   }
}

The variable values client_id and client_secret have been set to obfuscate value 'xxxx'. The FQDN hostname.domain.local is referred to your public server FQDN.

Variable name Type Description Sample
displayname string Display Name show in Web front Google
enabled boolean LDAP Base Distinguished Names True
client_id string client id XXX-YYY.apps.googleusercontent.com
client_secret string client secret XXX
scope list of string scope [ 'https://www.googleapis.com/auth/userinfo.email', 'openid' ]
userinfo_url string dialog URL `https://www.googleapis.com/oauth2/v1/userinfo'
redirect_uri_prefix string redirect URL https://hostname.domain.local/API/auth/oauth
redirect_uri_querystring string URL query string manager=external&provider=google
authorization_base_url string callback URL https://accounts.google.com/o/oauth2/v2/auth
token_url string token URL https://oauth2.googleapis.com/token

The complete redirect url concats the two values redirect_uri_prefix and redirect_uri_querystring.

Orange OAuth

Orange's OAuth is supported for authentication. This API is based on OpenID Connect, which combines end-user authentication with OAuth2 authorisation.

Orange Application

Create your Orange Application here https://developer.orange.com/apis and set credentials for Orange Authentification API in the section

 'orange': {       
        'displayname': 'Orange', 
        'enabled': True,
        'basic_auth': True,
        'userinfo_auth': True,
        'scope' : [ 'openid', 'form_filling' ],
        'client_id': 'xxxx',
        'client_secret': 'xxxx',
        'redirect_uri_prefix' : 'https://hostname.domain.local/API/auth/oauth',
        'redirect_uri_querystring': 'manager=external&provider=orange',
        'authorization_base_url': 'https://api.orange.com/openidconnect/fr/v1/authorize',
        'token_url': 'https://api.orange.com/openidconnect/fr/v1/token', 
        'userinfo_url': 'https://api.orange.com/formfilling/fr/v1/userinfo',
        'policies': { 'acl'  : { 'permit': [ 'all' ] } }
      }

Facebook OAuth

Facebook's OAuth is supported for authentication.

Facebook Application

Create your Facebook Application credentials here : https://developers.facebook.com/apps/ and set the credentials for Facebook Authentification API

'facebook': { 
        'displayname': 'Facebook', 
        'enabled': True,
        'userinfo_auth': True,
        'client_id': 'xxxx', 
        'client_secret': 'xxxx', 
        'redirect_uri_prefix' : 'https://hostname.domain.local/API/auth/oauth',
        'redirect_uri_querystring': 'manager=external&provider=facebook',
        'authorization_base_url': 'https://www.facebook.com/dialog/oauth',
        'userinfo_url': 'https://graph.facebook.com/v2.6/me?fields=picture.width(400),name',
        'token_url': 'https://graph.facebook.com/v2.3/oauth/access_token',
        'userinfomap': {
            '*': '*',
            'picture': 'picture.data.url'
        },
        'policies': { 'acl'  : { 'permit': [ 'all' ] } }
      }

Google OAuth

Google's OAuth is supported for authentication. The client_id is the google's OAuth client ID, and the client_secret is the OAuth client secret.

Google Application

Create your Google credentials here : https://console.developers.google.com/apis/ and set the correct credentials for Google Authentification API in the section [gauth]

'google': { 
        'displayname': 'Google', 
        'enabled': True,
        'client_id': 'xxxx', 
        'client_secret': 'xxxx',
        'userinfo_auth': True,
        'scope': [ 'https://www.googleapis.com/auth/userinfo.email',  'openid' ],
        'userinfo_url': 'https://www.googleapis.com/oauth2/v1/userinfo',
        'redirect_uri_prefix' : 'https://hostname.domain.local/API/auth/oauth',
        'redirect_uri_querystring': 'manager=external&provider=google',
        'authorization_base_url': 'https://accounts.google.com/o/oauth2/v2/auth',
        'token_url': 'https://oauth2.googleapis.com/token',
        'policies': { 'acl'  : { 'permit': [ 'all' ] } }
      }

Github OAuth

GitHub's OAuth implementation supports the standard authorization code grant type and the OAuth 2.0 Device Authorization Grant for apps that don't have access to a web browser.

Github OAuth

Enable other users to authorize your OAuth App. Create your Github credentials here : authorizing-oauth-apps and set the correct credentials for Github Authentification API

'github': {
        'displayname': 'Github',
        'enabled': True,
        'basic_auth': True,
        'userinfo_auth': True,
        'scope' : [ 'read:user' ], 
        'client_id': 'xxxx',
        'client_secret': 'xxxx',
        'redirect_uri_prefix' : 'https://hostname.domain.local/API/auth/oauth',
        'redirect_uri_querystring': 'manager=external&provider=github',
        'authorization_base_url': 'https://github.com/login/oauth/authorize',
        'token_url': 'https://github.com/login/oauth/access_token',
        'userinfo_url': 'https://api.github.com/user',
        'policies': { 'acl'  : { 'permit': [ 'all' ] } }
      }

Great, you have check how the implicit Authentification configuration works.