Activating and Installing
Álvaro Arranz edited this page Feb 8, 2018
To install the plugin, enter your virtualenv and install the package using pip
as follows:
pip install ckanext-oauth2
Add the following to your CKAN .ini file (generally /etc/ckan/default/production.ini):
ckan.plugins = oauth2 <other-plugins>
## OAuth2 configuration
ckan.oauth2.logout_url = /user/logged_out
ckan.oauth2.register_url = https://YOUR_OAUTH_SERVICE/users/sign_up
ckan.oauth2.reset_url = https://YOUR_OAUTH_SERVICE/users/password/new
ckan.oauth2.edit_url = https://YOUR_OAUTH_SERVICE/settings
ckan.oauth2.authorization_endpoint = https://YOUR_OAUTH_SERVICE/authorize
ckan.oauth2.token_endpoint = https://YOUR_OAUTH_SERVICE/token
ckan.oauth2.profile_api_url = https://YOUR_OAUTH_SERVICE/user
ckan.oauth2.client_id = YOUR_CLIENT_ID
ckan.oauth2.client_secret = YOUR_CLIENT_SECRET
ckan.oauth2.scope = profile other.scope
ckan.oauth2.rememberer_name = auth_tkt
ckan.oauth2.profile_api_user_field = JSON_FIELD_TO_FIND_THE_USER_IDENTIFIER
ckan.oauth2.profile_api_fullname_field = JSON_FIELD_TO_FIND_THE_USER_FULLNAME
ckan.oauth2.profile_api_mail_field = JSON_FIELD_TO_FIND_THE_USER_MAIL
ckan.oauth2.authorization_header = OAUTH2_HEADER
Note: If you are using FIWARE as the OAuth2 provider, this is the concrete OAuth2 configuration you should use (e.g. using FIWARE Lab):
## OAuth2 configuration
ckan.oauth2.logout_url = /user/logged_out
ckan.oauth2.register_url = https://account.lab.fiware.org/users/sign_up
ckan.oauth2.reset_url = https://account.lab.fiware.org/users/password/new
ckan.oauth2.edit_url = https://account.lab.fiware.org/settings
ckan.oauth2.authorization_endpoint = https://account.lab.fiware.org/oauth2/authorize
ckan.oauth2.token_endpoint = https://account.lab.fiware.org/oauth2/token
ckan.oauth2.profile_api_url = https://account.lab.fiware.org/user
ckan.oauth2.client_id = YOUR_CLIENT_ID
ckan.oauth2.client_secret = YOUR_CLIENT_SECRET
ckan.oauth2.scope = all_info
ckan.oauth2.rememberer_name = auth_tkt
ckan.oauth2.profile_api_user_field = id
ckan.oauth2.profile_api_fullname_field = displayName
ckan.oauth2.profile_api_mail_field = email
ckan.oauth2.authorization_header = Authorization
And this is an example for connecting using Google:
## OAuth2 configuration
ckan.oauth2.logout_url = /user/logged_out
ckan.oauth2.authorization_endpoint = https://accounts.google.com/o/oauth2/auth
ckan.oauth2.token_endpoint = https://accounts.google.com/o/oauth2/token
ckan.oauth2.profile_api_url = https://www.googleapis.com/oauth2/v1/userinfo
ckan.oauth2.client_id = YOUR_CLIENT_ID
ckan.oauth2.client_secret = YOUR_CLIENT_SECRET
ckan.oauth2.scope = openid email profile
ckan.oauth2.rememberer_name = auth_tkt
ckan.oauth2.profile_api_user_field = email
ckan.oauth2.profile_api_fullname_field = name
ckan.oauth2.profile_api_mail_field = email
ckan.oauth2.authorization_header = Authorization
Additional notes:
- This extension only works when your CKAN instance is working over HTTPS, since OAuth 2.0 depends on it. You can follow the Starting CKAN over HTTPs tutorial to learn how to do that.
- You can run the extension to connect to an OAuth2 server using HTTP, or to a server using an invalid certificate (e.g. a self-signed one), by editing the file /etc/apache2/envvars and adding the following environment variable, or by directly exporting the variable in the shell if you are running the development server with "paster serve ...":
export OAUTHLIB_INSECURE_TRANSPORT=True
- The callback URL that you should set on your OAuth 2.0 server is https://YOUR_CKAN_INSTANCE/oauth2/callback, replacing YOUR_CKAN_INSTANCE by the machine and port where your CKAN instance is running.
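
A pre-deployment check for the settings above, added here as an example (it is not part of ckanext-oauth2): it reads a CKAN .ini and reports missing keys, leftover template placeholders, non-HTTPS provider URLs, and a set OAUTHLIB_INSECURE_TRANSPORT variable. The function name, the [app:main] section, the choice of required keys and the sample input are assumptions of this example.

```python
import configparser
import os

PREFIX = "ckan.oauth2."
# Assumption: a subset of the keys that appear in every configuration on this page.
REQUIRED = ("authorization_endpoint", "token_endpoint", "profile_api_url", "client_id",
            "client_secret", "scope", "profile_api_user_field", "authorization_header")
# Absolute URLs that point at the OAuth2 provider (logout_url is a local path).
PROVIDER_URLS = ("register_url", "reset_url", "edit_url",
                 "authorization_endpoint", "token_endpoint", "profile_api_url")
# Template markers from the page that must be replaced before deployment.
PLACEHOLDERS = ("YOUR_", "JSON_FIELD_TO_FIND", "OAUTH2_HEADER", "<other-plugins>")

def audit_oauth2_config(ini_text, environ):
    """Return a list of findings for the ckan.oauth2.* settings in ini_text."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.read_string(ini_text)
    # Assumption: the settings live in the [app:main] section of the CKAN .ini.
    app = dict(parser["app:main"]) if parser.has_section("app:main") else {}
    findings = []
    if "oauth2" not in app.get("ckan.plugins", "").split():
        findings.append("ckan.plugins: oauth2 is not enabled")
    for key in REQUIRED:
        if not app.get(PREFIX + key, "").strip():
            findings.append(PREFIX + key + ": missing or empty")
    for name, value in sorted(app.items()):
        key = name[len(PREFIX):] if name.startswith(PREFIX) else None
        if any(marker in value for marker in PLACEHOLDERS):
            findings.append(name + ": template placeholder left in value")
        elif key in PROVIDER_URLS and not value.lower().startswith("https://"):
            findings.append(name + ": provider URL is not HTTPS")
    if environ.get("OAUTHLIB_INSECURE_TRANSPORT"):
        findings.append("OAUTHLIB_INSECURE_TRANSPORT is set in the environment")
    return findings

# Constructed sample input, not a real deployment.
SAMPLE_INI = """
[app:main]
ckan.plugins = oauth2 stats
ckan.oauth2.authorization_endpoint = https://idp.example.org/authorize
ckan.oauth2.token_endpoint = http://idp.example.org/token
ckan.oauth2.profile_api_url = https://idp.example.org/user
ckan.oauth2.client_id = constructed-client-id
ckan.oauth2.client_secret = YOUR_CLIENT_SECRET
ckan.oauth2.scope = profile
ckan.oauth2.profile_api_user_field = id
"""

if __name__ == "__main__":
    print("\n".join(audit_oauth2_config(SAMPLE_INI, os.environ)))
```

Run it against the production .ini from the same environment Apache uses, so that a variable exported in /etc/apache2/envvars is visible to the check.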