Connecting Science Gateway/Applications hosting framework with the User Registration Portal (URP)
This article is deprecated and should no longer be used, but is still available for reference.
Warning:
This guideline is now deprecated. Please check EGI_Verifier_Guideline for the current version.
Overview
This wiki page contains a short overview of the integration steps that Science Gateway/Applications hosting frameworks must complete to contribute to the EGI Applications on Demand (AoD) service.
The User Registration Portal (URP) provides the identity federation mechanism that enables users to authenticate in any of the connected Science Gateways/Applications hosting frameworks with either social credentials or an EGI SSO account.
In this old implementation, identity federation is provided by Unity [1], an authentication and authorization management solution that uses OpenID Connect as its standard interface.
Connecting the Science Gateway with the URP
Client service registration
1. Open a GGUS ticket to operations that includes your service's return URIs.
2. The UNITY team sends you the client's clientID and secretKey.
Authorization request parameters:
response_type: code
redirect_uri: [Redirect URL]
client_id: unity-oauth-egrant
state: [You should generate your own state, e.g. md5(uniqid(rand(), TRUE));]
scope: profile openid
Authorization request (the user's browser is redirected to Unity):
https://unity.egi.eu/oauth2-as/oauth2-authz?response_type=code&client_id=123123123&redirect_uri=https%3A%2F%2Fclient.pl%2Fauth&scope=openid%20profile&state=a123a123a123
Authorization response (Unity redirects the browser back to the client):
Location: https://client.pl/auth?code=uniquecode123&state=a123a123a123
Token request (the client exchanges the code at Unity's token endpoint, https://unity.egi.eu/oauth2/token):
POST /oauth2/token HTTP/1.1
Host: unity.egi.eu
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&code=uniquecode123&redirect_uri=https%3A%2F%2Fclient.pl%2Fauth
Token response:
HTTP/1.1 200 OK
Content-Type: application/json
Cache-Control: no-store
Pragma: no-cache

{
  "access_token": "accessToken123",
  "token_type": "Bearer",
  "expires_in": 3600,
  "refresh_token": "refreshToken123",
  "id_token": "idToken123123"
}
Important configuration data:
unity.server.clientId=[YOUR CLIENT ID]
unity.server.clientSecret=[YOUR SECRET KEY]
unity.server.authorize=https://unity.egi.eu/oauth2-as/oauth2-authz
unity.server.token=https://unity.egi.eu/oauth2/token
unity.server.base=https://unity.egi.eu/
List of attributes released by Unity
for scope 'profile':
- name (string)
- email (string)
- confirmedRegistration (true/false) - tells whether the user has confirmed the affiliation request
- hasActiveSla (true/false) - tells whether the user has confirmed the resource request
Both confirmedRegistration and hasActiveSla must be 'true' for the user to be accepted as a full member.
for scope 'additional':
- persistent (string) - persistent ID of the user assigned by UNITY. SG providers should use this attribute as the source of a unique userID.
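As an added example (not part of the original page and not Unity's or any SG framework's own code), the client side of the flow above in Python: building the authorization request with a random state, validating the callback before trusting the code, and turning the attributes Unity releases into a local account decision. Only the Unity authorization endpoint is taken from the page; the client ID and redirect URI are the page's sample values.

```python
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTHORIZE_ENDPOINT = "https://unity.egi.eu/oauth2-as/oauth2-authz"  # from this page

def build_authorization_request(client_id, redirect_uri, scopes=("openid", "profile")):
    """Return (authorization URL, state). Store `state` in the server-side
    session so the callback can be tied to exactly this login attempt."""
    state = secrets.token_urlsafe(24)  # unguessable; never derive it from user input
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params), state

def parse_callback(location, expected_state):
    """Validate the redirect to redirect_uri and return the authorization code.
    A missing or mismatching state is rejected before the code is looked at,
    which is the guard against login CSRF and injected codes."""
    query = parse_qs(urlparse(location).query)
    state = query.get("state", [""])[0]
    if not state or not secrets.compare_digest(state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback does not belong to this login")
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code

def _as_bool(value):
    # Unity documents the flags as true/false; accept JSON booleans and strings.
    return value is True or str(value).lower() == "true"

def evaluate_user(claims):
    """Map the attributes Unity releases to a local account decision:
    `persistent` is the only stable user key, and full membership requires
    both confirmedRegistration and hasActiveSla to be true."""
    persistent = claims.get("persistent")
    if not persistent:
        raise ValueError("no persistent ID released; cannot key a local account")
    full_member = (_as_bool(claims.get("confirmedRegistration"))
                   and _as_bool(claims.get("hasActiveSla")))
    return {"user_id": persistent, "name": claims.get("name"),
            "email": claims.get("email"), "full_member": full_member}
```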
OpenID Connect for Liferay
OpenID Connect for Liferay is a very rough but effective implementation of the OpenID Connect protocol for Liferay. Use this module to authenticate with any OpenID Connect provider.
OpenID Connect for Django
To configure a Django project to support OpenID Connect authentication, the django-oidc-auth module can be used.
How to use
$ pip install django-oidc-auth
Then configure the module:
INSTALLED_APPS += ['oidc_auth']
AUTHENTICATION_BACKENDS = ('oidc_auth.auth.OpenIDConnectBackend',) + AUTHENTICATION_BACKENDS
OIDC_AUTH = {
    'DEFAULT_PROVIDER': {
        'issuer': 'https://unity.egi.eu/oauth2',
        'client_id': AUTH_OIDC_CLIENT_ID,
        'client_secret': AUTH_OIDC_SECRET,
    },
    'SCOPES': ['openid', 'profile'],
}
Finally, add this to your urls.py:
urlpatterns = patterns('your.views',
    # ...
    url(r'oidc/', include('oidc_auth.urls')),
)
Run
python manage.py migrate