
Python social auth

Petri Riihikallio edited this page Aug 22, 2021 · 11 revisions

WebMark doesn't store any passwords for security reasons. Authentication is delegated to external identity providers over OAuth2 and implemented with Python Social Auth. The required configuration is at the end of settings.py.

To make it work, you need to register WebMark with every authentication provider you want to support. Currently ORCiD, Google and Facebook are supported. The keys and secrets are in the .env file on the staging server. However, do not use those for development!! Set up a new registration, at least with Google, for local development and testing, and put that key and secret in your local .env file. For development you only need one registered authentication provider. You can share this file with fellow developers, but do NOT commit it or post it on GitHub (you'd make a fool of yourself).
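The settings.py block that wires this up could look like the following. This is an added example, not the project's own settings.py: it assumes the social-auth-app-django package (the SOCIAL_AUTH_* setting names and backend paths are the ones its documentation uses), that the .env file has already been loaded into os.environ (for example with python-dotenv), and that the .env variable names are GOOGLE_OAUTH2_KEY, ORCID_KEY, FACEBOOK_KEY and the matching *_SECRET, which are assumptions. It enables only the providers whose key and secret are both present, so a developer who registered just Google can run locally, and it refuses to start with a half-configured provider or with no provider at all.

```python
"""Build the Python Social Auth settings from environment variables.

Added example, not the project's settings.py. Assumes social-auth-app-django
(setting names and backend paths from its docs) and a .env already loaded into
os.environ; the GOOGLE_OAUTH2_*, ORCID_* and FACEBOOK_* variable names are
assumptions.
"""
import os

# backend name used in the /complete/<name>/ URL -> (backend class, env prefix)
PROVIDERS = {
    "google-oauth2": ("social_core.backends.google.GoogleOAuth2", "GOOGLE_OAUTH2"),
    "orcid": ("social_core.backends.orcid.ORCIDOAuth2", "ORCID"),
    "facebook": ("social_core.backends.facebook.FacebookOAuth2", "FACEBOOK"),
}


def social_auth_settings(env=None, debug=False):
    """Return a dict of Django settings for the providers configured in env.

    A provider is enabled only when both its key and secret are set; a key
    without a secret (or vice versa) is a configuration error, not a provider
    to skip silently.
    """
    env = os.environ if env is None else env
    settings = {}
    backends = []
    for backend, prefix in PROVIDERS.values():
        key = env.get(f"{prefix}_KEY")
        secret = env.get(f"{prefix}_SECRET")
        if not key and not secret:
            continue  # provider not registered for this deployment
        if not (key and secret):
            raise RuntimeError(f"{prefix}_KEY and {prefix}_SECRET must both be set")
        settings[f"SOCIAL_AUTH_{prefix}_KEY"] = key
        settings[f"SOCIAL_AUTH_{prefix}_SECRET"] = secret
        backends.append(backend)
    if not backends:
        raise RuntimeError("no OAuth2 provider configured; register at least one")
    # ModelBackend is kept only for the Django admin superuser (assumption);
    # ordinary users never get a password.
    settings["AUTHENTICATION_BACKENDS"] = tuple(backends) + (
        "django.contrib.auth.backends.ModelBackend",
    )
    # The absolute redirect URL social-auth builds must match the one
    # registered at the provider. ORCiD accepts https only, so only a local
    # DEBUG server may use plain http.
    settings["SOCIAL_AUTH_REDIRECT_IS_HTTPS"] = not debug
    return settings


def redirect_uri(base_url, provider):
    """The redirect URI to register at the provider for one backend name."""
    return f"{base_url.rstrip('/')}/complete/{provider}/"


if __name__ == "__main__":
    # Constructed sample environment: a developer who registered only Google.
    sample_env = {"GOOGLE_OAUTH2_KEY": "client-id", "GOOGLE_OAUTH2_SECRET": "client-secret"}
    for name, value in social_auth_settings(sample_env, debug=True).items():
        print(name, "=", value)
    print(redirect_uri("https://ohtup-staging.cs.helsinki.fi/qleader/", "orcid"))
```

In settings.py you would call `globals().update(social_auth_settings(debug=DEBUG))` after loading the .env; the redirect_uri helper reproduces the staging URIs registered in the ORCiD and Facebook steps below, which is handy when you register a second deployment.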

If you goof

In case you inadvertently publish the credentials, reset the client secret in all of the affected services; treat a secret that was ever pushed as leaked, even if you rewrite the history afterwards. Just remember to copy the new secrets to your .env and restart your server.

  • Google: Click the OAuth 2.0 Client ID name on the Credentials page and click RESET SECRET at the top of the page
  • ORCiD: Click on the pencil icon to the right of your app name and click on Reset client secret
  • Facebook: In your app's Settings > Basic click on App Secret Show and then Reset

If you committed your .env, stop tracking it and add it to .gitignore so it cannot happen again. The commands below only rewrite the most recent commit, so they are enough if the .env went in with your last commit; if it was committed earlier, the secret is still in the older commits and you have to rewrite the history from that commit onwards (for example with git filter-repo). A rewritten history needs a force push, and forks, clones and GitHub's caches may still hold the old commit, which is why you reset the secrets anyway:

echo .env >> .gitignore
git rm --cached .env
git add .gitignore
git commit --amend -C HEAD
git push --force-with-lease

Google

Setting up Google OAuth requires several steps. However, it is good for development use since you can point it to localhost using plain http (no TLS). This will guide you through the required fields:

  1. Log in to the Google Developer Dashboard. You may need to promote your Google ID to a developer ID.
  2. Set up the OAuth consent screen first:
    1. User-Type: External (you can later publish your app to any user)
    2. App name: QuantMark (or WebMark or whatever)
    3. User support email: [email protected]
    4. Application home page: https://ohtup-staging.cs.helsinki.fi/qleader/
    5. Authorized domains: helsinki.fi
    6. Developer contact information: [email protected] (or whatever)
    7. Click Save and continue
    8. Add scopes:
      • ../auth/userinfo.email
      • ../auth/userinfo.profile
      • openid
    9. Click Save and continue
    10. Add your own and your team members' Google IDs as test users
  3. Set up Credentials next:
    1. Click on Create credentials > OAuth Client ID
    2. Application type: Web application
    3. Name: QuantMark (or whatever)
    4. Authorized redirect URIs:
    5. Click Create and copy the Client ID and secret to your .env

ORCiD

ORCiD IDs are popular with researchers, but ORCiD will only redirect to https URLs. Setting up certificates for your development server is a pain. Otherwise ORCiD is fairly straightforward to set up:

  1. Log in to ORCiD developer
  2. Create a new app:
    1. Name of your application: QuantMark (or WebMark or whatever)
    2. Your website URL: https://ohtup-staging.cs.helsinki.fi/qleader/
    3. Description of your application: Quantum chemistry experiment register (or whatever)
    4. Redirect URIs: https://ohtup-staging.cs.helsinki.fi/qleader/complete/orcid/
    5. The Save button is a graphic on the right about halfway down vertically
  3. You may need to click on Show details to see the Client ID and Secret. Copy them to your .env

Facebook

You can use Facebook for development as well, if you change "Enforce HTTPS" to No. Do that only on a separate app registered for local development, never on the registration used by the staging or production server.

  1. Log in to Facebook for Developers
  2. Switch to My Apps and click on Create App
    1. Choose Consumer
    2. App Display Name: QuantMark (or WebMark or whatever)
    3. App Contact Email: [email protected] (or whatever)
  3. Add Facebook Login to your app by clicking Set up, but don't run the Quickstart
  4. On the left, select Facebook Login > Settings
    1. Valid OAuth Redirect URIs: https://ohtup-staging.cs.helsinki.fi/qleader/complete/facebook/
    2. "Client OAuth Login", "Web OAuth Login", "Enforce HTTPS" and "Use Strict Mode for Redirect URIs" should be Yes by default
    3. "Force Web OAuth Reauthentication", "Embedded Browser OAuth Login", "Login from Devices" and "Login with the JavaScript SDK" should be No by default
  5. On the left, select Settings > Basic to see App ID and App Secret and copy them to your .env

🔴 Disclaimer

The user interfaces for the ID providers change frequently. This was valid in the summer of 2021.
