OpenID/OAuth2 authentication client for ESGF
The ESGF authentication client is a Django web aplication that replaces the ESGF ORP. If a dataset file requires authentication, the THREDDS authentication filter redirects a user web browser to the web app. The web app discovers authentication services provided by an IdP selected by a user in the drop down, and redirects the user web browser to OAuth2 or OpenID server where the user enters his/her username and password. When the user is authenticated successfully, the OAuth2 (or OpenID) server redirects the user web browser back to the web app. The web app sets a secret cookie and redirects the user back to the THREDDS authentication filter.
Create Python 2.7 virtual environment
$ python --version
Python 2.7.10
$ virtualenv venv
$ . venv/bin/activate
Download and install crypto-cookie:
(venv)$ git clone git@github.com:philipkershaw/crypto-cookie
(venv)$ cd crypto-cookie
(venv)$ python setup.py
(venv)$ cd ..
Download and install esgf-auth with dependencies (Django, social-auth-app-django, social-auth-core, etc.)
(venv)$ git clone git@github.com:lukaszlacinski/esgf-auth
(venv)$ cd esgf-auth
(venv)$ pip install -r requirements.txt
Create the database
(venv)$ ./manage.py migrate
Create /esg/config/esgf_oauth2.json file with a client key and secret
received from an admin of an ESGF OAuth2 server. When you register your
OAuth2 client, your redirect URI is
https://<your_hostname>/esgf-auth/complete/esgf/
. Here is a sample
esgf_oauth2.json file:
{
"ceda.ac.uk":
"key": "BUwBQaqS7qs2pSLhwHiAQlqt+hc=",
"secret": "Qf+EsAoDmZzdW1L/H4zAj2u/tg3ISCnqxby+2bD7hY/GCZcRJgUjFQ=="
},
"esgf-node.llnl.gov": {
"key": "RMRXIub0/m4RIfo7sdr2OiGOTmc=",
"secret": "N9PT+3/rGnjGPkEBsyzhoggsyFYdX6ptPG9Gy6Olb0j8ub/4+DJtiA=="
}
}
Create a second file /esg/config/esgf_auth_config.json with additional site-specific information. An example of such configuration file is:
{
"ESGF_HOSTNAME":"my-node.esgf.org",
"ESGF_SECRET_KEY":"o7GIieXmQzUGslstjWS7d8==",
"DJANGO_SECRET_KEY":"xu0jf]LBUHfLHWbHXzBcDuffHaWQYrev8ojXXd1M"
}
where all values need to be changed by each site administrator. The value of "ESGF_SECRET_KEY" must match the value used to encode the authentication cookies that is configured in the THREDDS web.xml file.
For example, on Ubuntu, add the following lines to
/etc/apache2/sites-available/default-ssl,conf in
<VirtualHost _default_:443>
WSGIDaemonProcess esgf_auth python-path=<your_base_dir>/esgf-auth:<your_base_dir>/venv/lib/python2.7/site-packages
WSGIScriptAlias /esgf-auth <your_base_dir>/esgf-auth/esgf_auth/wsgi.py process-group=esgf_auth
<Directory <your_base_dir>/esgf-auth/esgf_auth>
<Files wsgi.py>
# Apache >= 2.4
#Require all granted
# Apache <= 2.2
Order allow,deny
Allow from all
</Files>
</Directory>
Alias /esgf-auth/home/static/ <your_base_dir>/esgf-auth/static/
<Directory <your_base_dir>/esgf-auth/static>
Options -Indexes
# Apache >= 2.4
#Require all granted
# Apache <= 2.2
Order allow,deny
Allow from all
AllowOverride None
</Directory>
After restarting Apache, open https://<your_hostname>/esgf-auth/thredds/
in a web browser. The page mimics THREDDS server with the authentication
filter. You will also likely need to change ownership of the 'esgf-auth' directory to
www-data (on Ubuntu), so Apache can access the SQLite3 database file.