Merge pull request #11582 from camptocamp/backport/11577-to-master
[Backport master] Create a dedicated page for the authentication
sbrunner authored Dec 11, 2024
2 parents cfb1df0 + f8ca362 commit d2a52e3
Showing 5 changed files with 24 additions and 38 deletions.
44 changes: 21 additions & 23 deletions doc/integrator/authentication.rst
@@ -1,19 +1,20 @@

.. _integrator_authentication:

Authentication
--------------
==============

~~~~~~~~~~~~~~~~~~~
Supported standards
~~~~~~~~~~~~~~~~~~~
-------------------

- `OpenID Connect`: as client, to be able to connect to an external OpenID Connect (OIDC) server.
- `TOTP`: for two-factor authentication (2FA), this can be used for example with Google Authenticator.
- `OAuth2` as server: An external application can use GeoMapFish as a single sign-on (SSO) for the
authentication, even if it was initially implemented to be able to connect from QGIS desktop on an
application that requires two factor authentication.

~~~~~~~~~~~~~~~~~~
The default policy
~~~~~~~~~~~~~~~~~~
------------------

By default, ``c2cgeoportal`` applications use an *auth ticket* authentication
policy (``AuthTktAuthenticationPolicy``). With this policy, the user name is
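Review bot: the marker levels chosen in this hunk (`=` under `Authentication`, `-` under `Supported standards`) match the sibling `security.rst` page (`Security` over `========`), which is what the `index.rst` toctree needs once `authentication` is listed beside `security`; keep `-` for every top section of this file so the included `authentication_oauth2.rst` and `authentication_oidc.rst` titles, also moved to `-`, land at the same depth. Style point on the `OAuth2` bullet: "even if it was initially implemented to be able to connect from QGIS desktop" reads as a contradiction; "this was initially implemented so that QGIS desktop can connect to an application that requires two-factor authentication" says what is meant.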
@@ -40,28 +41,23 @@ In the file ``env.project``, you can configure the policy with the following var
See also `the official documentation <https://docs.pylonsproject.org/projects/pyramid/en/latest/api/authentication.html#pyramid.authentication.AuthTktAuthenticationPolicy>`_.


~~~~~~~~~~~~~~~~~~~~
Using another policy
~~~~~~~~~~~~~~~~~~~~
--------------------

When using ``AuthTktAuthenticationPolicy``, an "auth ticket" cookie should be
set in the request for the user to be identified. In some applications, using
a custom identification mechanism may be needed instead, for instance to use SSO.
Our knowledge base has an example of how this can be achieved.

~~~~~~~~~~~~~~~
User validation
~~~~~~~~~~~~~~~
---------------

For logging in, ``c2cgeoportal`` validates the user credentials
(username/password) by reading the user information from the ``user`` database
table. If a c2cgeoportal application should work with another user information
source, like LDAP, a custom *client validation* mechanism can be set up.
Our knowledge base has an example of how this can be achieved.

~~~~~~~~~~
Basic auth
~~~~~~~~~~
----------

To be able to access the OGC services from your desktop GIS, you should enable the basic authentication
by setting ``BASICAUTH`` to ``True`` in the ``env.project`` file.
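Review bot: both "Using another policy" and "User validation" in this hunk end with "Our knowledge base has an example of how this can be achieved." without any link, so a reader of this now-standalone page has nothing to follow; either link the knowledge-base entries or, for the SSO case, point at the `:ref:`integrator_authentication_oidc`` section that this file now includes (the LDAP case still needs its link).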
@@ -73,9 +69,8 @@ in your query string.

For security reasons, basic authentication and two factor authentication should not be enabled together.

~~~~~~~~~~~~~~~~~~~~~~~~~~
Two factors authentication
~~~~~~~~~~~~~~~~~~~~~~~~~~
--------------------------

GeoMapFish support TOTP (Time-Based One-Time Password Algorithm) two factors authentication
(`RFC 6238 <https://tools.ietf.org/html/rfc6238>`_).
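Review bot: "For security reasons, basic authentication and two factor authentication should not be enabled together." (context line of this hunk) states the rule but neither the reason nor an alternative, while the same sentence further down adds "you should use OAuth2 for that"; presumably the reason is that a Basic `Authorization` header carries only username and password, so the second factor is never requested. If that is it, say so here and add the same `:ref:`OAuth2<integrator_authentication_oauth2>`` pointer, so both occurrences tell the integrator the same thing.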
@@ -96,9 +91,8 @@ should uncheck the 'The user changed his password' field on the user in the admi
For security reasons, basic authentication and two factor authentication should not be enabled together,
you should use :ref:`OAuth2<integrator_authentication_oauth2>` for that.

~~~~~~~~~~~~~~~
Account lockout
~~~~~~~~~~~~~~~
---------------

To lock an account after a certain number of authentication failures, set the following settings:

@@ -111,9 +105,9 @@ To lock an account after a certain number of authentication failures, set the fo
To unlock a user, the administrator should uncheck the 'Deactivated' field on the user in the
admin interface.

~~~~~~~~

Intranet
~~~~~~~~
--------

To configure the intranet networks fill in the configuration like:

@@ -138,19 +132,17 @@ See `Python documentation <https://docs.python.org/3.4/library/ipaddress.html#ip

A user can easily manually set the `Forwarded` or `X-Forwarded-For` header to spoof his IP.

~~~~~~~~~~~~~~~~~~~
Lost admin password
~~~~~~~~~~~~~~~~~~~
-------------------

You can generate a new admin password the following command:

.. argparse::
:ref: c2cgeoportal_geoportal.scripts.manage_users.get_argparser
:prog: docker compose exec geoportal manage-users

~~~~~~~~~~~~~~~~~~~~
External application
~~~~~~~~~~~~~~~~~~~~
--------------------

Some service of GeoMapFish has some host restriction if you mix the domain.

@@ -177,3 +169,9 @@ Admin
We provide a view for the admin interface, to be able to clear the cache per OGC server.
If for an unknown reason you have not the same host in the ``Host`` header and ``came_from`` parameter, you should
add the domain of the ``came_from`` parameter in the vars in ``vars/admin_interface/allowed_hosts``.


.. _integrator_authentication_oauth2:
.. include:: authentication_oauth2.rst
.. _integrator_authentication_oidc:
.. include:: authentication_oidc.rst
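Review bot: the two includes appended here come in the order OAuth2 then OIDC, while the `Supported standards` list at the top of this file introduces OpenID Connect first and OAuth2 last, and `security.rst` (whose removal this mirrors) had OIDC before OAuth2; pick one order for all three places. Keeping the `.. _integrator_authentication_oauth2:` and `.. _integrator_authentication_oidc:` labels directly above their `.. include::` lines, as done here, is right: the `:ref:`OAuth2<integrator_authentication_oauth2>`` in the two-factor section depends on them.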
2 changes: 1 addition & 1 deletion doc/integrator/authentication_oauth2.rst
@@ -1,5 +1,5 @@
OAuth2 with QGIS
~~~~~~~~~~~~~~~~
----------------

In the admin interface create an 'OAuth2 Client' with:

9 changes: 1 addition & 8 deletions doc/integrator/authentication_oidc.rst
@@ -1,5 +1,5 @@
OpenID Connect
~~~~~~~~~~~~~~
--------------

We can configure an OpenID connect service as an SSO (Single Sign-On) provider for our application. This allows users to log in to our application using their OpenID Connect credentials.

@@ -33,7 +33,6 @@ We use `OpenID Connect Discovery 1.0 <https://openid.net/specs/openid-connect-di
end
Geoportal->>-Browser: response

~~~~~~~~~~~~~~~~~~~~~~~
Authentication provider
~~~~~~~~~~~~~~~~~~~~~~~

@@ -52,7 +51,6 @@ If we want to use OpenID Connect as an authentication provider, we need to set t
With that the user will be create in the database at the first login, and the access right will be set in the GeoMapFish database.
The user correspondence will be done on the email field.

~~~~~~~~~~~~~~~~~~~~~~
Authorization provider
~~~~~~~~~~~~~~~~~~~~~~

@@ -74,7 +72,6 @@ If we want to use OpenID Connect as an authorization provider, we need to set th
With that the user will not be in the database only the roles will be set in the GeoMapFish database.

~~~~~~~~~~~~~
Other options
~~~~~~~~~~~~~

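Review bot: the context line "With that the user will not be in the database only the roles will be set in the GeoMapFish database." needs a break to be readable: "With that, the user is not stored in the database; only the roles are set in the GeoMapFish database."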
@@ -107,7 +104,6 @@ Other options
display_name: name
email: email
~~~~~~~~~~~~~~~~~~~~
Example with Zitadel
~~~~~~~~~~~~~~~~~~~~

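Review bot: in this hunk the `email: email` line of the YAML block runs straight into the `Example with Zitadel` title with no blank line between them; docutils ends the directive content at the first unindented line and reports "Explicit markup ends without a blank line; unexpected unindent." The removed `~` overline had the same problem, so the change does not make it worse, but since the heading is being touched anyway, insert an empty line before `Example with Zitadel`.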
@@ -121,7 +117,6 @@ Example with Zitadel
query_user_info: true
create_user: true
~~~~~
Hooks
~~~~~

@@ -153,7 +148,6 @@ Configure the hooks in the project initialization:
config.add_request_method(get_remember_from_user_info, name="get_remember_from_user_info")
config.add_request_method(get_user_from_remember, name="get_user_from_remember")
~~~~~~~~~~~~~~~~~
QGIS with Zitadel
~~~~~~~~~~~~~~~~~

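Review bot: same missing blank line as in the `Example with Zitadel` hunk: `create_user: true` in the previous hunk and `config.add_request_method(get_user_from_remember, ...)` here are immediately followed by the `Hooks` and `QGIS with Zitadel` titles; add an empty line after each code block so the directives close cleanly and the build stays warning-free.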
@@ -173,7 +167,6 @@ On QGIS:
* Set ``Client ID`` to ``<client_id>``.
* Set ``Scope`` to the ``openid profile email``.

~~~~~~~~~~~~~~
Implementation
~~~~~~~~~~~~~~

1 change: 1 addition & 0 deletions doc/integrator/index.rst
@@ -21,6 +21,7 @@ Content:
database
configuration
customize
authentication
security
features
docker
6 changes: 0 additions & 6 deletions doc/integrator/security.rst
@@ -3,12 +3,6 @@
Security
========

.. _integrator_authentication:
.. include:: authentication.rst
.. _integrator_authentication_oidc:
.. include:: authentication_oidc.rst
.. _integrator_authentication_oauth2:
.. include:: authentication_oauth2.rst
.. include:: https.rst
.. include:: reset_password.rst

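Review bot: dropping `.. _integrator_authentication:` here is the important part of this hunk: `authentication.rst` already defines that label on its own first line, so while it was included here the target existed twice; with the page now reached through the `index.rst` toctree the duplicate goes away, and `integrator_authentication_oauth2` / `integrator_authentication_oidc` are provided by the labels moved to the end of `authentication.rst`. Worth one build with warnings as errors to confirm no "Duplicate explicit target name" remains and that `https.rst` and `reset_password.rst` still render under `Security`.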