http://localhost/ticket/787 <p> Auth Proposal </p> <p> Use case: We'd like an authenticated and authorized Drupal user to be able to edit/delete packages using the API </p> <p> To do this a user would need a CKAN API key so we need some way of Drupal telling CKAN who a user is so that they can get their API key. </p> <p> Proposed Implementation </p> <hr /> <p> A user visits the CKAN API key page to get their key. Because CKAN is at catalogue.data.gov.uk (a subdomain of the Drupal site) it can read Drupal cookies. </p> <p> If there is no <tt></tt>DRXtrArgs<tt></tt> or <tt></tt>DRXtrArgs2<tt></tt> cookie, we know the user isn't signed in so we redirect them to Drupal to sign in. </p> <p> WISHLIST: It would be really nice if we could pass the URL to redirect back to Drupal so tha Druapl can send them back to the CKAN API key page </p> <p> Either way, they get back to CKAN and now the cookies exist. When the first HTTP request header is sent, CKAN will read the Drupal session ID and then call a Drupal API, server to server. </p> <p> TODO: Implement an API on the drupal server which accepts a Drupal session ID as an argument and returns the username and credentials, but only if the request if from the CKAN server (perhaps we specify an API key in the request) </p> <p> If the session is valid CKAN will set its own auth cookie and show them the page with the API key. CKAN only considers a user signed in if both the CKAN cookie *and* Drupal session ID are present. If at any time they sign out of Drupal the Drupal session disappears so they will be signed out of CKAN too. </p> <p> Now the user has an API key they can use the standard CKAN command line API tools. </p> <p> The API key is the only thing the user will need to use the CKAN API. This poses a problem. What if a user is removed from Drupal but still has a CKAN API key? </p> <p> Two solutions: </p> <ol><li>API keys will be set to only be valid for the length of a Drupal session so that a user will only be able to use the write API for a little time after credentials are revoked </li></ol><ol start="2"><li>CKAN provides an API to allow Drupal to revoke keys </li></ol><p> Option 1. seems easier to me. If we choose this we will write a <tt></tt>get_api_key<tt></tt> command line tool so that Drupal user can write things like this: </p> <p> :: </p> <blockquote> <p> datapkg list_packages --api_key <tt>get_api_key</tt> </p> </blockquote> <p> The <tt></tt>get_api_key<tt></tt> function will prompt for username and password and then perform the steps necessary to get an API key. </p> en-us http://assets.okfn.org/p/ckan/img/ckan_logo_shortname.png http://localhost/ticket/787 Trac 0.12.3 pudo Tue, 09 Nov 2010 09:33:27 GMT http://localhost/ticket/787#comment:1 http://localhost/ticket/787#comment:1 <p> Alternative: </p> <ul><li>The Drupal system will expose a resource at data.gov.uk/profile which wil contain the reqesting user's nickname, fullname, email etc. in JSON (or XML) form. </li><li>The Drupal system will also run an OAuth server (and provide /request_token, /access_token, /authorize). </li><li>CKAN's login form will be rewired to initiate a client OAuth request on the /profile resource. </li><li>Recognizing CKAN's callback URL at catalogue.data.gov.uk, Drupal will automatically grant the request if a user is signed in. </li><li>Upon return, a user is created, optionally using the OAuth access token as the users API key, thus making it known both to Drupal and CKAN. </li><li>The authorizer will be extended to check access to the /profile resource for OAuth accounts (slow but safe). </li></ul><p> Advantages: </p> <ul><li>Well-known protocol, does not depend on cookies (which are strange and never behave as defined, or even the same in multiple browsers) </li><li>Python code is available: <a class="ext-link" href="http://oauth.googlecode.com/svn/code/python/oauth/example"><span class="icon">​</span>http://oauth.googlecode.com/svn/code/python/oauth/example</a> </li><li>Drupal seems to have very complete support: <a class="ext-link" href="http://drupal.org/node/296205"><span class="icon">​</span>http://drupal.org/node/296205</a> </li><li>Can be fully implemented as a plugin, using an OAuthClientController for callback and adding hooks to the Authorizer (perhaps need to reconfigure who.ini) </li></ul> Ticket johnbywater Mon, 15 Nov 2010 10:07:38 GMT http://localhost/ticket/787#comment:2 http://localhost/ticket/787#comment:2 <ul> <li><strong>sprint</strong> changed from <em>1.3.3</em> to <em>1.3.4</em> </li> </ul> <p> Moved from sprint 1.3.3 </p> Ticket thejimmyg Fri, 07 Jan 2011 16:32:46 GMT http://localhost/ticket/787#comment:3 http://localhost/ticket/787#comment:3 <ul> <li><strong>priority</strong> set to <em>major</em> </li> <li><strong>component</strong> set to <em>dgu</em> </li> <li><strong>milestone</strong> changed from <em>ckan-v1.3</em> to <em>longterm</em> </li> </ul> Ticket thejimmyg Mon, 28 Mar 2011 09:47:47 GMT http://localhost/ticket/787#comment:4 http://localhost/ticket/787#comment:4 <ul> <li><strong>repo</strong> set to <em>ckan</em> </li> <li><strong>theme</strong> set to <em>none</em> </li> <li><strong>milestone</strong> changed from <em>longterm</em> to <em>ckan-v1.4-sprint-5</em> </li> </ul> Ticket thejimmyg Mon, 18 Apr 2011 09:14:14 GMT http://localhost/ticket/787#comment:5 http://localhost/ticket/787#comment:5 <p> The AuthAPI now exists as an IMiddleware plugin, we really need the permission system moved into CKAN before it is useful though and this depends on a refactor of the Auth system. See <a class="closed ticket" href="http://localhost/ticket/1094" title="enhancement: [super] Refactor the Auth System (closed: duplicate)">#1094</a> </p> Ticket thejimmyg Mon, 18 Apr 2011 09:14:43 GMT http://localhost/ticket/787#comment:6 http://localhost/ticket/787#comment:6 <ul> <li><strong>milestone</strong> changed from <em>ckan-v1.4-sprint-5</em> to <em>ckan-v1.4-sprint-6</em> </li> </ul> Ticket shevski Fri, 08 Jul 2011 12:00:48 GMT http://localhost/ticket/787#comment:7 http://localhost/ticket/787#comment:7 <ul> <li><strong>milestone</strong> changed from <em>ckan-v1.5</em> to <em>ckan-current-sprint</em> </li> </ul> Ticket kindly Mon, 15 Aug 2011 09:23:03 GMT http://localhost/ticket/787#comment:8 http://localhost/ticket/787#comment:8 <ul> <li><strong>keywords</strong> <em>dgu</em> added </li> </ul> Ticket thejimmyg Mon, 12 Sep 2011 09:51:58 GMT http://localhost/ticket/787#comment:9 http://localhost/ticket/787#comment:9 <ul> <li><strong>status</strong> changed from <em>new</em> to <em>closed</em> </li> <li><strong>resolution</strong> set to <em>fixed</em> </li> <li><strong>milestone</strong> changed from <em>ckan-current-sprint</em> to <em>ckan-sprint-2011-09-12</em> </li> </ul> <p> The joint authentication was implemented a long time ago and is deployed on catalogue.data.gov.uk. We'll build the authorisation layer in ticket <a class="new ticket" href="http://localhost/ticket/1326" title="enhancement: Write a set of auth plugin functions to integrate with Druapl (new)">#1326</a> so marking this as fixed. </p> Ticket