Installation:
1. Install the package:
pip install ckanext-oidc-pkce
2. Add oidc_pkce to the ckan.plugins option in your config file
3. Configure SSO settings (see the configuration options and environment variables below)
#
Access SSO login at: /user/login/oidc-pkce
#
Required Configuration:
ckanext.oidc_pkce.base_url - URL of SSO application (e.g. https://12345.example.okta.com)
ckanext.oidc_pkce.client_id - ClientID of SSO application
#
Optional Configuration:
ckanext.oidc_pkce.client_secret - Client secret (only if app defines one, default: empty)
ckanext.oidc_pkce.auth_path - Authorization endpoint path (default: /oauth2/default/v1/authorize)
ckanext.oidc_pkce.token_path - Token endpoint path (default: /oauth2/default/v1/token)
ckanext.oidc_pkce.userinfo_path - Userinfo endpoint path (default: /oauth2/default/v1/userinfo)
ckanext.oidc_pkce.redirect_path - Local callback path (default: /user/login/oidc-pkce/callback)
ckanext.oidc_pkce.error_redirect - Error redirect URL (default: empty, redirects to came_from or login)
ckanext.oidc_pkce.scope - Scope requested for the token; the plugin expects at least the sub, email and name attributes (default: openid email profile)
ckanext.oidc_pkce.use_same_id - Use SSO ID as CKAN user ID for new users (default: false)
ckanext.oidc_pkce.munge_password - Override password for SSO users to force SSO-only login (default: false)
#
Environment Variables:
These environment variables override the corresponding config options: CKANEXT_OIDC_PKCE_BASE_URL, CKANEXT_OIDC_PKCE_CLIENT_ID, CKANEXT_OIDC_PKCE_CLIENT_SECRET
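#
Pre-deployment check (added example, not code from the extension): it merges the defaults listed above with config-file values and the three environment overrides, then reports settings that would break or weaken the SSO login. The function names, the rule that a set environment variable always wins, and the individual checks are assumptions made for this example.

```python
from urllib.parse import urlsplit

P = "ckanext.oidc_pkce."
# Defaults as listed on this page (base_url and client_id have none).
DEFAULTS = {
    P + "client_secret": "",
    P + "auth_path": "/oauth2/default/v1/authorize",
    P + "token_path": "/oauth2/default/v1/token",
    P + "userinfo_path": "/oauth2/default/v1/userinfo",
    P + "redirect_path": "/user/login/oidc-pkce/callback",
    P + "scope": "openid email profile",
}
# The three environment variables named on this page.
ENV_OVERRIDES = {
    "CKANEXT_OIDC_PKCE_BASE_URL": P + "base_url",
    "CKANEXT_OIDC_PKCE_CLIENT_ID": P + "client_id",
    "CKANEXT_OIDC_PKCE_CLIENT_SECRET": P + "client_secret",
}
# Constructed sample: a hypothetical config file and environment.
SAMPLE_INI = {P + "base_url": "http://12345.example.okta.com", P + "scope": "openid email"}
SAMPLE_ENV = {"CKANEXT_OIDC_PKCE_CLIENT_ID": "constructed-client-id"}

def effective_settings(ini, env):
    """Defaults, then config-file values, then environment overrides."""
    merged = {**DEFAULTS, **ini}
    for var, key in ENV_OVERRIDES.items():
        if var in env:  # assumption: a variable that is set always wins
            merged[key] = env[var]
    return merged

def audit(ini, env):
    """Return findings for the settings CKAN would end up using."""
    cfg, findings = effective_settings(ini, env), []
    for name in ("base_url", "client_id"):
        if not cfg.get(P + name):
            findings.append(f"{name}: required option is not set")
    base = urlsplit(cfg.get(P + "base_url", ""))
    if base.scheme and base.scheme != "https":
        findings.append("base_url: not https, codes and tokens would be exposed in transit")
    for name in ("auth_path", "token_path", "userinfo_path", "redirect_path"):
        if not cfg[P + name].startswith("/"):
            findings.append(f"{name}: expected a path beginning with '/'")
    missing = {"openid", "email", "profile"} - set(cfg[P + "scope"].split())
    if missing:
        findings.append(f"scope: missing {sorted(missing)}, so sub/email/name may be absent")
    if ini.get(P + "client_secret"):
        findings.append("client_secret: stored in the config file; the env override keeps it out")
    return findings
```

Calling audit(SAMPLE_INI, SAMPLE_ENV) reports the plain-http base_url and the missing profile scope; pass dict(os.environ) as env to check a real deployment.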