Django-allauth
RDMO uses the excellent django-allauth as its main authentication library. It enables workflows for user registration and password retrieval, as well as authentication from 3rd party sites using OAuth2.
The library should be installed in RDMO using:
pip install rdmo[allauth]
Accounts
To enable regular accounts in RDMO add:
ACCOUNT = True
ACCOUNT_SIGNUP = True
ACCOUNT_TERMS_OF_USE = False
INSTALLED_APPS += [
    'allauth',
    'allauth.account',
]
AUTHENTICATION_BACKENDS.append('allauth.account.auth_backends.AuthenticationBackend')
MIDDLEWARE.append('allauth.account.middleware.AccountMiddleware')
to your config/settings/local.py. The setting ACCOUNT = True enables the general django-allauth features in RDMO, while ACCOUNT_SIGNUP = True enables new users to register with your RDMO instance. ACCOUNT_TERMS_OF_USE = False disables the Terms of Use. If you set it to True every registering user will have to agree to your policy. The last lines enable django-allauth to be used by RDMO.
The behavior of django-allauth can be further configured by the settings documented in the django-allauth documentation. RDMO sets some defaults, which can be found in rdmo/rdmo/core/settings.py in the rdmo package.
Other 3rd party authentication solutions
Generic OpenID Connect provider
The generic openid_connect provider from django-allauth allows for an easy configuration of multiple OpenID Connect providers.
In addition to the settings for Social accounts above, a few extra settings are required in the config/settings/local.py for this provider. Please note the django-allauth docs on openid-connect for the source of the following information:
SOCIALACCOUNT_PROVIDERS = {
    "openid_connect": {
        "APPS": [
            {
                "provider_id": "my-server",
                "name": "My Login Server",
                "client_id": "your.service.id",
                "secret": "your.service.secret",
                "settings": {
                    "server_url": "https://my.server.example.com",
                    # Optional token endpoint authentication method.
                    # May be one of "client_secret_basic", "client_secret_post"
                    # If omitted, a method from the server's
                    # token auth methods list is used
                    "token_auth_method": "client_secret_basic",
                },
            },
            {
                "provider_id": "other-server",
                "name": "Other Login Server",
                "client_id": "your.other.service.id",
                "secret": "your.other.service.secret",
                "settings": {
                    "server_url": "https://other.server.example.com",
                },
            },
        ]
    }
}
and add the provider to INSTALLED_APPS:
INSTALLED_APPS += [
    'allauth.socialaccount.providers.openid_connect',
]
The OpenID Connect callback URL for each configured server will use the provider_id as the {id} in accounts/{id}/login/callback/.
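A pre-deployment check for the SOCIALACCOUNT_PROVIDERS block above, as an added example (not RDMO or django-allauth code): it flags entries that still carry the placeholder credentials or a non-HTTPS server_url, and derives the callback URL to register with each identity provider. The function name audit_oidc_apps, the site URL rdmo.example.org and the sample values are assumptions constructed for illustration.

```python
from urllib.parse import urlparse

# The two token endpoint authentication methods named in the settings comment.
TOKEN_AUTH_METHODS = {"client_secret_basic", "client_secret_post"}


def audit_oidc_apps(providers, site_url):
    """Return (callback_urls, findings) for the openid_connect APPS entries."""
    callbacks, findings, seen = {}, [], set()
    for app in providers.get("openid_connect", {}).get("APPS", []):
        pid = app.get("provider_id") or "<missing>"
        settings = app.get("settings", {})
        if pid == "<missing>" or pid in seen:
            findings.append(f"{pid}: provider_id must be set and unique")
        seen.add(pid)
        url = urlparse(settings.get("server_url", ""))
        if url.scheme != "https" or not url.netloc:
            findings.append(f"{pid}: server_url must be an absolute https:// URL")
        method = settings.get("token_auth_method")
        if method is not None and method not in TOKEN_AUTH_METHODS:
            findings.append(f"{pid}: unknown token_auth_method {method!r}")
        for key in ("client_id", "secret"):
            value = app.get(key, "")
            # "your." is the placeholder prefix used in the sample settings.
            if not value or value.startswith("your."):
                findings.append(f"{pid}: {key} is empty or still a placeholder")
        # Callback pattern as stated on this page: accounts/{id}/login/callback/
        callbacks[pid] = f"{site_url.rstrip('/')}/accounts/{pid}/login/callback/"
    return callbacks, findings


# Constructed sample: the first entry is filled in, the second is left as copied.
SAMPLE_PROVIDERS = {
    "openid_connect": {
        "APPS": [
            {"provider_id": "my-server", "name": "My Login Server",
             "client_id": "rdmo-client", "secret": "value-loaded-from-env",
             "settings": {"server_url": "https://my.server.example.com",
                          "token_auth_method": "client_secret_basic"}},
            {"provider_id": "other-server", "name": "Other Login Server",
             "client_id": "your.other.service.id",
             "secret": "your.other.service.secret",
             "settings": {"server_url": "http://other.server.example.com"}},
        ]
    }
}

if __name__ == "__main__":
    urls, problems = audit_oidc_apps(SAMPLE_PROVIDERS, "https://rdmo.example.org")
    print(urls, *problems, sep="\n")
```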
NFDI-AAI Community AAI solutions
For RDMO service providers that are related to an NFDI Consortium, there might be the possibility to join a Community AAI solution in the context of the NFDI-AAI project. These Identity Providers support both SAML and OIDC, and OIDC can be readily configured in RDMO via the generic openid_connect provider from django-allauth.
Social accounts
In order to use 3rd party accounts (Facebook, GitHub, etc.) with RDMO add:
to your config/settings/local.py. The setting SOCIALACCOUNT = True is used by RDMO to show certain parts of the user interface connected to 3rd party accounts, while as before, the lines after INSTALLED_APPS enable the feature to be used by RDMO. SOCIALACCOUNT_AUTO_SIGNUP = True forces new users to fill out a signup form even if the provider does provide the email address. Each provider has a separate app you need to add to INSTALLED_APPS. A list of all providers supported by django-allauth can be found here.
Once the installation is complete, the credentials of your OAuth provider need to be entered in the admin interface. This is covered in the administration chapter of this documentation.
Groups
RDMO can be configured to add users from certain 3rd party accounts automatically to certain groups, e.g.
This can be used to restrict project creation based on authentication method.