.. _integrator_authentication:

Authentication
==============

Supported standards
-------------------

- `OpenID Connect`: as client, to be able to connect to an external OpenID Connect (OIDC) server.
- `TOTP`: for two-factor authentication (2FA), this can be used for example with Google Authenticator.
- `OAuth2` as server: an external application can use GeoMapFish as a single sign-on (SSO) provider for
  authentication. It was initially implemented to be able to connect from QGIS desktop to an application
  that requires two-factor authentication.

The default policy
------------------

By default, ``c2cgeoportal`` applications use an *auth ticket* authentication policy
(``AuthTktAuthenticationPolicy``). With this policy, the user name is obtained from the "auth ticket"
cookie set in the request. The policy is created, and added to the application's configuration, in the
application's main ``__init__.py`` file.

In the file ``env.project``, you can configure the policy with the following variables:

``AUTHTKT_TIMEOUT``: Defaults to one day.

``AUTHTKT_REISSUE_TIME``: Defaults to 2h30; recommended to be 10 times smaller than ``AUTHTKT_TIMEOUT``.

``AUTHTKT_MAXAGE``: Defaults to one day; good to have the same value as ``AUTHTKT_TIMEOUT``.

``AUTHTKT_SECRET``: Should be defined.

``AUTHTKT_COOKIENAME``: Should be defined.

``AUTHTKT_HTTP_ONLY``: Defaults to ``true``.

``AUTHTKT_SECURE``: Defaults to ``true``.

``AUTHTKT_SAMESITE``: Defaults to ``Lax``.

.. note::

   With the default configuration, for security reasons, the authentication will only work if the project
   is served over ``https``.

See also `the official documentation `_.

Using another policy
--------------------

When using ``AuthTktAuthenticationPolicy``, an "auth ticket" cookie should be set in the request for the
user to be identified. In some applications, using a custom identification mechanism may be needed instead,
for instance to use SSO.
User validation
---------------

For logging in, ``c2cgeoportal`` validates the user credentials (username/password) by reading the user
information from the ``user`` database table. If a c2cgeoportal application should work with another user
information source, like LDAP, a custom *client validation* mechanism can be set up.

Basic auth
----------

To be able to access the OGC services from your desktop GIS, you should enable basic authentication by
setting ``BASICAUTH`` to ``True`` in the ``env.project`` file.

To force the application to ask for a password, you should have the attribute ``authentication_required``
in your query string.

.. note::

   For security reasons, basic authentication and two-factor authentication should not be enabled together.

Two-factor authentication
-------------------------

GeoMapFish supports TOTP (Time-Based One-Time Password Algorithm) two-factor authentication
(`RFC 6238 `_).

To enable two-factor authentication you should set the following settings:

.. code:: yaml

   vars:
     authentication:
       two_factor: true
       two_factor_issuer_name:

If a user lost his second authentication factor, he can't ask for a new one; to reset it, the administrator
should uncheck the 'The user changed his password' field on the user in the admin interface.

.. note::

   For security reasons, basic authentication and two-factor authentication should not be enabled together;
   you should use :ref:`OAuth2` for that.

Account lockout
---------------

To lock an account after a certain number of authentication failures, set the following settings:

.. code:: yaml

   vars:
     authentication:
       max_consecutive_failures: 10

To unlock a user, the administrator should uncheck the 'Deactivated' field on the user in the admin
interface.

Intranet
--------

To configure the intranet networks, fill in the configuration like:

.. code:: yaml

   vars:
     intranet:
       networks:
         - 192.168.1.0/24
         - 192.168.1.0/255.255.255.0
         - 192.168.1.0/0.0.0.255
         - 2001:db00::0/24
         - 2001:db00::0/ffff:ff00::

See `Python documentation `_.

.. note::

   Intranet detection is provided to improve usability for web site usage within the Intranet; however,
   please be aware that Intranet detection is not a secure mechanism. To secure access to sensitive data,
   do not rely on Intranet detection; for that, you must use user authentication. A user can easily set the
   ``Forwarded`` or ``X-Forwarded-For`` header manually to spoof his IP.

Lost admin password
-------------------

You can generate a new admin password with the following command:

.. argparse::
   :ref: c2cgeoportal_geoportal.scripts.manage_users.get_argparser
   :prog: docker compose exec geoportal manage-users

External application
--------------------

Some GeoMapFish services have host restrictions if you mix domains.

Application authentication
~~~~~~~~~~~~~~~~~~~~~~~~~~

To be considered as authenticated, the request should carry the correct ``Cookie`` header; we also check
the ``Referer`` header to be sure that the user is coming from the same domain. If it is equal to the
``Host`` header, we consider that the user is coming from the same domain. If your server and client
application are not on the same domain, to make the login work, you should add the client application
domain name (with port) in the vars in ``vars/authorized_referers``.

This check is also done on the ``came_from`` parameter during the login process.

Shortener
~~~~~~~~~

If you use the shortener service to create links to an application on another domain name, you should add
this domain name in the vars in ``vars/shortener/allowed_hosts``.

Admin
~~~~~

We provide a view for the admin interface, to be able to clear the cache per OGC server.
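The ``Referer``/``Host`` and ``came_from`` checks described under "Application authentication", written
out as an added example (not c2cgeoportal's own code). It assumes hosts are compared as lowercased
``host[:port]`` strings, exactly as they are listed in ``authorized_referers`` / ``allowed_hosts``; the
function names are hypothetical.

```python
"""Added example: same-origin checks as described in the GeoMapFish docs.
Assumption: Host header and configured entries are host[:port] strings;
the helper names below are hypothetical, not c2cgeoportal's API."""
from typing import Iterable, Optional
from urllib.parse import urlsplit


def _netloc(url: str) -> str:
    """Lowercased host[:port] of an absolute or scheme-relative URL ('' if none)."""
    return urlsplit(url).netloc.lower()


def referer_allowed(host_header: str, referer: Optional[str],
                    authorized_referers: Iterable[str] = ()) -> bool:
    """The request is treated as coming from the same domain when the Referer's
    host[:port] equals the Host header, or is listed in vars/authorized_referers."""
    if not referer:
        # No Referer at all: same-origin cannot be shown, so treat as foreign.
        return False
    netloc = _netloc(referer)
    if not netloc:
        return False
    allowed = {host_header.lower()} | {h.lower() for h in authorized_referers}
    return netloc in allowed


def came_from_allowed(host_header: str, came_from: str,
                      allowed_hosts: Iterable[str] = ()) -> bool:
    """Same rule for the came_from redirect target used during login: a
    relative path stays on the current host; anything carrying a host part
    (including scheme-relative '//evil.example') must match Host or the list."""
    netloc = _netloc(came_from)
    if not netloc:
        return True
    allowed = {host_header.lower()} | {h.lower() for h in allowed_hosts}
    return netloc in allowed
```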
If for an unknown reason you do not have the same host in the ``Host`` header and the ``came_from``
parameter, you should add the domain of the ``came_from`` parameter in the vars in
``vars/admin_interface/allowed_hosts``.

.. _integrator_authentication_oauth2:

.. include:: authentication_oauth2.rst

.. _integrator_authentication_oidc:

.. include:: authentication_oidc.rst
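The ``intranet.networks`` list from the Intranet section, parsed with Python's ``ipaddress`` module and
used to classify a client address, as an added example (not c2cgeoportal's own code). It goes slightly
beyond the text: ``ipaddress`` only accepts the expanded-netmask spelling for IPv4, so the IPv6 form
``2001:db00::0/ffff:ff00::`` is converted to a prefix length here; the sample list and function names are
constructed.

```python
"""Added example: parse intranet.networks entries and test a client IP.
Sample config and helper names are constructed, not c2cgeoportal's own."""
import ipaddress
from typing import Iterable, List

# Constructed sample, same shape as vars/intranet/networks in the docs.
INTRANET_NETWORKS = [
    "192.168.1.0/24",
    "192.168.1.0/255.255.255.0",
    "192.168.1.0/0.0.0.255",
    "2001:db00::0/24",
    "2001:db00::0/ffff:ff00::",
]


def _v6_mask_to_prefix(mask: str) -> int:
    """Turn an IPv6 netmask such as ffff:ff00:: into a prefix length,
    refusing non-contiguous masks (e.g. ffff:00ff::)."""
    bits = int(ipaddress.IPv6Address(mask))
    prefix = bin(bits).count("1")
    if bits != ((1 << prefix) - 1) << (128 - prefix):
        raise ValueError(f"non-contiguous IPv6 netmask: {mask}")
    return prefix


def parse_networks(entries: Iterable[str]) -> List[ipaddress._BaseNetwork]:
    """ip_network handles /24, /255.255.255.0 and /0.0.0.255 (hostmask) for
    IPv4; the expanded IPv6 netmask is converted by hand. strict=False
    tolerates host bits in the address part (e.g. 192.168.1.5/24)."""
    networks = []
    for entry in entries:
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            addr, sep, mask = entry.partition("/")
            if not sep or ":" not in mask:
                raise
            prefix = _v6_mask_to_prefix(mask)
            networks.append(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))
    return networks


def is_intranet(client_ip: str, networks) -> bool:
    """True when client_ip lies in a configured network. Feed it the TCP peer
    address (or the trusted proxy's view of it), never a client-supplied
    X-Forwarded-For value, since that header is trivially spoofed."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in networks if net.version == ip.version)
```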