[Qgis-developer] Authentification use from Python

Larry Shaffer larrys at dakotacarto.com
Thu Mar 3 13:11:40 PST 2016


Hi Stefan,

Sorry for the delay in reply. OAuth should be able to be implemented as an
authentication method plugin for the new system, thereby making it
available for WxS connections, as well as other HTTP connections.

I have a proposed talk and workshop on auth method plugins for the QGIS
conference in Girona (no word yet on whether they are accepted).

In the meantime, you could review existing auth method plugins and
formulate some pseudo-code on the steps needed to intercept the request and
work with OAuth:

https://github.com/qgis/QGIS/tree/master/src/auth

This is the base plugin class:

https://github.com/qgis/QGIS/blob/master/src/core/auth/qgsauthmethod.h

The last thing I did was add auth method plugin support to the system,
which allows a C++ plugin to be built, then dropped into an existing 2.14
install, etc.

Regards,

Larry Shaffer
Dakota Cartography
Black Hills, South Dakota

On Sat, Feb 27, 2016 at 1:32 PM, Stefan Keller <sfkeller at gmail.com> wrote:

> Hi,
>
> In a Python plugin [1] we implemented HTTP "Basic Authentication" and
> "NTLM authentication".
>
> Now I'm still looking for a solution using OAuth 2.0 for built-in WxS
> (WMS/WMTS, WFS) as well as for Python plugins.
> This seems to be also of some interest for other QGIS users [2].
>
>
> The only code related to OAuth2 I found is in the CartoDB plugin [3].
> But this does not help WxS nor my Python plugin.
>
> Also Paolo's pointer to LizMap relates not to QGIS Python plugin but
> to restricted access to lizmap online AFAIK.
>
> I heard about the authentication configuration system with master
> password [4].
> But we still need more information when the API is available.
>
> 2016-01-12 23:36 GMT+01:00 Larry Shaffer <larrys at dakotacarto.com>:
> > Until then, the continued Python access to the auth system credentials
> > means security is not good for the user. It should be considered for
> > deprecation or just complete removal in 2.14 release.
>
> Any news on this, and on OAuth implementations for WxS and Python plugins?
>
> :Stefan
>
> [1] http://plugins.qgis.org/plugins/connector/
> [2]
> https://groups.google.com/forum/#!topic/australian-qgis-user-group/agn7ehIPd3M
> [3] http://plugins.qgis.org/plugins/QgisCartoDB/
> [4] https://github.com/qgis/QGIS/pull/1838
>
>
> 2016-01-12 23:36 GMT+01:00 Larry Shaffer <larrys at dakotacarto.com>:
> > Hi Bernhard,
> >
> > Please note that the Python support for direct access to the credentials
> > via the auth method config *may* be completely removed for security
> > reasons.
> >
> > Ideally, the expansion of credentials within a given auth method config
> > would only be done within the core application and connection methods
> > (HTTP, etc.) would be offered through a Python API. In this way an
> > authcfg token can be passed in and the connection established without
> > access to credentials.
> >
> > However, such support and an API are not currently available. It is
> > simple enough to add to QgsNetworkAccessManager for HTTP[S] connections,
> > but not so simple for other types of connections, e.g. database via a
> > library or client. Once completed this means a plugin would not be able
> > to access the credentials and pass them on to a different connection
> > method, e.g. Python HTTP lib, etc.
> >
> > Once such an API is available (or even now, with some work), plugins
> > could be 'authorized' by the user for access to credentials using
> > revocable access tokens or signed/revocable certificates.
> >
> > Until then, the continued Python access to the auth system credentials
> > means security is not good for the user. It should be considered for
> > deprecation or just complete removal in 2.14 release.
> >
> > Regards,
> >
> > Larry Shaffer
> > Dakota Cartography
> > Black Hills, South Dakota
> >
> > QGIS Support/Development | Boundless
> > lshaffer at boundlessgeo.com
> >
> > On Tue, Jan 12, 2016 at 8:14 AM, Bernhard Ströbl <bernhard.stroebl at jena.de> wrote:
> >>
> >> Hi Luigi,
> >>
> >> many thanks! That was the key.
> >>
> >> I now have
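> >> <code>
> >> from qgis.core import QgsAuthManager, QgsAuthMethodConfig
> >>
> >> am = QgsAuthManager.instance()
> >> myAuthMethodConfig = QgsAuthMethodConfig()
> >> # mykey is the authcfg id; True requests the full (decrypted) config
> >> am.loadAuthenticationConfig(mykey, myAuthMethodConfig, True)
> >> myAuthMethodConfig.configMap()  # config map is now populated
> >> </code>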
> >>
> >> Bernhard
> >>
> >>
> >> Am 12.01.2016 um 15:58 schrieb Luigi Pirelli:
> >>>
> >>> Hi Bernhard
> >>>
> >>> be inspired by Boundless qgis-geoserver-plugin
> >>>
> >>>
> >>> https://github.com/boundlessgeo/qgis-geoserver-plugin/blob/master/src/geoserverexplorer/gui/gsexploreritems.py#L502
> >>>
> >>> I hope it's enough
> >>>
> >>> cheers
> >>> Luigi Pirelli
> >>>
> >>>
> >>>
> >>> **************************************************************************************************
> >>> * Boundless QGIS Support/Development: lpirelli AT boundlessgeo DOT com
> >>> * LinkedIn: https://www.linkedin.com/in/luigipirelli
> >>> * Stackexchange: http://gis.stackexchange.com/users/19667/luigi-pirelli
> >>> * GitHub: https://github.com/luipir
> >>> * Mastering QGIS:
> >>> https://www.packtpub.com/application-development/mastering-qgis
> >>> **************************************************************************************************
> >>>
> >>>
> >>> On 12 January 2016 at 12:47, Bernhard Ströbl <bernhard.stroebl at jena.de> wrote:
> >>>>
> >>>> Hi all,
> >>>>
> >>>> my goal is that my users do not save their PostgreSQL passwords in
> >>>> clear text but that they use the new Authentication system to do so.
> >>>> For my plugins I would need access to the PostgreSQL username and
> >>>> password, though.
> >>>> Is this generally possible in spite of security considerations as
> >>>> mentioned in the QGEP? If yes, how would I do it?
> >>>>
> >>>> what I have so far is:
> >>>> <code>
> >>>> am = QgsAuthManager.instance()
> >>>> myAuthMethodConfig = am.availableAuthMethodConfigs()[mykey]
> >>>> myAuthMethodConfig.configMap() # returns an empty dict :-(
> >>>> </code>
> >>>>
> >>>> QGIS 2.12.2
> >>>>
> >>>> any help appreciated
> >>>>
> >>>> regards
> >>>>
> >>>> Bernhard
> >>>>
> >>>> [1] https://github.com/dakcarto/QGIS-Enhancement-Proposals/blob/auth-system/qep-14-authentication-system.rst
> >>>>
> >>>>
> >>>> __________ Information from ESET Mail Security, version of virus
> >>>> signature
> >>>> database 12855 (20160112) __________
> >>>>
> >>>> The message was checked by ESET Mail Security.
> >>>> http://www.eset.com
> >>>>
> >>>>
> >>>> _______________________________________________
> >>>> Qgis-developer mailing list
> >>>> Qgis-developer at lists.osgeo.org
> >>>> List info: http://lists.osgeo.org/mailman/listinfo/qgis-developer
> >>>> Unsubscribe: http://lists.osgeo.org/mailman/listinfo/qgis-developer
> >>>
> >>
> >> --
> >> Bernhard Ströbl
> >> Anwendungsbetreuer GIS
> >>
> >> Kommunale Immobilien Jena
> >> Am Anger 26
> >> 07743 Jena
> >>
> >> Tel.: 03641 49- 5190
> >> E-Mail: bernhard.stroebl at jena.de
> >> Internet: www.kij.de
> >>
> >>
> >> Kommunale Immobilien Jena
> >> Eigenbetrieb der Stadt Jena
> >> Werkleiter: Karl-Hermann Kliewe
> >>
> >
>
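
Added example, not part of the thread and not QGIS code: a self-contained Python model of the design described in the quoted 2016-01-12 message, where a plugin passes an authcfg id together with a user-granted, revocable token and the core expands the credentials itself. AuthBroker, fake_wfs_server and all sample values are hypothetical and constructed for illustration.

```python
import base64
import secrets

class AuthBroker:
    """Hypothetical stand-in for the core application: sole holder of secrets."""

    def __init__(self):
        self._configs = {}  # authcfg id -> (username, password)
        self._grants = {}   # grant token -> (plugin name, authcfg id)

    def store(self, authcfg, username, password):
        self._configs[authcfg] = (username, password)

    def authorize(self, plugin, authcfg):
        """User approves one plugin for one config; returns a revocable token."""
        if authcfg not in self._configs:
            raise KeyError(authcfg)
        token = secrets.token_urlsafe(16)
        self._grants[token] = (plugin, authcfg)
        return token

    def revoke(self, token):
        self._grants.pop(token, None)

    def request(self, plugin, token, url, transport):
        """Expand credentials here, so the caller only ever sees the response."""
        grant = self._grants.get(token)
        if grant is None or grant[0] != plugin:
            raise PermissionError("no valid grant for this plugin")
        user, password = self._configs[grant[1]]
        basic = base64.b64encode(f"{user}:{password}".encode()).decode()
        return transport(url, {"Authorization": "Basic " + basic})

def fake_wfs_server(url, headers):
    """Constructed endpoint: accepts exactly one username/password pair."""
    expected = "Basic " + base64.b64encode(b"alice:s3cret").decode()
    return 200 if headers.get("Authorization") == expected else 401

def demo():
    broker = AuthBroker()
    broker.store("a1b2c3d", "alice", "s3cret")  # constructed sample values
    token = broker.authorize("connector", "a1b2c3d")
    ok = broker.request("connector", token, "https://example.org/wfs", fake_wfs_server)
    broker.revoke(token)
    try:
        broker.request("connector", token, "https://example.org/wfs", fake_wfs_server)
        after_revoke = "allowed"
    except PermissionError:
        after_revoke = "denied"
    return ok, after_revoke
```

The plugin side only ever handles the grant token and the HTTP status; the contrast is with the configMap() call earlier in the thread, which hands the stored credentials to the calling code.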