[Qgis-developer] Authentification use from Python

Stefan Keller sfkeller at gmail.com
Mon Mar 14 11:48:29 PDT 2016


Hi Larry and Luigi

Thanks for your answers.

2016-03-04 9:16 GMT+01:00 Luigi Pirelli <luipir at gmail.com>:
> so Stefan... prepare your trip to the Qgis International conference in
> Girona (Es) :)

You're putting high social pressure on me :-) but it's hard for me to
travel during academic semester time.
It's somehow weird that public institutions are pushing this.

Anyway: Speaking of OAuth 2.0. Are you also aware of OpenID Connect?
It's on top of OAuth and specifies a RESTful HTTP API with JSON and
it's supported by quite some big companies.

:Stefan

[1] https://en.wikipedia.org/wiki/OpenID_Connect


2016-03-04 9:16 GMT+01:00 Luigi Pirelli <luipir at gmail.com>:
> Hi Larry
>
> your 4h workshop on new Qgis Auth System is "unofficially" approved
> (you'll receive official confirmation soon)... I suppose most of
> developers working with public institutions will be interested in it.
>
> so Stefan... prepare your trip to the Qgis International conference in
> Girona (Es) :)
>
> cheers
> Luigi Pirelli
>
> **************************************************************************************************
> * Boundless QGIS Support/Development: lpirelli AT boundlessgeo DOT com
> * LinkedIn: https://www.linkedin.com/in/luigipirelli
> * Stackexchange: http://gis.stackexchange.com/users/19667/luigi-pirelli
> * GitHub: https://github.com/luipir
> * Mastering QGIS:
> https://www.packtpub.com/application-development/mastering-qgis
> **************************************************************************************************
>
>
> On 3 March 2016 at 22:11, Larry Shaffer <larrys at dakotacarto.com> wrote:
>> Hi Stefan,
>>
>> Sorry for the delay in reply. OAuth should be able to be implemented as an
>> authentication method plugin for the new system, thereby making it available
>> for WxS connections, as well as other HTTP connections.
>>
>> I have a proposed talk and workshop on auth method plugins for the QGIS
>> conference in Girona (no word yet on whether they are accepted).
>>
>> In the meantime, you could review existing auth method plugins and formulate
>> some pseudo-code on the steps needed to intercept the request and work with
>> OAuth:
>>
>> https://github.com/qgis/QGIS/tree/master/src/auth
>>
>> This is the base plugin class:
>>
>> https://github.com/qgis/QGIS/blob/master/src/core/auth/qgsauthmethod.h
>>
>> The last thing I did was add auth method plugin support to the system, which
>> allows a C++ plugin to be built, then dropped into an existing 2.14 install,
>> etc.
>>
>> Regards,
>>
>> Larry Shaffer
>> Dakota Cartography
>> Black Hills, South Dakota
>>
>> On Sat, Feb 27, 2016 at 1:32 PM, Stefan Keller <sfkeller at gmail.com> wrote:
>>>
>>> Hi,
>>>
>>> In a Python plugin [1] we implemented HTTP "Basic Authentication" and
>>> "NTLM authentication".
>>>
>>> Now I'm still looking for a solution using OAuth 2.0 for built-in WxS
>>> (WMS/WMTS, WFS) as well as for Python plugins.
>>> This seems to be also of some interest for other QGIS users [2].
>>>
>>>
>>> The only code related to OAuth2 I found is in the CartoDB plugin [3].
>>> But this does not help WxS nor my Python plugin.
>>>
>>> Also Paolo's pointer to LizMap relates not to QGIS Python plugin but
>>> to restricted access to lizmap online AFAIK.
>>>
>>> I heard about the authentication configuration system with master password
>>> [4].
>>> But we still need more information when the API is available.
>>>
>>> 2016-01-12 23:36 GMT+01:00 Larry Shaffer <larrys at dakotacarto.com>:
>>> > Until then, the continued Python access to the auth system credentials
>>> > means
>>> > security is not good for the user. It should be considered for
>>> > deprecation
>>> > or just complete removal in 2.14 release.
>>>
>>> Any news on this, and on OAuth implementations for WxS and Python plugins?
>>>
>>> :Stefan
>>>
>>> [1] http://plugins.qgis.org/plugins/connector/
>>> [2]
>>> https://groups.google.com/forum/#!topic/australian-qgis-user-group/agn7ehIPd3M
>>> [3] http://plugins.qgis.org/plugins/QgisCartoDB/
>>> [4] https://github.com/qgis/QGIS/pull/1838
>>>
>>>
>>> 2016-01-12 23:36 GMT+01:00 Larry Shaffer <larrys at dakotacarto.com>:
>>> > Hi Bernhard,
>>> >
>>> > Please note that the Python support for direct access to the credentials
>>> > via
>>> > the auth method config *may* be completely removed for security reasons.
>>> >
>>> > Ideally, the expansion of credentials within a given auth method config
>>> > would only be done within the core application and connection methods
>>> > (HTTP,
>>> > etc.) would be offered through a Python API. In this way an authcfg
>>> > token
>>> > can be passed in and the connection established without access to
>>> > credentials.
>>> >
>>> > However, such support and an API are not currently available. It is
>>> > simple
>>> > enough to add to QgsNetworkAccessManager for HTTP[S] connections, but
>>> > not so
>>> > simple for other types of connections, e.g. database via a library or
>>> > client. Once completed this means a plugin would not be able to access
>>> > the
>>> > credentials and pass them on to a different connection method, e.g.
>>> > Python
>>> > HTTP lib, etc.
>>> >
>>> > Once such an API is available (or even now, with some work), plugins
>>> > could
>>> > be 'authorized' by the user for access to credentials using revocable
>>> > access
>>> > tokens or signed/revokable certificates.
>>> >
>>> > Until then, the continued Python access to the auth system credentials
>>> > means
>>> > security is not good for the user. It should be considered for
>>> > deprecation
>>> > or just complete removal in 2.14 release.
>>> >
>>> > Regards,
>>> >
>>> > Larry Shaffer
>>> > Dakota Cartography
>>> > Black Hills, South Dakota
>>> >
>>> > QGIS Support/Development | Boundless
>>> > lshaffer at boundlessgeo.com
>>> >
>>> > On Tue, Jan 12, 2016 at 8:14 AM, Bernhard Ströbl
>>> > <bernhard.stroebl at jena.de>
>>> > wrote:
>>> >>
>>> >> Hi Luigi,
>>> >>
>>> >> many thanks! That was the key.
>>> >>
>>> >> I now have
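>>> >> <code>
>>> >> from qgis.core import QgsAuthManager, QgsAuthMethodConfig
>>> >>
>>> >> am = QgsAuthManager.instance()
>>> >> myAuthMethodConfig = QgsAuthMethodConfig()
>>> >> # mykey is the authcfg id; full=True asks for the decrypted config
>>> >> am.loadAuthenticationConfig(mykey, myAuthMethodConfig, True)
>>> >> myAuthMethodConfig.configMap()  # dict of the stored config values
>>> >> </code>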
>>> >>
>>> >> Bernhard
>>> >>
>>> >>
>>> >> On 12.01.2016 at 15:58, Luigi Pirelli wrote:
>>> >>>
>>> >>> Hi Bernhard
>>> >>>
>>> >>> be inspired by Boundless qgis-geoserver-plugin
>>> >>>
>>> >>>
>>> >>>
>>> >>> https://github.com/boundlessgeo/qgis-geoserver-plugin/blob/master/src/geoserverexplorer/gui/gsexploreritems.py#L502
>>> >>>
>>> >>> I hope it's enough
>>> >>>
>>> >>> cheers
>>> >>> Luigi Pirelli
>>> >>>
>>> >>>
>>> >>>
>>> >>> **************************************************************************************************
>>> >>> * Boundless QGIS Support/Development: lpirelli AT boundlessgeo DOT com
>>> >>> * LinkedIn: https://www.linkedin.com/in/luigipirelli
>>> >>> * Stackexchange:
>>> >>> http://gis.stackexchange.com/users/19667/luigi-pirelli
>>> >>> * GitHub: https://github.com/luipir
>>> >>> * Mastering QGIS:
>>> >>> https://www.packtpub.com/application-development/mastering-qgis
>>> >>>
>>> >>>
>>> >>> **************************************************************************************************
>>> >>>
>>> >>>
>>> >>> On 12 January 2016 at 12:47, Bernhard Ströbl
>>> >>> <bernhard.stroebl at jena.de>
>>> >>> wrote:
>>> >>>>
>>> >>>> Hi all,
>>> >>>>
>>> >>>> my goal is that my users do not save their PostgreSQL passwords in
>>> >>>> clear
>>> >>>> text but that they use the new Authentication system to do so. For
>>> >>>> my
>>> >>>> plugins I would need access to the PostgreSQL username and password,
>>> >>>> though.
>>> >>>> Is this generally possible in spite of security considerations as
>>> >>>> mentioned
>>> >>>> in the QGEP? If yes, how would I do it?
>>> >>>>
>>> >>>> what I have so far is:
>>> >>>> <code>
>>> >>>> am = QgsAuthManager.instance()
>>> >>>> myAuthMethodConfig = am.availableAuthMethodConfigs()[mykey]
>>> >>>> myAuthMethodConfig.configMap() # returns an empty dict :-(
>>> >>>> </code>
>>> >>>>
>>> >>>> QGIS 2.12.2
>>> >>>>
>>> >>>> any help appreciated
>>> >>>>
>>> >>>> regards
>>> >>>>
>>> >>>> Bernhard
>>> >>>>
>>> >>>> [1]
>>> >>>>
>>> >>>>
>>> >>>> https://github.com/dakcarto/QGIS-Enhancement-Proposals/blob/auth-system/qep-14-authentication-system.rst
>>> >>>>
>>> >>>>
>>> >>>> __________ Information from ESET Mail Security, version of virus
>>> >>>> signature
>>> >>>> database 12855 (20160112) __________
>>> >>>>
>>> >>>> The message was checked by ESET Mail Security.
>>> >>>> http://www.eset.com
>>> >>>>
>>> >>>>
>>> >>>> _______________________________________________
>>> >>>> Qgis-developer mailing list
>>> >>>> Qgis-developer at lists.osgeo.org
>>> >>>> List info: http://lists.osgeo.org/mailman/listinfo/qgis-developer
>>> >>>> Unsubscribe: http://lists.osgeo.org/mailman/listinfo/qgis-developer
>>> >>>
>>> >>>
>>> >>>
>>> >>>
>>> >>
>>> >> --
>>> >> Bernhard Ströbl
>>> >> GIS Application Support
>>> >>
>>> >> Kommunale Immobilien Jena
>>> >> Am Anger 26
>>> >> 07743 Jena
>>> >>
>>> >> Tel.: 03641 49- 5190
>>> >> E-Mail: bernhard.stroebl at jena.de
>>> >> Internet: www.kij.de
>>> >>
>>> >>
>>> >> Kommunale Immobilien Jena
>>> >> Municipal enterprise of the City of Jena
>>> >> Director: Karl-Hermann Kliewe
>>> >>
>>> >>
>>> >
>>> >
>>> >
>>
>>
>>
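
Added example, not part of the thread and not QGIS code: a pure-Python model of the design described in the quoted 2016-01-12 message, where a plugin hands over only an authcfg id plus a revocable access token and the core expands the credentials and makes the HTTP connection itself. `AuthBroker`, its methods, the injected transport and every sample value are hypothetical and constructed for illustration.

```python
import base64
import secrets


class AuthBroker:
    """Stands in for the core application: the only holder of credentials."""

    def __init__(self, transport):
        self._transport = transport  # core-side HTTP sender, injected so the demo runs offline
        self._configs = {}           # authcfg id -> (username, password)
        self._grants = {}            # access token -> (plugin name, authcfg id)

    def store(self, username, password):
        authcfg = secrets.token_hex(4)[:7]  # short opaque id, safe to hand to plugins
        self._configs[authcfg] = (username, password)
        return authcfg

    def grant(self, plugin, authcfg):
        token = secrets.token_urlsafe(16)   # user-approved, revocable access token
        self._grants[token] = (plugin, authcfg)
        return token

    def revoke(self, token):
        self._grants.pop(token, None)

    def fetch(self, url, authcfg, token):
        # Credentials are expanded here and never returned to the caller.
        if self._grants.get(token, (None, None))[1] != authcfg:
            raise PermissionError("plugin is not authorized for this authcfg")
        user, password = self._configs[authcfg]
        basic = base64.b64encode(f"{user}:{password}".encode()).decode()
        return self._transport(url, {"Authorization": "Basic " + basic})


def demo():
    seen = []  # headers received by the constructed server side

    def fake_transport(url, headers):
        seen.append(headers["Authorization"])
        return b"<WMS_Capabilities/>"

    core = AuthBroker(fake_transport)
    authcfg = core.store("gis_user", "s3cret-constructed")  # constructed credentials
    token = core.grant("connector-plugin", authcfg)
    body = core.fetch("https://example.invalid/wms", authcfg, token)  # plugin sees only the body
    core.revoke(token)
    try:
        core.fetch("https://example.invalid/wms", authcfg, token)
        revoked_ok = False
    except PermissionError:
        revoked_ok = True
    return body, seen, revoked_ok
```

Python cannot hide `_configs` from code running in the same process, so the boundary modelled here only holds when the broker lives outside the plugin's reach, which is why the message places credential expansion in the core application.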

