Open edX Third-Party Authentication Module Now Available


John Cox

May 7, 2014, 8:17:16 PM
to edx-...@googlegroups.com
Hi all. Google and edX are pleased to announce the addition of a third-party authentication module to Open edX.

With this module, you can let your users sign in to your Open edX deployment with their accounts on external services. This is both more convenient and more secure for end users than creating a new password on your Open edX deployment. The module is deactivated by default, and using it is entirely optional.

It comes with full implementations for Google and LinkedIn, and was designed from the ground up to be extensible and testable. If you are interested in adding new external authentication providers (for example, if you want to use your University’s SSO system), please reach out to us.

If you want to use the module, we’ve written a getting started guide that covers turning the feature on and configuring it.

Enjoy,

John (for the edX Identity Working Group)

Trinh Nguyen

May 7, 2014, 8:34:35 PM
to edx-...@googlegroups.com
Hi John,

This is really great! I'm thinking about (actually working on) authenticating my users with a PowerSchool system as an Identity Provider via the SAML2 standard. Are the Google and LinkedIn providers using SAML2?

Thank you for your effort!

Trinh 

John Cox

May 7, 2014, 8:48:48 PM
to edx-...@googlegroups.com
On Wednesday, May 7, 2014 5:34:35 PM UTC-7, Trinh Nguyen wrote:
> Hi John,
>
> This is really great! I'm thinking about (actually working on) authenticating my users with a PowerSchool system as an Identity Provider via the SAML2 standard. Are the Google and LinkedIn providers using SAML2?

Google and LinkedIn are both OAuth 2.0. The underlying library we use, python-social-auth, supports a host of OpenID, OAuth 1.0/2.0, and BrowserID providers out of the box, and there are extension points for other protocols.

We'd love for people to add additional protocols to the third_party_auth module -- please reach out to me if you're interested in writing a SAML extension.

Trinh Nguyen

May 7, 2014, 9:09:51 PM
to edx-...@googlegroups.com
Yes, I'm working on it right now. My work is based on pysaml2 (https://github.com/rohe/pysaml2) and https://bitbucket.org/lgs/djangosaml2.

Ned Batchelder

May 8, 2014, 10:21:53 AM
to edx-...@googlegroups.com
John, this is amazing work, thanks so much for it!

Trinh, it's exciting to already see people interested in writing new authentication providers.  Please be sure to keep us updated on your progress.

--Ned.

John Cox

May 8, 2014, 8:18:02 PM
to edx-...@googlegroups.com
On Wednesday, May 7, 2014 6:09:51 PM UTC-7, Trinh Nguyen wrote:
> Yes, I'm working on it right now. My work is based on pysaml2 (https://github.com/rohe/pysaml2) and https://bitbucket.org/lgs/djangosaml2.

Excellent!

I just wrote a deeper technical article on extending the third-party auth module: http://johnmcox.blogspot.com/2014/05/understanding-edx-third-party.html. It's intended for people who want to write extensions, like adding SAML support. Please reach out to me if it doesn't answer your questions.

Trinh Nguyen

May 8, 2014, 8:22:01 PM
to edx-...@googlegroups.com
Thanks John! That's really helpful!

Armando Fox

May 10, 2014, 12:10:16 AM
to edx-...@googlegroups.com
John, this is great stuff.

I have a clarifying question.  

Like Stanford, Berkeley (and others) use Shibboleth for SSO.  I understand Stanford had gotten Shibboleth auth working with edX, since they used it to restrict access to some internal-only courses to Stanford folks.

Is Stanford's Shibboleth implementation a provider that talks to your module? Or is it a separate effort?

Either way, assuming we can make it so that Shibboleth becomes one of the supported auth providers using your module, and assuming many universities rely on Shibboleth (as I believe is the case), and assuming we could get edX to deploy both your module and the Shib provider as part of the edx.org and edge.edx.org hosted deployments:

...how could we allow multiple institutions to take advantage of this without each institution's secrets and server names having to be added to the deployed edX code base?

(that is: institutions X,Y,Z all use auth providers that are rolled into edx.org, but each institution has its own server names and secrets for the auth providers; how can we decouple the process of "adding another university" to the provider dictionary from having to make source changes that affect the deployed code?)

This might be a conversation to have with edX, but having working 3rd party auth in the core production deployment would be huge.

John Cox

May 10, 2014, 5:07:42 PM
to edx-...@googlegroups.com
On Friday, May 9, 2014 9:10:16 PM UTC-7, Armando Fox wrote:
> John, this is great stuff.
>
> I have a clarifying question.
>
> Like Stanford, Berkeley (and others) use Shibboleth for SSO. I understand Stanford had gotten Shibboleth auth working with edX, since they used it to restrict access to some internal-only courses to Stanford folks.
>
> Is Stanford's Shibboleth implementation a provider that talks to your module? Or is it a separate effort?

Separate, but I'd love it if someone added Shibboleth support to third_party_auth. If anyone's interested in doing that, reach out to me and I can advise.

> Either way, assuming we can make it so that Shibboleth becomes one of the supported auth providers using your module, and assuming many universities rely on Shibboleth (as I believe is the case), and assuming we could get edX to deploy both your module and the Shib provider as part of the edx.org and edge.edx.org hosted deployments:
>
> ...how could we allow multiple institutions to take advantage of this without each institution's secrets and server names having to be added to the deployed edX code base?
>
> (that is: institutions X,Y,Z all use auth providers that are rolled into edx.org, but each institution has its own server names and secrets for the auth providers; how can we decouple the process of "adding another university" to the provider dictionary from having to make source changes that affect the deployed code?)
>
> This might be a conversation to have with edX, but having working 3rd party auth in the core production deployment would be huge.

Definitely agreed on the value of third_party_auth on edx.org.

I don't work on edx.org, so I don't know answers to operational questions about it. I think they manage secrets via the lms.auth.json file technique mentioned in the docs linked upthread, and I think that file is checked into a repo other than edx-platform. Someone who works on edx.org could tell you for sure, and they could also tell you what the deployment plans are for the third_party_auth module. Maybe one of them could weigh in on this thread?

Jason Bau

May 11, 2014, 1:08:23 AM
to edx-...@googlegroups.com
Hi all,

The current Stanford Shibboleth code in edx-platform predated John's work and so does not integrate with it.  I've been tracking John's project closely and have had discussions with him re: how to (re)implement Shib to fit into the auth framework.  This is something I'm interested in doing, though (as John knows), it hasn't bubbled to the top of my priority queue, and might not for some time.

Armando, if your interest is to enable Shibboleth auth now, I can certainly share how we're currently configuring the older external_auth app to do that.

Also, as Trinh brought up in this same thread, pysaml2 should also be able to handle Shibboleth auth, so perhaps that would be another fruitful avenue to explore.

Thanks,
Jason

Armando Fox

May 12, 2014, 6:25:55 PM
to edx-...@googlegroups.com
I have a Tech Adv Ctee call with edX this week and will bring this up! thx!

Center for Workforce Development

May 13, 2014, 8:32:43 PM
to edx-...@googlegroups.com
I'm definitely interested in how Shibboleth is used currently with edX and how to integrate that into the third party module too. I'm currently implementing this functionality into my edX fork and need help.

Marco Re

May 14, 2014, 2:51:14 AM
to edx-...@googlegroups.com
John and Jason and all,
I'm really interested in this topic. I think it would be great if Jason could write a wiki page on GitHub to share how Stanford integrates Shibboleth!
I'm also available to share the effort of reimplementing Shib to fit into the new third-party auth framework.

Thanks
Marco

Carson Gee

May 14, 2014, 8:02:28 AM
to edx-...@googlegroups.com

I set up a wiki page for configuring the other external authentication methods (CAS and SSL client certificates) at https://github.com/edx/configuration/wiki/Setting-Up-External-Authentication.  We use Shibboleth through CAS so I don't have it documented there, but it would be nice to have it.

Center for Workforce Development

May 14, 2014, 2:10:25 PM
to edx-...@googlegroups.com
Jason,

Can you send me instructions on how I can get Shibboleth running using the https://github.com/edx/edx-platform/tree/master/common/djangoapps/external_auth implementation?

Any help would be appreciated.

Zach

Jason Bau

May 14, 2014, 2:17:12 PM
to edx-...@googlegroups.com
Yeah, I'll add stuff to the wiki that Carson pointed to over the course of this week or so.

But basically, our servers run _both_ nginx and apache.  Nginx is good at proxying, so it has a small set of URLs that it proxies over to Apache + mod_shib to handle.  We just installed apache and shib from Ubuntu apt-get -- no custom compiling required.

Jason

Jason Bau

May 14, 2014, 8:04:25 PM
to edx-...@googlegroups.com
I've put up some preliminary docs here https://github.com/edx/configuration/wiki/Setting-Up-External-Authentication#shibboleth

Happy to answer questions, and I anticipate there will be some.

Jason

Marco Re

May 15, 2014, 3:18:09 AM
to edx-...@googlegroups.com
Thanks Jason! This is very helpful!
Marco

Center for Workforce Development

May 23, 2014, 10:44:29 PM
to edx-...@googlegroups.com
Jason,

I worked with my IT department to establish an SSO with our IdP and verified through a phpinfo(); call that the Apache environment variables are returning values successfully.
After following your wiki Shibboleth setup, it looks like calling https://domain.edu/shib-login/ does proxy the URL from Nginx to Apache correctly, but I'm getting the following errors.
We set up our Apache Shibboleth SSL to be port 5253 instead of the default 443, so it looks like <VirtualHost *:5253> in the /etc/apache2/sites-available/lms file.

Issues:

  • Bad Request

    Your browser sent a request that this server could not understand.
    Reason: You're speaking plain HTTP to an SSL-enabled server port.
    Instead use the HTTPS scheme to access this URL, please.

    Hint: https://domain.edu

    Why am I getting this error and how can I correct it?
    Here is the session information that I'm getting from the /about page when I click to register for the Shibboleth protected course.  I highlighted the session that I think might be causing this problem.
# Result Protocol Host URL Body Caching Content-Type Process Comments Custom
1 200 HTTPS domain.edu /courses/CUCWD/SFT106/2014_Spring/about 6,044 text/html; charset=utf-8 tmproxy:4136
2 200 HTTPS domain.edu /jsi18n/ 730 text/javascript tmproxy:4136
3 304 HTTPS domain.edu /static/images/header-logo.png 0 no-cache; Expires: Thu, 01 Jan 1970 00:00:01 GMT tmproxy:4136
4 304 HTTPS domain.edu /static/images/homepage-bg.png 0 no-cache; Expires: Thu, 01 Jan 1970 00:00:01 GMT tmproxy:4136
5 304 HTTPS domain.edu /static/images/ebook-graphic-1.png 0 no-cache; Expires: Thu, 01 Jan 1970 00:00:01 GMT tmproxy:4136
6 200 HTTPS ssl.google-analytics.com /__utm.gif?utmwv=5.5.1&utms=5&utmn=296241371&utmhn=domain.edu&utmcs=UTF-8&utmsr=3252x952&utmvp=1599x830&utmsc=24-bit&utmul=en-us&utmje=1&utmfl=13.0%20r0&utmdt=About%20SFT106%20%7C%20EducateWorkforce&utmhid=1625699527&utmr=0&utmp=%2Fcourses%2FCUCWD%2FSFT106%2F2014_Spring%2Fabout&utmht=1400898908132&utmac=UA-45218911-1&utmcc=__utma%3D183739634.865522244.1400898891.1400898891.1400898891.1%3B%2B__utmz%3D183739634.1400898891.1.1.utmcsr%3D(direct)%7Cutmccn%3D(direct)%7Cutmcmd%3D(none)%3B&utmu=q~ 35 private, no-cache, no-cache=Set-Cookie, proxy-revalidate; Expires: Wed, 19 Apr 2000 11:43:00 GMT image/gif tmproxy:4136
7 200 HTTPS www.google-analytics.com /collect?v=1&_v=j21&a=1625699527&t=pageview&_s=1&dl=https%3A%2F%2Fdomain.edu%2Fcourses%2FCUCWD%2FSFT106%2F2014_Spring%2Fabout&ul=en-us&de=UTF-8&dt=About%20SFT106%20%7C%20EducateWorkforce&sd=24-bit&sr=3252x952&vp=1599x830&je=1&fl=13.0%20r0&_utma=183739634.865522244.1400898891.1400898891.1400898891.1&_utmz=183739634.1400898891.1.1.utmcsr%3D(direct)%7Cutmccn%3D(direct)%7Cutmcmd%3D(none)&_utmht=1400898908151&_u=MQAC~&cid=865522244.1400898891&tid=UA-45218911-1&z=714310998 35 private, no-cache, no-cache=Set-Cookie, proxy-revalidate; Expires: Mon, 07 Aug 1995 23:30:00 GMT image/gif tmproxy:4136
8 403 HTTPS domain.edu /change_enrollment 31 text/html; charset=utf-8 tmproxy:4136
9 302 HTTPS domain.edu /course_specific_register/CUCWD/SFT106/2014_Spring/?course_id=CUCWD/SFT106/2014_Spring&enrollment_action=enroll 5 text/html; charset=utf-8 tmproxy:4136
10 301 HTTP domain.edu /shib-login/?course_id=CUCWD/SFT106/2014_Spring&enrollment_action=enroll 185 text/html tmproxy:4136
11 200 HTTPS domain.edu /shib-login/?course_id=CUCWD/SFT106/2014_Spring&enrollment_action=enroll 595 tmproxy:4136
12 200 HTTPS domain.edu /favicon.ico 2,530 no-cache; Expires: Thu, 01 Jan 1970 00:00:01 GMT image/x-icon tmproxy:4136


  • When I add in port 5253 like so (https://domain.edu:5253/shib-login/) and hit Return, I get my IdP login, which is correct, and directly after I successfully log in I get this Shibboleth error.

    Shibboleth

    ERROR

    An error occurred while processing your request. Please contact your helpdesk or user ID office for assistance.

    This service requires cookies. Please ensure that they are enabled and try your going back to your desired resource and trying to login again.

    Use of your browser's back button may cause specific errors that can be resolved by going back to your desired resource and trying to login again.

    Error Message: No peer endpoint available to which to send SAML response

    I noticed that my test PHP phpinfo(); page was getting this error when I initially set up the /etc/apache/sites-available/lms file as seen here https://github.com/edx/configuration/blob/c06e27b9e0b7e933f6a8bad73101e2337d47775e/playbooks/roles/apache/templates/lms.j2#L5-L49, even before setting up the proxying of the URLs from Nginx to Apache.


Please let me know what to do to resolve both of these issues.  Also, have you ever had to set up multiple IdPs before from one SP?  I would like to set up multiple SSO for my site.  Is there an article that you can refer me to for Shibboleth SP configuration for multiple IdP directories?  I appreciate your wiki notes very much.  Thanks again for all your support!

Zach

Jason Bau

May 24, 2014, 12:00:10 AM
to edx-...@googlegroups.com
I think it might be useful if you could post the non-secret parts of your shib (shibboleth2.xml) / apache (sites-available/lms) / nginx (sites-available/lms) in a gist.  It'll be easier to debug that way.

The Shib community runs a wiki where Shib-specific questions and FAQs can be answered: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfiguration
They also have community mailing lists listed here: https://shibboleth.net/community/lists.html where people more expert than myself are around.

Jason

Jason Bau

May 24, 2014, 1:20:51 AM
to edx-...@googlegroups.com
At a glance, from your error messages, it seems like in 1) your NGINX is proxying via HTTP to 5253 but Apache on that port is listening with HTTPS.  If this is localhost, there's no reason this traffic needs to be encrypted and you can have Apache listen with just HTTP.

I think 2) is also a related problem, having to do with how you specified http/https and ports to Shib.  There's a good explanation of that particular error here: https://wiki.cam.ac.uk/raven/Shibboleth_FAQs#.27Invalid_assertion_consumer_service_URL.27_or_.27No_peer_endpoint_available_to_which_to_send_SAML_response.27, but it basically seems like there's a mismatch between the Shib URL endpoints listed in the SP Metadata you supplied to your IdP when you were setting things up, and your SP's current configuration (which tells the IdP where to return the assertion for the current auth request).  It could be that you changed your Shib http/https or port configuration between when you gave the data to the IdP and now.  Try going to domain.edu/Shibboleth.sso/Metadata and seeing if the values for AssertionConsumerService->Location make sense.
I remember that when I tweaked Apache's ServerName setting, that influenced the URLs for AssertionConsumerService, so that may be the knob you want.  Otherwise you'll have to figure out a different way to configure the AssertionConsumerService URLs by consulting the Shib docs.

WRT multiple IdPs, I haven't personally configured this, but I don't believe it's too hard.  You can just use different Shib "applications".  e.g. in the apache conf and shibboleth2.xml checked into the edx/configuration repo the shib applicationId is "class", so grepping for that can get you started.

Jason

Center for Workforce Development

May 24, 2014, 9:25:07 AM
to edx-...@googlegroups.com
Jason,

https://gist.github.com/ztraboo/ba03227c678c4ca834e2 (/etc/apache2/sites-available/lms)
https://gist.github.com/ztraboo/a424fb63e2ba85316939 (/edx/app/nginx/sites-available/lms)

Here are my configuration files.  Please look them over and let me know what you think may be causing the two issues mentioned previously.  

We could previously confirm that Shibboleth was running using an Apache test.php file, but after we included these lines https://gist.github.com/ztraboo/ba03227c678c4ca834e2#file-apache2-lms-L9-L59 it suddenly stopped working.  Below I describe the original Shibboleth configuration with SP and IdP using Apache only, before we added the edX-specific configuration with the Nginx proxy setup.

The test file was located at https://gist.github.com/ztraboo/ba03227c678c4ca834e2#file-apache2-lms-L64 (/var/www/secure/) and with the following setup:

- /var/www/secure/test.php
<?php phpinfo(); ?>

- Setup Shibboleth secure for this directory.

We were able to test that Shibboleth was running by going to https://domain.edu:5253/secure/test.php but we did have to include the port number to get to the IdP login screen.  Once we successfully logged in we were redirected to the /test.php page where a standard Apache phpinfo values were output and we could see the Shibboleth environment variables no problem.  Thanks for quickly replying Jason.  

Zach

Jason Bau

May 24, 2014, 3:14:24 PM
to edx-...@googlegroups.com
I think what's going on is that there's a protocol and port mismatch between the metadata for your SP stored on your IdP (which likely has port 5253 and https) and what is needed to make Shib work with the nginx proxy (which should be ordinary https (implied port 443, without actually specifying it)).

The way Stanford's setup works is that apache's port (8088) is actually completely unreachable from anything but localhost.  We have firewall rules to ensure that.  Thus, any traffic that hits apache is proxied via nginx.  Even though our apache is running on 8088, it should tell the outside world that it is actually running on 443.  (My rationale is explained later.)  Here's a snippet from our Shibboleth metadata (https://class.stanford.edu/Shibboleth.sso/Metadata):

    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://class.stanford.edu/Shibboleth.sso/SAML2/POST" index="0"/>

you can see that there isn't any explicit port specification.

The place we do this is in the ServerName configuration for apache.  Our ServerName stanza in apache/sites-available/lms is 

<VirtualHost *:8080>
    ServerName https://class.stanford.edu
    ServerAlias *.class.stanford.edu
    UseCanonicalName On

which seems to match what you have as well.  So I don't think that needs to change.

Because you said that https://domain.edu:5253/secure/test.php is working for you, I suspect that your IdP thinks that the SP is at https://domain.edu:5253 rather than https://domain.edu, probably because of previously submitted Metadata when you were first setting things up.  If your apache conf explicitly set ServerName like in the stanza above, Shib will default to reporting that it's on the apache port that's listening (so 5253 in your case) and generate Metadata that way--and I suspect this version is what your IdP has.  It would make sense that it raises "Error Message: No peer endpoint available to which to send SAML response", because now your SP asks the IdP to return the auth assertions on port 443, which isn't what the IdP "agreed to" during setup.

The way to fix this is to resubmit your Metadata.  You can check your Metadata at https://domain.edu/Shibboleth.sso/Metadata with your current settings, and you want to make sure that it's https and has no explicit port specification.  Then you want to submit this Metadata to your IdP through whatever process they have.  

Note this setup just means that all shib requests are proxied from nginx to apache instead of reaching apache directly, which I think is fine and doesn't limit what you want to do with Shib.

Finally, I want to set the user's browser URL to be https://domain.edu rather than https://domain.edu:5253 when authentication succeeds (which is why ServerName has no port), because the browser will then be asked to set a logged-in session cookie.  Since the server domain is used to scope this cookie, I think it's good hygiene to have the server port at this point be what the rest of the edX application is on as well (which is implicit 443).  (It seems that cookie scopes may not actually include port, so using 5253 might work, but I like keeping hygiene.)

Jason
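Jason's diagnosis above, and his earlier pointer to check AssertionConsumerService->Location at /Shibboleth.sso/Metadata, come down to one comparison: the ACS endpoints the SP advertises now versus the copy of the metadata the IdP was given. The script below automates that comparison. It is an added example, not code from this thread or from the edX or Shibboleth projects; it assumes only the standard SAML 2.0 metadata namespace that the SP serves, and the two metadata documents embedded in it are constructed to mirror the thread's two cases (Locations carrying an explicit ":5253" versus bare https origins). In practice you would fetch https://domain.edu/Shibboleth.sso/Metadata and pass its contents in place of the constructed strings.

```python
"""Compare a Shibboleth SP's current SAML metadata against the copy an IdP
was given, and flag AssertionConsumerService endpoints whose scheme, host
or explicit port would not match.

Added example for this thread; not code from edX or the Shibboleth project.
Assumes only the standard SAML 2.0 metadata namespace served by
/Shibboleth.sso/Metadata. Both documents below are constructed.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
ACS_XPATH = ".//md:AssertionConsumerService"

# Constructed: SP whose Apache vhost listens on 5253 and reports that port,
# so every ACS Location carries an explicit ":5253".
SP_METADATA_WITH_PORT = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.edu/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.edu:5253/Shibboleth.sso/SAML2/POST" index="0"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://sp.example.edu:5253/Shibboleth.sso/SAML2/Artifact" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed: the same SP after ServerName is set to the public https origin
# that nginx fronts, so the ACS Locations have no explicit port.
SP_METADATA_CLEAN = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.edu/shibboleth">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.edu/Shibboleth.sso/SAML2/POST" index="0"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://sp.example.edu/Shibboleth.sso/SAML2/Artifact" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def acs_locations(metadata_xml):
    """Return the Location of every AssertionConsumerService, in document order."""
    root = ET.fromstring(metadata_xml)
    return [acs.get("Location") for acs in root.iterfind(ACS_XPATH, MD_NS)]


def check_acs_endpoints(metadata_xml, public_host):
    """Flag ACS endpoints that an IdP knowing the SP as https://<public_host>/
    would not accept: wrong scheme, an explicit port, or a different host.
    Returns a list of (location, reason) tuples; an empty list means consistent."""
    problems = []
    for location in acs_locations(metadata_xml):
        parts = urlsplit(location)
        if parts.scheme != "https":
            problems.append((location, "scheme is %r, expected https" % parts.scheme))
        if parts.port is not None:
            problems.append((location, "explicit port %d will not match the IdP's copy" % parts.port))
        if parts.hostname != public_host:
            problems.append((location, "host %r differs from public host %r" % (parts.hostname, public_host)))
    return problems


def endpoints_unknown_to_idp(idp_registered_xml, sp_current_xml):
    """ACS Locations the SP now advertises that are absent from the metadata the
    IdP holds. Any such endpoint is one the IdP has no agreed peer endpoint for."""
    registered = set(acs_locations(idp_registered_xml))
    return sorted(set(acs_locations(sp_current_xml)) - registered)


if __name__ == "__main__":
    for label, doc in (("with port", SP_METADATA_WITH_PORT), ("clean", SP_METADATA_CLEAN)):
        print(label, check_acs_endpoints(doc, "sp.example.edu") or "ok")
    # The IdP still holds the ":5253" metadata while the SP now serves the clean one.
    print("unknown to IdP:", endpoints_unknown_to_idp(SP_METADATA_WITH_PORT, SP_METADATA_CLEAN))
```

The two checks are deliberately separate: check_acs_endpoints tells you whether the SP's current metadata is the shape the proxied setup needs (https, no port, the public host), while endpoints_unknown_to_idp tells you whether the IdP's stale copy still needs to be replaced through whatever registration process it uses.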

Jason Bau

May 24, 2014, 3:24:48 PM
to edx-...@googlegroups.com
One final thing to add: if you're proxying, I believe you need Apache to listen on http rather than https, or to configure nginx to proxy with https (I haven't tried the latter and so don't know if it is possible).

Jason

Center for Workforce Development

May 26, 2014, 7:12:11 PM
to edx-...@googlegroups.com
Jason,

You can view my SP https://domain.edu/Shibboleth.sso/Metadata response here (https://gist.github.com/ztraboo/a54cd9a1c68891d715ed#file-sp-shibboleth-sso-metadata-L43-L48).  We do have port 5253 in all <md:AssertionConsumerService> bindings.  I noticed that Stanford's Shibboleth metadata (https://class.stanford.edu/Shibboleth.sso/Metadata) doesn't have this port.

I read over the https://wiki.cam.ac.uk/raven/Shibboleth_FAQs#.27Invalid_assertion_consumer_service_URL.27_or_.27No_peer_endpoint_available_to_which_to_send_SAML_response.27 article and I'm still trying to understand the additional support link https://wiki.cam.ac.uk/raven/SP_Metadata to resolve the "Invalid assertion consumer service URL" or "No peer endpoint available to which to send SAML response" IdP response.  I think this is the hardest thing for us to comprehend.  Any additional advice here?  Can you Gist Stanford's shibboleth2.xml file?

We noticed that we could also access our site using Apache with the new VirtualHost port 5253 like so (e.g. https://domain.edu:5253/register/ - LMS registration page) and it would pull up our LMS site pages.  We think this may be due to the configuration setting here https://gist.github.com/ztraboo/ba03227c678c4ca834e2#file-apache2-lms-L3-L59 with WSGI.  Is it correct to expose the LMS site using Apache at this port (for traffic other than Shibboleth) or should all LMS traffic first go through NGINX while Shibboleth calls should only proxy from Nginx to Apache port 5253?  I'm basically saying that all LMS traffic should route through NGINX server and if it's a Shibboleth request to proxy to Apache. 

Here is my web traffic results for the Registration page:

#    Result    Protocol    Host    URL    Body    Caching    Content-Type    Process    Comments    Custom   
2    200    HTTP    Tunnel to    eduworkforce-dev.ces.clemson.edu:443    0            tmproxy:3736                   https://domain.edu/register/ (Nginx)
5    200    HTTP    Tunnel to    eduworkforce-dev.ces.clemson.edu:5253    0            tmproxy:3736                 https://domain.edu:5253/register/ (Apache)

Zach

Center for Workforce Development

May 26, 2014, 8:10:59 PM
to edx-...@googlegroups.com
Jason,

I also forgot to mention that I got rid of the first issue by updating this line with https instead of http.
https://gist.github.com/ztraboo/a424fb63e2ba85316939#file-nginx-lms-L119

This was my first error with this setup:

  • Bad Request

    Your browser sent a request that this server could not understand.
    Reason: You're speaking plain HTTP to an SSL-enabled server port.
    Instead use the HTTPS scheme to access this URL, please.

    Hint: https://domain.edu
Zach

Jason Bau

May 26, 2014, 10:48:19 PM
to edx-...@googlegroups.com
I'm not sure what's causing the port to appear in your Shib metadata (from the looks of things, we have very similar configs), but I'd advise that you try to get rid of it.  Our shibboleth2.xml is exactly


with

idp_entity_id: 'https://idp.stanford.edu/'.

and our apache config is exactly


If experimentation doesn't work, I'd ask on the Shib community email lists how.

I actually think exposing Apache to external machines is not good practice, because users can stumble on the same site served over different URLs and get confused.  They can also use Apache to access other parts of edx-platform that haven't been tried on Apache, which might cause errors.  By making all requests that hit Apache go through nginx proxying, you limit what Apache serves to only Shib and very few login/reg URLs, which have been working for us.  So I'd try to use iptables or some other network security to make sure 5253 only responds to localhost.  This means that all your Shib is proxied through nginx, but we haven't had trouble with that.  This also allows you to proxy via http rather than https, which might simplify your Apache config and/or give somewhat better perf.

Jason


David Pollack

May 28, 2014, 7:28:22 AM
to edx-...@googlegroups.com
Are there any plans to add the third party auth module config to the ansible setup via server-vars.yml?  After poking around for a while, I ended up making some small changes to configuration/playbooks/roles/edxapp/defaults/main.yml to enable the third party authorization module with the variables $edxapp_enable_third_party_auth and $edxapp_third_party_auth, but if something more official was planned.  I'm just beginning with openedx and just because I got something to work doesn't mean that it is the way that I should do it.

Jason Bau

May 28, 2014, 12:05:57 PM
to edx-...@googlegroups.com
Pull request!

Yarko Tymciurak

May 28, 2014, 12:08:30 PM
to edx-...@googlegroups.com

Yes, please: pull request!

That's a good way for the community to code review / comment at this point also.

David Pollack

May 28, 2014, 2:01:34 PM
to edx-...@googlegroups.com
As you wish:


This worked for me.  I was a bit hesitant to make a pull request because I thought that instead of creating a list of associative arrays in the $edxapp_third_party_auth variable, you would want to make each item its own variable.

Trinh Nguyen

Jul 7, 2014, 8:37:57 PM
to edx-...@googlegroups.com
Hi,

It happened that when I clicked on the Google or LinkedIn sign up buttons, LMS redirects me to this link and said "Page not found":


I've already:

+ ENABLE_THIRD_PARTY_AUTH (/edx/app/edxapp/lms.env.json)
+ Filled in all the Google & LinkedIn app keys and secrets (/edx/app/edxapp/lms.auth.json)
+ paver update_db

What am I missing here?

Thanks,

Trinh

David Pollack

Jul 7, 2014, 8:43:35 PM
to edx-...@googlegroups.com

With google you have to enter the redirect page on the developer console. Did you do that?

Trinh Nguyen

Jul 7, 2014, 8:45:37 PM
to edx-...@googlegroups.com
Yes,

It is: http://mydomain.org/auth/complete/google-oauth2/

David Pollack

Jul 7, 2014, 9:00:08 PM
to edx-...@googlegroups.com

https://github.com/edx/edx-platform/blob/master/common/djangoapps/third_party_auth/pipeline.py

http://johnmcox.blogspot.de/2014/05/understanding-edx-third-party.html?m=1

Did you change the first file to change all the OAuth entry points?

I don't know enough about Django or OAuth, but I would say your answer probably lies somewhere in a hard-coded variable in the third_party_auth folder.

Trinh Nguyen

Jul 7, 2014, 9:07:18 PM
to edx-...@googlegroups.com
Thank you very much David. I will look into that file.

John Cox

Jul 7, 2014, 9:10:18 PM
to edx-...@googlegroups.com
You should not have to make changes to the code in third_party_auth in order to configure the module as long as you're using the provided Google and LinkedIn implementations.

Two questions:

1. Does the 'mydomain.org' part of the URL you entered into the Google console for the redirect URL exactly match the domain name, TLD, and port number of the server where you're running the code? I've seen people get tripped up by putting in the wrong domain, or forgetting to put in the port number on localhost.

2. When you hit http://mydomain.org/auth/complete/google-oauth2/ in your browser, substituting in whatever values you're using for the domain/TLD/port, what are the page contents and status code you get back?

Trinh Nguyen

Jul 7, 2014, 9:26:45 PM
to edx-...@googlegroups.com
Hi John,

1.  I'm trying to enable the feature on our production server running at port 80. So, I guess that part was set up correctly.


2. It said "Page not found":





Btw, I'm still running the edx-platform at the "Fri May 16" commit.

Thanks,

Trinh

John Cox

Jul 8, 2014, 12:51:20 PM
to edx-...@googlegroups.com
Curious -- the 404 would lead me to believe that you've got the module disabled, but the presence of the sign in buttons means it's enabled, and for some reason its urlconf (https://github.com/edx/edx-platform/blob/master/common/djangoapps/third_party_auth/urls.py) isn't taking effect.

What you should be seeing is that hitting /auth/complete/google-oauth2/ in your browser 302s to /. I'm not sure why this isn't happening in your configuration; I just checked head and it's working correctly there with auth enabled and the Google provider configured.

My leading theory is that some customizations in your deployment are breaking dispatching for third_party_auth, but not knowing your deployment I can't say definitively what that might be.

Trinh Nguyen

Jul 8, 2014, 7:51:35 PM
to edx-...@googlegroups.com
I deployed the Open edX production stack following the configuration repo half a year ago. I only made changes to these things:

+ The theme
+ Enable edx-sga
+ Add 'social.apps.django_app.default' to the end of INSTALLED_APPS of lms & cms envs/common.py




John Cox

unread,
Jul 8, 2014, 9:10:20 PM7/8/14
to edx-...@googlegroups.com
My knowledge of your deployment is limited so I can't speak authoritatively, but 3 thoughts:

1. It sounds like you're running third_party_auth, which was merged in 2 months ago, with config files from 6 months ago. If that's correct, your problems could be due to skew between newer code and older configuration files. Maybe re-apply your changes on top of head for both configuration and edx-platform to eliminate skew?

2. third_party_auth manages its Django settings, including INSTALLED_APPS, for you. See https://github.com/edx/edx-platform/blob/master/common/djangoapps/third_party_auth/settings.py. It sounds like you're managing some third_party_auth-related Django settings yourself instead of or in addition to third_party_auth/settings.py. I'd recommend not doing that, since you could accidentally violate invariants and get all sorts of bad behavior. For example, if you're missing the third_party_auth module itself from INSTALLED_APPS, third_party_auth/urls.py won't run and /auth/* URLs would 404.

3. AFAIK cms has not been updated to work with third_party_auth. That'd be a great project for someone to take on.

Trinh Nguyen

unread,
Jul 8, 2014, 9:19:48 PM7/8/14
to edx-...@googlegroups.com
Thanks John for your suggestions. I will look into the code base.

Trinh Nguyen

unread,
Jul 8, 2014, 9:37:39 PM7/8/14
to edx-...@googlegroups.com
You were right, John. I removed 'social.apps.django_app.default' from the lms common settings and it works now.

The reason for me to add that app to the lms settings was a bug 2 months ago: https://github.com/edx/edx-platform/issues/3639. I didn't enable third-party-auth at that time.

Anyway, it's good to have figured out why.

Thanks again.

Nilesh Londhe

unread,
Jan 5, 2015, 12:26:54 PM1/5/15
to edx-...@googlegroups.com
I am thankful for this great community around edX.  Thanks John Cox and Trinh Nguyen for your work on edX third party auth. 

I have set up aspen.1 release on a single instance like this.

sudo apt-get update -y
sudo apt-get upgrade -y
sudo reboot

sudo su -
# export so the release name reaches the installer script on the right of the pipe, not just wget
export OPENEDX_RELEASE=aspen.1
wget https://raw.githubusercontent.com/edx/configuration/master/util/install/vagrant.sh -O - | bash

Then I followed the instructions at http://johnmcox.blogspot.com/2014/05/getting-started-with-edx-third-party.html to enable Google auth.

I created auth on google console and I edited /edx/app/edx_ansible/edx_ansible/playbooks/roles/edxapp/defaults/main.yml like this. 

# Settings for enabling and configuring third party authorization
EDXAPP_ENABLE_THIRD_PARTY_AUTH: true
EDXAPP_THIRD_PARTY_AUTH: {
  "Google": {
    "SOCIAL_AUTH_GOOGLE_OAUTH2_KEY": "15435345345-1usdffdv57hn979n3js90v7n1b.apps.googleusercontent.com",
    "SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET": "SDF34L7Ulinksndf-q5"
  }
}


Then I ran update.

sudo /edx/bin/update edx-platform release

Google Social Auth seems to work but fails at the very last stage. 

swapnil vishnoi

unread,
Feb 22, 2016, 5:49:53 AM2/22/16
to General Open edX discussion
Hello Nilesh,
Have you tried adding the Django admin setting? Go to the third-party authentication module, edit google-oauth2, then go to "Other settings" and add { "USE_DEPRECATED_API": true } in the other settings module. Hope this will help you.

Mike Realm

unread,
Dec 12, 2016, 4:47:25 AM12/12/16
to General Open edX discussion
Hello Swapnil

Our Open edX is having the same problem: error 500 after Google login.

Can you show more details about your suggestion, since I cannot find a way to add "{ "USE_DEPRECATED_API": true }" in Django admin?

thanks,


On Monday, February 22, 2016 at 6:49:53 PM UTC+8, swapnil vishnoi wrote:

pki...@faulknertech.com

unread,
Nov 15, 2018, 1:28:09 PM11/15/18
to General Open edX discussion
I am trying to configure authentication to an implementation of Identity Server using OIDC or OpenId. Specifics are difficult to find.


On Wednesday, May 7, 2014 at 8:48:48 PM UTC-4, John Cox wrote:
On Wednesday, May 7, 2014 5:34:35 PM UTC-7, Trinh Nguyen wrote:
Hi John,

This is really great! I'm thinking about (actually working on) authenticate my users with a PowerSchool system as an Identity Provider via SAML2 standard. Are the Google and LinkedIn providers using SAML2?

Google and LinkedIn are both Oauth 2.0. The underlying library we use, python-social-auth, supports a host of OpenID, Oauth 1.0/2.0, and BrowserID providers out of the box, and there are extension points for other protocols.

We'd love for people to add additional protocols to the third_party_auth module -- please reach out to me if you're interested in writing a SAML extension.

Stan V

unread,
Nov 15, 2018, 8:07:55 PM11/15/18
to General Open edX discussion
My suggestion would be to look through the underlying standard package code and documentation: https://python-social-auth-docs.readthedocs.io/en/latest/index.html
Once you're comfortable with the concept of its middleware, pipelines, etc. - you can run targeted debug and see how it works in EDX and what needs to be configured for your specific use case 

Paul Kimmel

unread,
Nov 16, 2018, 10:05:11 AM11/16/18
to edx-...@googlegroups.com
Thanks Stan: I have tried modifying the lms.env.json and lms.auth.json and followed dozens of pages worth of discussions. I get the 4 standard OAuth types {google, facebook} in the third party auth, but I can't get our identity server to show up there. I successfully configured Google. The docs are pretty quiet on the subject of OIDC.

I tried writing an OIDC package, but it returns 500s when I add it to the config?!

A little more help would be greatly appreciated.


Paul Kimmel

unread,
Nov 16, 2018, 2:15:24 PM11/16/18
to edx-...@googlegroups.com
Stan:

Got the third party auth configuring individual providers--no 500. My OIDC provider doesn't show up though. Is that configured in a different list or in a different place in the lms.env.json file?

Paul

Stan V

unread,
Nov 16, 2018, 7:18:32 PM11/16/18
to General Open edX discussion
Paul, I reviewed what I've done for my POC for Keycloak OIDC some time ago:

1) coded my own method as a close copy of the Google one, put it into "mycustom/keycloak/KeycloakOpenIdConnect" file in the EDX Platform

2) Added these parameters, which make their way into lms.env.json:
EDXAPP_THIRD_PARTY_AUTH_BACKENDS: ['mycustom.keycloak.KeycloakOpenIdConnect', 'third_party_auth.lti.LTIAuthBackend']
EDXAPP_SOCIAL_AUTH_OAUTH_SECRETS: { keycloak-openidconnect: '<code censored>' }

3) After the app starts with the new configuration above, navigate to the Django Admin, e.g., http://myurl:18000/admin/third_party_auth/oauth2providerconfig/. Click on “Add Provider Configuration … ” at the top right. Check “Enabled”, enter the name (it shows on the icon in the default implementation), check “Visible”. Select the Backend name from the dropdown: “keycloak-openidconnect” should be available; enter the same exact string into the Provider slug. Enter Client ID “myid” (same as defined in the Keycloak Realm Client setup), leave the Secret blank and enter the Keycloak URL into Other Settings: { "BASE_URL": "http://myurl:8080" }

This "BASE_URL" is a Settings parameter I use in my custom provider program, the Client ID would also be Keycloak specific. I eventually coded a management method to automate this vs. going through the Admin console.

I think that's pretty much all I've done (lots of debugging along the way across multiple packages)

Stan

Stan V

unread,
Nov 16, 2018, 7:33:10 PM11/16/18
to General Open edX discussion
No intention to confuse, I just copied some code I found in my files. The actual parameter names in the config file would be slightly different as the Configuration builds the images in Ansible and maps values across, but that stuff is easy to trace in the code

kos giannop

unread,
Nov 19, 2018, 3:17:22 AM11/19/18
to General Open edX discussion
Hi, thanks for the great work!
My organization uses an SSO system (CAS2). Does this module support that?
Could it somehow support that if needed?
Thanks

On Thursday, 8 May 2014 03:17:16 UTC+3, John Cox wrote:
Hi all. Google and edX are pleased to announce the addition of a third-party authentication module to Open edX.

With this module, you can let your users sign in to your Open edX deployment with their accounts on external services. This is both more convenient and more secure for end users than creating a new password on your Open edX deployment. The module is deactivated by default, and using it is entirely optional.

It comes with full implementations for Google and LinkedIn, and was designed from the ground up to be extensible and testable. If you are interested in adding new external authentication providers (for example, if you want to use your University’s SSO system), please reach out to us.

If you want to use the module, we’ve written a getting started guide that covers turning the feature on and configuring it.

Enjoy,

John (for the edX Identity Working Group)

Liong Hung Wong

unread,
Aug 21, 2019, 10:43:25 AM8/21/19
to General Open edX discussion
Stan,

May I know where can I get "the copy of the Google one"? Also, could you please share with me the "mycustom/keycloak/KeycloakOpenIdConnect" file?

Regards,
Wong LH

Deepesh Mahule

unread,
Sep 6, 2019, 2:14:13 PM9/6/19
to General Open edX discussion
Hi John,

Hope you are doing well. We are looking for a solution to one of our Open edX SAML problems.

Our IdP supports the HTTP-POST binding, but the request being issued from our LMS uses the redirect binding.

Is there any way that we can change our Python code to issue an HTTP POST request?

Appreciate your response.

Thanks,
Deepesh M
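The two SAML bindings named in this last post differ only in how the same AuthnRequest is transported. As an added example (not code from the thread or from edx-platform), the functions below encode a constructed minimal AuthnRequest both ways and decode each back, so the wire difference can be seen directly; the IdP and LMS URLs are placeholders. One caveat a practitioner will want: a request signed for the redirect binding carries its signature in separate SigAlg/Signature query parameters, while the POST binding embeds an XML signature inside the document, so switching bindings also changes where the IdP must look for the signature.

```python
import base64
import html
import urllib.parse
import zlib

# Constructed minimal AuthnRequest; a real one also carries IssueInstant,
# Destination and AssertionConsumerServiceURL for the deployment.
AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_example" Version="2.0">'
    '<saml:Issuer>https://lms.example.org/saml/metadata/</saml:Issuer>'
    '</samlp:AuthnRequest>'
)


def encode_redirect_binding(xml: str, sso_url: str, relay_state: str = "") -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then
    URL-encode into the SAMLRequest query parameter of a GET to the IdP."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 selects raw deflate
    deflated = compressor.compress(xml.encode()) + compressor.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode()}
    if relay_state:
        params["RelayState"] = relay_state
    return sso_url + "?" + urllib.parse.urlencode(params)


def decode_redirect_binding(url: str) -> str:
    """Inverse of the above: recover the XML from a redirect-binding URL."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode()


def encode_post_binding(xml: str, sso_url: str, relay_state: str = "") -> str:
    """HTTP-POST binding: plain base64 (no deflate) carried in a hidden form
    field that the browser submits to the IdP's POST endpoint."""
    b64 = base64.b64encode(xml.encode()).decode()
    relay = (f'<input type="hidden" name="RelayState" value="{html.escape(relay_state)}"/>'
             if relay_state else "")
    return (f'<form method="post" action="{html.escape(sso_url)}">'
            f'<input type="hidden" name="SAMLRequest" value="{b64}"/>{relay}'
            '<noscript><input type="submit" value="Continue"/></noscript></form>'
            '<script>document.forms[0].submit();</script>')


def decode_post_binding(form_html: str) -> str:
    """Recover the XML from the SAMLRequest hidden field of a POST-binding form."""
    marker = 'name="SAMLRequest" value="'
    start = form_html.index(marker) + len(marker)
    return base64.b64decode(form_html[start:form_html.index('"', start)]).decode()
```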