Plone.restapi: how to manage login with different pas plugins?

plone.restapi documentation says that it should work with any PAS plugin, but I can't find any example of this.

I mean, how should this work? After logging in with a different plugin, do we need to generate a JWT token with the JWT plugin for subsequent API calls?

I'd like to use Google auth (maybe with pas.plugins.authomatic, which already works fine on a "normal" site) on plone.restapi + Volto. Is it possible, or is it a dumb question?

I actually implemented something similar today. It is much simpler than I thought. We needed to allow authentication with restapi and check provided credentials against content in Plone.

The @login endpoint of plone.restapi asks all PAS plugins (IAuthenticationPlugin) whether the provided login and password are OK. Our custom PAS plugin (PortKnoxAuthenticationPlugin) does that check in authenticateCredentials, and if the check succeeds it returns (login, login). With this info PAS auto-creates a Plone user instance and returns it to the @login endpoint of plone.restapi.

The endpoint then delegates creation of a token to its own PAS plugin, JWTAuthenticationPlugin, which also stores the token.

The next request can then use that token, and you become the same Plone user as long as the token is valid. Our own plugin is then only used for listing and finding users (enumerateUsers), which is used surprisingly often (e.g. in api.user.get_roles()).
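The flow described in this answer, as an added stand-alone model (not plone.restapi, Plone or PAS code): a content-backed authentication plugin that returns (login, login), a JWT plugin that mints and stores a token and authenticates later requests from it, and a PAS-like chain that asks each plugin in turn. Method names mirror the real PAS interface methods (authenticateCredentials, enumerateUsers) so the shape carries over; the credential store, the `login_endpoint`/`authenticated_request` helpers, the "content_auth" plugin id and the HS256 token code are all assumptions made for this example.

```python
"""Constructed model of the @login flow: PAS plugin chain + JWT plugin (standard library only)."""
import base64, hashlib, hmac, json, secrets, time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


# Constructed stand-in for the Plone content the custom plugin checks credentials against.
# Store salted hashes, never plaintext passwords.
CONTENT_CREDENTIALS = {
    "alice": ("s4lt", hashlib.sha256(b"s4lt" + b"correct horse").hexdigest()),
}


class ContentAuthenticationPlugin:
    """Plays the PortKnoxAuthenticationPlugin role: authentication + user enumeration."""

    def authenticateCredentials(self, credentials):
        login, password = credentials.get("login"), credentials.get("password")
        if login is None or password is None:
            return None  # this plugin only understands login/password credentials
        entry = CONTENT_CREDENTIALS.get(login)
        if entry is None:
            return None
        salt, expected = entry
        digest = hashlib.sha256(salt.encode() + password.encode()).hexdigest()
        if not hmac.compare_digest(digest, expected):
            return None
        return (login, login)  # (user_id, login): PAS builds the user object from this

    def enumerateUsers(self, id=None, login=None, exact_match=False, **kw):
        # Called far more often than authentication, so keep it cheap: no hashing here.
        wanted = id or login
        out = []
        for known in CONTENT_CREDENTIALS:
            if wanted is None or (known == wanted if exact_match else wanted in known):
                out.append({"id": known, "login": known, "pluginid": "content_auth"})
        return tuple(out)


class JWTAuthenticationPlugin:
    """Mints an HS256 token after login and authenticates later requests from it."""

    def __init__(self, secret: bytes, ttl: int = 3600):
        self._secret, self._ttl = secret, ttl
        self._issued = set()  # "stores the token": lets @logout revoke it before expiry

    def create_token(self, user_id, now=None):
        now = int(time.time()) if now is None else now
        header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
        payload = _b64url(json.dumps({"sub": user_id, "iat": now, "exp": now + self._ttl},
                                     separators=(",", ":")).encode())
        sig = hmac.new(self._secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        token = f"{header}.{payload}.{_b64url(sig)}"
        self._issued.add(token)
        return token

    def authenticateCredentials(self, credentials, now=None):
        token = credentials.get("token")
        if not token or token not in self._issued:
            return None
        try:
            header, payload, sig = token.split(".")
        except ValueError:
            return None
        expected = hmac.new(self._secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_b64url_decode(sig), expected):
            return None
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # never trust the token's own algorithm choice
        claims = json.loads(_b64url_decode(payload))
        now = int(time.time()) if now is None else now
        if claims.get("exp", 0) <= now:
            return None
        return (claims["sub"], claims["sub"])

    def revoke(self, token):
        self._issued.discard(token)


class PAS:
    """Asks every authentication plugin in order; the first (user_id, login) wins."""

    def __init__(self, *plugins):
        self.plugins = plugins

    def authenticate(self, credentials):
        for plugin in self.plugins:
            found = plugin.authenticateCredentials(credentials)
            if found:
                return found
        return None


def login_endpoint(pas, jwt_plugin, body):
    """Models @login: login/password in, {"token": ...} out (assumed response shapes)."""
    found = pas.authenticate({"login": body.get("login"), "password": body.get("password")})
    if found is None:
        return {"error": "authentication failed"}, 401
    user_id, _login = found
    return {"token": jwt_plugin.create_token(user_id)}, 200


def authenticated_request(pas, headers):
    """Models a later API call carrying 'Authorization: Bearer <token>'."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return pas.authenticate({"token": auth[len("Bearer "):]})


def demo():
    jwt = JWTAuthenticationPlugin(secrets.token_bytes(32), ttl=60)
    pas = PAS(ContentAuthenticationPlugin(), jwt)
    _, bad_status = login_endpoint(pas, jwt, {"login": "alice", "password": "wrong"})
    body, ok_status = login_endpoint(pas, jwt, {"login": "alice", "password": "correct horse"})
    token = body["token"]
    parts = token.split(".")
    parts[1] = _b64url(b'{"sub":"admin"}')  # forged payload, signature no longer matches
    result = {
        "wrong_password_status": bad_status,
        "login_status": ok_status,
        "who": authenticated_request(pas, {"Authorization": "Bearer " + token}),
        "tampered": authenticated_request(pas, {"Authorization": "Bearer " + ".".join(parts)}),
        "expired": jwt.authenticateCredentials({"token": token}, now=int(time.time()) + 3600),
    }
    jwt.revoke(token)
    result["after_revoke"] = authenticated_request(pas, {"Authorization": "Bearer " + token})
    return result


if __name__ == "__main__":
    print(demo())
```

The point to carry over: the login plugin and the token plugin are independent. Whatever proves the credentials on the first request only has to hand PAS a (user_id, login) pair; from then on only the JWT plugin is consulted, plus enumerateUsers whenever Plone needs to look the user up again.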

From what I've seen and understand, I think your use case was the easiest one, because your plugin needs username and password fields just like the login endpoint. Lucky you :wink:

In my case, I need the features of pas.plugins.authomatic (login with an external provider and create a user if not present in the DB) and to allow generating a JWT token for the API calls.

Some of my problems are:

  • The login endpoint only handles username and password fields (as far as I know).
  • To log in with pas.plugins.authomatic I need to go through a Plone view that redirects me to an external Google page, and then I go back to Plone to complete the auth. If I want to use Volto and not leave my app, I should only make AJAX calls.

I don't know if authomatic is the right choice for this purpose. I wanted to reuse some already working plugins, but maybe it's easier to build a new one for my needs.

For this to work, you must obviously be ready to handle (at least) the redirects caused by the API calls and emulate a browser well enough that the "external Google page"'s expectations are satisfied. If you can satisfy these conditions, then there should be no other big problems.

If your "restapi" calls are part of normal user interaction inside the browser, then a previous login in the standard browser way should be sufficient to authorize the API calls.

If your "restapi" calls are in a special context, you might be able to use a special user. E.g., I often use a Zope "Manager" (authenticated outside Plone) for such tasks.

Hello @cekk,
Have you finally found a way to log in and generate a JWT token with pas.plugins.authomatic and p.restapi?
We need to connect an external app with the OpenID Connect protocol (which looks like the OAuth2 protocol), and we also use pas.plugins.authomatic.

We (@mamico) started a spike with this branch in plone.restapi that should do what we need, but I haven't had time to test it yet.

You can do the same in your policy package, because it listens to the logged-in event and generates the token.

I don't know if this could fit your needs.