Social Authentication¶

Last Updated: September 2019

Tethys Portal supports authenticating users with Google, Facebook, LinkedIn and HydroShare via the OAuth 2.0 method. The social authentication and authorization features have been implemented using the Python Social Auth module and the social buttons provided by the Social Buttons for Bootstrap. Social login is disabled by default, because enabling it requires registering your tethys portal instance with each provider.

Enable Social Login¶

Use the following instructions to setup social login for the providers you desire.

Caution

These instructions assume that you have generated a new settings file after upgrading to Tethys Platform 1.2.0 or later. If this is not the case, please review the Social Auth Settings section.

Google¶

Create a Google Developer Account

Follow these instructions to register your project and create a client ID: Setting Up OAuth 2.0. Provide the following as you setup OAuth2:

Provide Authorized JavaScript Origins
As a security precaution, Google will only accept authentication requests from the hosts listed in the Authorized JavaScript Origins box. Add the domain of your Tethys Portal to the list. Optionally, you may add a localhost domain to the list to be used during testing. For example, if the domain of your Tethys Portal is www.example.org, you would add the following entries:
https://www.example.org
http://localhost:8000
Provide Authorized Redirect URIs
You also need to provide the callback URI for Google to call once it has authenticated the user. This follows the pattern http://<host>/oauth2/complete/google-oauth2/. For a Tethys Portal at domain www.example.org:
https://www.example.org/oauth2/complete/google-oauth2/
https://localhost:8000/oauth2/complete/google-oauth2/
Note

Some Google APIs are free to use up to a certain quota of hits. Be sure to familiarize yourself with the terms of use for each service.

Open settings.py script located in $TETHYS_SRC/tethys_portal/settings.py

Add the social_core.backends.google.GoogleOAuth2 backend to the AUTHENTICATION_BACKENDS setting:
AUTHENTICATION_BACKENDS = (
    ...
    'social_core.backends.google.GoogleOAuth2',
    'django.contrib.auth.backends.ModelBackend',
)
Copy the Client ID and Client secret into the SOCIAL_AUTH_GOOGLE_OAUTH2_KEY and SOCIAL_AUTH_GOOGLE_AUTH2_SECRET settings, respectively:
SOCIAL_AUTH_GOOGLE_OAUTH2_KEY = '...'
SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET = '...'

References¶

For more detailed information about using Google social authentication see the following articles:

Facebook¶

Create a Facebook Developer Account

You will need a Facebook developer account to register your Tethys Portal with Facebook. To create an account, visit https://developers.facebook.com and sign in with a Facebook account.

Create a Facebook App

Point to My Apps and select Create App.

Fill out the form and press Create App ID button.

Setup OAuth

Scroll down and locate the tile titled Facebook Login.

Press the Setup button on the tile (or Settings if setup previously).

If your Tethys Portal were hosted at www.example.com, you would enter the following for the Valid OAuth Redirect URIs field:
https://www.example.org/oauth2/complete/facebook/
Note

Localhost domains are automatically enabled when the app is in development mode, so you don't need to add them for Facebook OAuth logins.

Press the Save Changes button.

Make the app public you wish by changing the toggle switch in the header from Off to On.

Note

The Facebook app must be public to allow Facebook authentication to non-localhost Tethys Portals.

Expand the Settings menu on the left and select Basic. Note the App ID and App Secret.
Open settings.py script located in $TETHYS_SRC/tethys_portal/settings.py

Add the social_core.backends.facebook.FacebookOAuth2 backend to the AUTHENTICATION_BACKENDS setting:
AUTHENTICATION_BACKENDS = (
    ...
    'social_core.backends.facebook.FacebookOAuth2',
    'django.contrib.auth.backends.ModelBackend',
)
Copy the App ID and App Secret to the SOCIAL_AUTH_FACEBOOK_KEY and SOCIAL_AUTH_FACEBOOK_SECRET settings, respectively:
SOCIAL_AUTH_FACEBOOK_KEY = '...'
SOCIAL_AUTH_FACEBOOK_SECRET = '...'

References¶

For more detailed information about using Facebook social authentication see the following articles:

LinkedIn¶

Create a LinkedIn Developer Account

You will need a LinkedIn developer account to register your Tethys Portal with LinkedIn. To create an account, visit https://developer.linkedin.com/my-apps and sign in with a LinkedIn account.

Create a LinkedIn Application

Navigate back to https://www.linkedin.com/developers/apps, if necessary and press the Create App button.

Fill out the form and press Create App.

Open the Auth tab and note the Client ID and Client Secret for Step 5.
Setup OAuth

Add the call back URLs under the OAuth 2.0 settings section. For example, if your Tethys Portal is hosted at the domain www.example.org:
https://www.example.org/oauth2/complete/linkedin-oauth2/
http://localhost:8000/oauth2/complete/linkedin-oauth2/

Open settings.py script located in $TETHYS_SRC/tethys_portal/settings.py

Add the social_core.backends.linkedin.LinkedinOAuth2 backend to the AUTHENTICATION_BACKENDS setting:
AUTHENTICATION_BACKENDS = (
    ...
    'social_core.backends.linkedin.LinkedinOAuth2',
    'django.contrib.auth.backends.ModelBackend',
)
Copy the Client ID and Client Secret to the SOCIAL_AUTH_LINKEDIN_OAUTH2_KEY and SOCIAL_AUTH_LINKEDIN_OAUTH2_SECRET settings, respectively:
SOCIAL_AUTH_LINKEDIN_OAUTH2_KEY = '...'
SOCIAL_AUTH_LINKEDIN_OAUTH2_SECRET = '...'

References¶

For more detailed information about using LinkedIn social authentication see the following articles:

LinkedIn: Authenticating with OAuth 2.0

HydroShare¶

Create a HydroShare Account

You will need a HydroShare account to register your Tethys Portal with HydroShare. To create an account, visit https://www.hydroshare.org.

Create and setup a HydroShare Application

Navigate to https://www.hydroshare.org/o/applications/register/.

Name: Give this OAuth app a name. It is recommended to use the domain of your Tethys Portal instance as the name, like: www.my-tethys-portal.com

Client id: Leave unchanged. Note this value for step 3.

Client secret: Leave unchanged. Note this value for step 3.

Client type: Select "Confidential".

Authorization grant type: Select "Authorzation code".

Redirect uris: Add the call back URLs. The protocol (http or https) that matches your Tethys Portal settings should be included in this url. For example:
if your Tethys Portal was located at the domain ``https://www.my-tethys-portal.com``:
    https://www.my-tethys-portal.com/oauth2/complete/hydroshare/

if your Tethys Portal was on a local development machine:
    http://localhost:8000/oauth2/complete/hydroshare/
    or
    http://127.0.0.1:8000/oauth2/complete/hydroshare/
Press the "Save" button.

Open settings.py script located in $TETHYS_SRC/tethys_portal/settings.py

Add the tethys_services.backends.hydroshare.HydroShareOAuth2 backend to the AUTHENTICATION_BACKENDS setting:
AUTHENTICATION_BACKENDS = (
    'tethys_services.backends.hydroshare.HydroShareOAuth2',
    ...
    'django.contrib.auth.backends.ModelBackend',
)
Assign the Client id and Client secret to the SOCIAL_AUTH_HYDROSHARE_KEY and SOCIAL_AUTH_HYDROSHARE_SECRET settings, respectively:
SOCIAL_AUTH_HYDROSHARE_KEY = '...'
SOCIAL_AUTH_HYDROSHARE_SECRET = '...'

Work with HydroShare in your app

Once user has logged in Tethys through HydroShare OAuth, your app is ready to retrieve data from HydroShare on behalf of this HydroShare user using HydroShare REST API Client (hs_restclient). A helper function is provided to make this integration smoother.

# import helper function
from tethys_services.backends.hs_restclient_helper import get_oauth_hs

# your controller function
def home(request)

    # put codes in a 'try..except...' statement
    try:
        # pass in request object
        hs = get_oauth_hs(request)

        # your logic goes here. For example: list all HydroShare resources
        for resource in hs.getResourceList():
            print(resource)

    except Exception as e:
        # handle exceptions
        pass

(Optional) Link to a testing HydroShare instance
The production HydroShare is located at https://www.hydroshare.org/. In some cases you may want to link your Tethys Portal to a testing HydroShare instance, like hydroshare-beta. Tethys already provides OAuth backends for hydroshare-beta and hydroshare-playground. To activate them, you need to go through steps 1-3 for each backend (replace www.hydroshare.org with the testing domain urls accordingly).

At step 3:
1. Append the following classes in AUTHENTICATION_BACKENDS settings:
  
  hydroshare-beta:
  tethys_services.backends.hydroshare_beta.HydroShareBetaOAuth2
  
  hydroshare-playground:
  tethys_services.backends.hydroshare_playground.HydroSharePlaygroundOAuth2
2. Assign the Client ID and Client Secret to the following variables:
  
  hydroshare-beta:
  SOCIAL_AUTH_HYDROSHARE_BETA_KEY
  
  SOCIAL_AUTH_HYDROSHARE_BETA_SECRET
  
  hydroshare-playground:
  SOCIAL_AUTH_HYDROSHARE_PLAYGROUND_KEY
  
  SOCIAL_AUTH_HYDROSHARE_PLAYGROUND_SECRET
Note

To prevent any unexpected behavior in section (4), a Tethys account SHOULD NOT be associated with multiple HydroShare social accounts.

References¶

For more detailed information about using HydroShare social authentication see the following articles:

https://github.com/hydroshare/hydroshare/wiki/HydroShare-REST-API#oauth-20-support

Social Authentication¶

Enable Social Login¶

Google¶

References¶

Facebook¶

References¶

LinkedIn¶

References¶

HydroShare¶

References¶

Social Auth Settings¶