Last Updated: October 2019
Tethys Portal supports authenticating users with Google, Facebook, LinkedIn and HydroShare via OAuth 2.0. The social authentication and authorization features are implemented using the Python Social Auth module and the social buttons provided by Social Buttons for Bootstrap. Social login is disabled by default, because enabling it requires registering your Tethys Portal instance with each provider.
Enable Social Login
Use the following instructions to set up social login for the providers you desire.
Beginning with Tethys Platform 3.0 you must configure the social auth settings in the portal_config.yml file. See Tethys Portal Configuration for more details on how to create and configure this file. For instructions on how to configure social auth for previous versions of Tethys Platform please refer to the documentation specific to your version.
Create a Google Developer Account
Follow these instructions to register your project and create a client ID: Setting Up OAuth 2.0. Provide the following as you set up OAuth2:
As a security precaution, Google will only accept authentication requests from the hosts listed in the
www.example.org, you would add the following entries:

    https://www.example.org
    http://localhost:8000

Provide Authorized Redirect URIs
You also need to provide the callback URI for Google to call once it has authenticated the user. This follows the pattern http://<host>/oauth2/complete/google-oauth2/. For a Tethys Portal at domain
portal_config.yml file located in
Add the social_core.backends.google.GoogleOAuth2 backend to the AUTHENTICATION_BACKENDS setting:

    AUTHENTICATION_BACKENDS:
      ...
      - social_core.backends.google.GoogleOAuth2

Copy the Client ID and Client secret into the SOCIAL_AUTH_GOOGLE_OAUTH2_KEY and SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET settings, respectively:

    OAUTH_CONFIGS:
      SOCIAL_AUTH_GOOGLE_OAUTH2_KEY: '...'
      SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET: '...'

Create a Facebook Developer Account
You will need a Facebook developer account to register your Tethys Portal with Facebook. To create an account, visit https://developers.facebook.com and sign in with a Facebook account.
Create a Facebook App
My Apps and select
Fill out the form and press the Create App ID button.
Scroll down and locate the tile titled Facebook Login.
Setup button on the tile (or Settings if set up previously).
If your Tethys Portal were hosted at www.example.org, you would enter the following for the Valid OAuth Redirect URIs field:

    https://www.example.org/oauth2/complete/facebook/

Localhost domains are automatically enabled when the app is in development mode, so you don't need to add them for Facebook OAuth logins.
Make the app public, if you wish, by changing the toggle switch in the header from
The Facebook app must be public to allow Facebook authentication to non-localhost Tethys Portals.
Settings menu on the left and select Basic. Note the
portal_config.yml file located in
Add the social_core.backends.facebook.FacebookOAuth2 backend to the AUTHENTICATION_BACKENDS setting:

    AUTHENTICATION_BACKENDS:
      ...
      - social_core.backends.facebook.FacebookOAuth2

Copy the App ID and App Secret to the SOCIAL_AUTH_FACEBOOK_KEY and SOCIAL_AUTH_FACEBOOK_SECRET settings, respectively:

    OAUTH_CONFIGS:
      ...
      SOCIAL_AUTH_FACEBOOK_KEY: '...'
      SOCIAL_AUTH_FACEBOOK_SECRET: '...'

For more detailed information about using Facebook social authentication see the following articles:
Create a HydroShare Account
You will need a HydroShare account to register your Tethys Portal with HydroShare. To create an account, visit https://www.hydroshare.org.
Create and setup a HydroShare Application
Navigate to https://www.hydroshare.org/o/applications/register/.
Name: Give this OAuth app a name. It is recommended to use the domain of your Tethys Portal instance as the name, like: www.my-tethys-portal.com
Client id: Leave unchanged. Note this value for step 3.
Client secret: Leave unchanged. Note this value for step 3.
Client type: Select "Confidential".
Authorization grant type: Select "Authorization code".
Redirect uris: Add the callback URLs. The protocol (http or https) that matches your Tethys Portal settings should be included in this URL. For example:

if your Tethys Portal was located at the domain https://www.my-tethys-portal.com:

    https://www.my-tethys-portal.com/oauth2/complete/hydroshare/

if your Tethys Portal was on a local development machine:

    http://localhost:8000/oauth2/complete/hydroshare/
    or
    http://127.0.0.1:8000/oauth2/complete/hydroshare/

Press the "Save" button.
portal_config.yml file located in
Add the tethys_services.backends.hydroshare.HydroShareOAuth2 backend to the AUTHENTICATION_BACKENDS setting:

    AUTHENTICATION_BACKENDS:
      - tethys_services.backends.hydroshare.HydroShareOAuth2
      ...

Copy the Client id and Client secret to the SOCIAL_AUTH_HYDROSHARE_KEY and SOCIAL_AUTH_HYDROSHARE_SECRET settings, respectively:

    OAUTH_CONFIGS:
      ...
      SOCIAL_AUTH_HYDROSHARE_KEY: '...'
      SOCIAL_AUTH_HYDROSHARE_SECRET: '...'

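The redirect URIs registered with Google, Facebook and HydroShare above all follow the pattern <scheme>://<host>/oauth2/complete/<backend>/, and a registration that differs by a missing trailing slash or a wrong backend name typically fails at login. The following check is an added example, not part of Tethys or its documentation; the function name, the sample URIs and the rule that plain http is acceptable only for local development are assumptions of the example.

```python
from urllib.parse import urlsplit

# Final path segment of the callback for each provider, as listed on this page.
CALLBACK_NAMES = {
    "google": "google-oauth2",
    "facebook": "facebook",
    "hydroshare": "hydroshare",
}
LOCAL_HOSTS = {"localhost", "127.0.0.1"}


def check_redirect_uri(uri, provider):
    """Return a list of problems found in a redirect URI for `provider`."""
    parts = urlsplit(uri)
    expected_path = "/oauth2/complete/%s/" % CALLBACK_NAMES[provider]
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return ["not an absolute http(s) URI"]
    problems = []
    # Assumption of this example: plain http is acceptable only on localhost,
    # because the authorization code travels in the redirect.
    if parts.scheme == "http" and parts.hostname not in LOCAL_HOSTS:
        problems.append("plain http on a non-local host")
    # The registered URI has to match what the portal sends, so a missing
    # trailing slash or a wrong backend name is reported.
    if parts.path != expected_path:
        problems.append("path is %r, expected %r" % (parts.path, expected_path))
    if parts.query or parts.fragment:
        problems.append("query string or fragment present")
    if parts.username or parts.password:
        problems.append("credentials embedded in URI")
    return problems


# Constructed sample registrations using the page's example domains.
SAMPLES = [
    ("https://www.example.org/oauth2/complete/google-oauth2/", "google"),
    ("https://www.example.org/oauth2/complete/facebook", "facebook"),
    ("http://www.my-tethys-portal.com/oauth2/complete/hydroshare/", "hydroshare"),
    ("http://localhost:8000/oauth2/complete/hydroshare/", "hydroshare"),
]

if __name__ == "__main__":
    for uri, provider in SAMPLES:
        print(uri, "->", check_redirect_uri(uri, provider) or "ok")
```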
Work with HydroShare in your app
Once a user has logged in to Tethys through HydroShare OAuth, your app is ready to retrieve data from HydroShare on behalf of this HydroShare user using the HydroShare REST API Client (hs_restclient). A helper function is provided to make this integration smoother.

    # import helper function
    from tethys_services.backends.hs_restclient_helper import get_oauth_hs

    # your controller function
    def home(request):
        # put code in a 'try..except...' statement
        try:
            # pass in request object
            hs = get_oauth_hs(request)

            # your logic goes here. For example: list all HydroShare resources
            for resource in hs.getResourceList():
                print(resource)

        except Exception as e:
            # handle exceptions
            pass

(Optional) Link to a testing HydroShare instance
The production HydroShare is located at https://www.hydroshare.org/. In some cases you may want to link your Tethys Portal to a testing HydroShare instance, like hydroshare-beta. Tethys already provides OAuth backends for hydroshare-beta and hydroshare-playground. To activate them, you need to go through steps 1-3 for each backend (replace www.hydroshare.org with the testing domain urls accordingly).
At step 3:
Append the following classes in
Client Secret to the following variables:
To prevent any unexpected behavior in section (4), a Tethys account SHOULD NOT be associated with multiple HydroShare social accounts.
For more detailed information about using HydroShare social authentication see the following articles:
Social Auth Settings
Beginning with Tethys Platform 3.0.0 the social auth settings are configured in the portal_config.yml file. The following is a summary of all the settings that would need to be added for the various supported social auth backends.
Social authentication requires Tethys Platform 1.2.0 or later. For instructions on how to configure social auth for previous versions of Tethys Platform please refer to the documentation specific to your version.

    AUTHENTICATION_BACKENDS:
      - social_core.backends.google.GoogleOAuth2
      - social_core.backends.facebook.FacebookOAuth2
      - social_core.backends.linkedin.LinkedinOAuth2
      - tethys_services.backends.hydroshare.HydroShareOAuth2

    OAUTH_CONFIGS:
      SOCIAL_AUTH_GOOGLE_OAUTH2_KEY: ''
      SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET: ''
      SOCIAL_AUTH_FACEBOOK_KEY: ''
      SOCIAL_AUTH_FACEBOOK_SECRET: ''
      SOCIAL_AUTH_FACEBOOK_SCOPE: ['email']
      SOCIAL_AUTH_LINKEDIN_OAUTH2_KEY: ''
      SOCIAL_AUTH_LINKEDIN_OAUTH2_SECRET: ''
      SOCIAL_AUTH_HYDROSHARE_KEY: ''
      SOCIAL_AUTH_HYDROSHARE_SECRET: ''

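A consistency check for the settings summarized above, written as an added example rather than Tethys code: it takes the AUTHENTICATION_BACKENDS list and the OAUTH_CONFIGS mapping after they have been loaded from portal_config.yml, and reports enabled backends whose key or secret is still empty or a placeholder, plus secrets left in the file for a provider that is not enabled. The function name, the finding texts and the sample values are assumptions; backend paths use the social_core module named in the provider sections.

```python
# Backend class -> prefix of its KEY/SECRET settings.
BACKEND_PREFIX = {
    "social_core.backends.google.GoogleOAuth2": "SOCIAL_AUTH_GOOGLE_OAUTH2",
    "social_core.backends.facebook.FacebookOAuth2": "SOCIAL_AUTH_FACEBOOK",
    "social_core.backends.linkedin.LinkedinOAuth2": "SOCIAL_AUTH_LINKEDIN_OAUTH2",
    "tethys_services.backends.hydroshare.HydroShareOAuth2": "SOCIAL_AUTH_HYDROSHARE",
}
PLACEHOLDERS = {"", "..."}


def _is_set(value):
    return isinstance(value, str) and value.strip() not in PLACEHOLDERS


def lint_social_auth(backends, oauth_configs):
    """Return findings for an AUTHENTICATION_BACKENDS list and OAUTH_CONFIGS mapping."""
    backends = backends or []
    if oauth_configs is None:
        oauth_configs = {}
    if not isinstance(oauth_configs, dict):
        # A YAML list ("- KEY: value") under OAUTH_CONFIGS loads as a list, not a mapping.
        return ["OAUTH_CONFIGS must be a mapping of setting names to values"]
    findings = []
    for backend in backends:
        prefix = BACKEND_PREFIX.get(backend)
        if prefix is None:
            continue  # not one of the social backends covered on this page
        for suffix in ("KEY", "SECRET"):
            name = "%s_%s" % (prefix, suffix)
            if not _is_set(oauth_configs.get(name)):
                findings.append("%s enabled but %s is unset" % (backend, name))
    # Assumption of this example: a secret for a disabled provider is stale.
    for backend, prefix in BACKEND_PREFIX.items():
        if backend not in backends and _is_set(oauth_configs.get(prefix + "_SECRET")):
            findings.append("%s_SECRET set but %s not enabled" % (prefix, backend))
    return findings


# Constructed sample configuration; the values are not real credentials.
SAMPLE_BACKENDS = ["social_core.backends.google.GoogleOAuth2",
                   "tethys_services.backends.hydroshare.HydroShareOAuth2"]
SAMPLE_OAUTH_CONFIGS = {
    "SOCIAL_AUTH_GOOGLE_OAUTH2_KEY": "constructed-client-id",
    "SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET": "...",
    "SOCIAL_AUTH_HYDROSHARE_KEY": "constructed-client-id",
    "SOCIAL_AUTH_HYDROSHARE_SECRET": "constructed-secret",
    "SOCIAL_AUTH_FACEBOOK_SECRET": "constructed-secret",
}
```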