Fairdata SSO Authentication#
Metax API endpoints support user authentication via Fairdata SSO using SSO session cookies.
Configuration variables#
To enable SSO authentication support, add the following variables to the Metax .env
file:
Variable | Type | Usage |
---|---|---|
ENABLE_SSO_AUTH | boolean | Enable SSO authentication. Defaults to false. |
SSO_HOST | string | Host where SSO requests will be sent to, e.g. https://sso.<fairdata-domain>.fi |
SSO_SESSION_COOKIE | string | Name of the SSO session cookie. |
SSO_SECRET_KEY | string | Secret key used for verifying the SSO session token. |
SSO_METAX_SERVICE_NAME | string | Service name Metax uses to identify itself for SSO, e.g. METAX . |
External service configuration#
To allow external services to use the SSO session for cross-site Metax requests, they need to be listed in CORS_ALLOWED_ORIGINS
, and CORS_ALLOW_CREDENTIALS
has to be enabled. For unsafe requests (POST
, PUT
, etc.), the origin also has to be listed in CSRF_TRUSTED_ORIGINS
. The CSRF token can be retrieved from /v3/auth/user
after SSO login and needs to be included as X-CSRFToken
header in each unsafe request.
Note
The CSRF token is only valid during the SSO session and needs to be retrieved again after a new login. Also, the value is masked for security reasons which makes it look different on each /v3/auth/user
request.
The related .env
variables are:
Variable | Type | Usage |
---|---|---|
CORS_ALLOWED_ORIGINS | comma-separated list | List of origins allowed to make cross-site requests, e.g. https://service.<fairdata-domain>.fi |
CORS_ALLOW_CREDENTIALS | boolean | Allow cookies to be included in cross-site requests. Defaults to false. |
CSRF_TRUSTED_ORIGINS | comma-separated list | List of trusted origins for unsafe requests, e.g. service.<fairdata-domain>.fi |
Development server#
To be able to access the SSO session cookies, Metax needs to be running HTTPS and has to be in the same domain as SSO cookies. For example, add
to /etc/hosts
and run
poetry run python manage.py runserver_plus 0:8100 \
--cert-file <path-to-fd-dev.csc.fi.crt.pem> \
--key-file <path-to-fd-dev.csc.fi.key.pem>
Example configuration for local Etsin and Qvain#
For local Etsin/Qvain development, the following values can be used in Metax .env
file.
# SSO configuration
ENABLE_SSO_AUTH=true
SSO_SECRET_KEY=<e.g. SSO.key from etsin-qvain app_config_dev>
SSO_SESSION_COOKIE=fd_dev_csc_fi_fd_sso_session
SSO_HOST=https://sso.fd-dev.csc.fi
# SSO does not yet have METAX service defined but QVAIN can be used instead
SSO_METAX_SERVICE_NAME=QVAIN
# External service configuration
CSRF_TRUSTED_ORIGINS=etsin.fd-dev.csc.fi,qvain.fd-dev.csc.fi
CORS_ALLOWED_ORIGINS=https://etsin.fd-dev.csc.fi,https://qvain.fd-dev.csc.fi
CORS_ALLOW_CREDENTIALS=true
Testing requests from Etsin and Qvain#
After updating configuration and restarting the development server, it should be possible to make requests to Metax from the browser in Etsin or Qvain. Note that cookies are not sent for cross-origin requests by default and "unsafe" methods (e.g. POST) require a CSRF token in the X-CSRFToken
header.
Example of creating a dataset from external service, can be run in Qvain javascript console.
const metaxUrl = "https://metaxv3.fd-dev.csc.fi:8100";
// Get CSRF token required for POST requests
const resp = await fetch(`${metaxUrl}/v3/auth/user`, {
credentials: "include", // required for the SSO cookie to be sent
});
const data = await resp.json();
// Create dataset
const resp2 = await fetch(`${metaxUrl}/v3/datasets`, {
method: "POST",
body: JSON.stringify({
data_catalog: "urn:nbn:fi:att:data-catalog-ida",
title: {
en: "Test dataset",
},
}),
headers: {
"X-CSRFToken": data.metax_csrf_token,
"Content-Type": "application/json",
},
credentials: "include",
});
console.log((await resp2.json()).id); // print id of created dataset