Enable to use userId as OAuth2 sub

.env.dev

@@ -91,7 +91,8 @@ OAUTH2_AUTH_URL=http://localhost:8083/o/authorize
 OAUTH2_TOKEN_URL=http://wagtail:8000/o/token/
 OAUTH2_CALLBACK_URL=http://localhost:3000/client/authn/oauth2-provider/callback
 OAUTH2_INTROSPECTION_URL=http://wagtail:8000/o/introspect/
-OAUTH2_INTROSPECTION_SUB_KEY=username
+OAUTH2_INTROSPECTION_USE_SUB_KEY_FROM_USER_PROFILE=true
+OAUTH2_INTROSPECTION_SUB_KEY=userId
 OAUTH2_USER_PROFILE_URL=http://wagtail:8000/profile
 
 

CHANGELOG.md

@@ -9,6 +9,15 @@
   ```
 - Stop using environment variable `LAYMAN_GS_ROLE_SERVICE`, it has no effect to Layman anymore. Layman now uses [role service](doc/security.md#role-service) identified by new environment variable [LAYMAN_ROLE_SERVICE_URI](doc/env-settings.md#LAYMAN_ROLE_SERVICE_URI). The service is called `layman_role_service` on GeoServer.
 - Set new environment variable [LAYMAN_ROLE_SERVICE_URI](doc/env-settings.md#LAYMAN_ROLE_SERVICE_URI)
+- If you are using Wagtail as OAuth2 provider
+  - Set new environment variable [OAUTH2_INTROSPECTION_USE_SUB_KEY_FROM_USER_PROFILE](doc/env-settings.md#OAUTH2_INTROSPECTION_USE_SUB_KEY_FROM_USER_PROFILE):
+    ```
+    OAUTH2_INTROSPECTION_USE_SUB_KEY_FROM_USER_PROFILE=true
+    ```  
+  - Change environment variable [OAUTH2_INTROSPECTION_SUB_KEY](doc/env-settings.md#OAUTH2_INTROSPECTION_SUB_KEY):
+    ```
+    OAUTH2_INTROSPECTION_SUB_KEY=userId
+    ```
 ### Migrations and checks
 #### Schema migrations
 - [#165](https://github.com/LayerManager/layman/issues/165) Add column `role_name` to table `rights` in prime DB schema. Add constraint that exactly one of columns `role_name` and `id_user` is not null.
@@ -38,6 +47,7 @@
   - GET Workspace [Layers](doc/rest.md#get-workspace-layers)/[Maps](doc/rest.md#get-workspace-maps)
   - GET [Layers](doc/rest.md#get-layers)/[Maps](doc/rest.md#get-maps)/[Publications](doc/rest.md#get-publications)
 - [#165](https://github.com/LayerManager/layman/issues/165) Name of [users](doc/models.md#username) and [public workspaces](doc/models.md#public-workspace) are from now on restricted to a maximum length of 59 characters.
+- [940](https://github.com/LayerManager/layman/issues/940) Enable to use `userId` as OAuth2 "sub" instead of `username`. This is recommended option for Wagtail. See [OAUTH2_INTROSPECTION_SUB_KEY](doc/env-settings.md#OAUTH2_INTROSPECTION_SUB_KEY) for more details.
 - [941](https://github.com/LayerManager/layman/issues/941) Wagtail database is now persistent when restarting Layman or Wagtail.
 - All changes from [v1.22.1](#v1221), [v1.22.2](#v1222) and [v1.22.3](#v1223).
 - [#960](https://github.com/LayerManager/layman/issues/960) Handle WMS requests with HTTP error more efficiently in timgen.

Makefile

@@ -271,6 +271,9 @@ postgresql-psql:
 postgresql-psql-test:
 	docker compose -f docker-compose.deps.yml run -e PGPASSWORD=docker --entrypoint "psql -U docker -p 5432 -h postgresql layman_test" --rm postgresql
 
+postgresql-bash-exec:
+	docker compose -f docker-compose.deps.yml exec -e PGPASSWORD=docker postgresql "bash"
+
 redis-cli-db:
 	docker compose -f docker-compose.deps.yml exec redis redis-cli -h redis -p 6379 -n 0
 

doc/env-settings.md

@@ -85,7 +85,10 @@ URL of LTC OAuth2 callback endpoint to be called after successful OAuth2 authori
 URL of OAuth2 Introspection endpoint.
 
 ### OAUTH2_INTROSPECTION_SUB_KEY
-Name of the key in OAuth2 introspection response whose value is OAuth2 subject (also known as "sub"). Value `username` is suitable for Wagtail. If not set or set to empty string, `sub` is used, that is suitable option for Liferay.
+Name of the key in OAuth2 introspection response whose value is OAuth2 subject (also known as "sub"). Value `userId` is suitable for Wagtail (together with setting [OAUTH2_INTROSPECTION_USE_SUB_KEY_FROM_USER_PROFILE](#OAUTH2_INTROSPECTION_USE_SUB_KEY_FROM_USER_PROFILE) to `true`). If not set or set to empty string, `sub` is used, that is suitable option for Liferay.
+
+### OAUTH2_INTROSPECTION_USE_SUB_KEY_FROM_USER_PROFILE
+Set to `true` if you want [OAUTH2_INTROSPECTION_SUB_KEY](#OAUTH2_INTROSPECTION_SUB_KEY) to be read from [OAUTH2_USER_PROFILE_URL](#OAUTH2_USER_PROFILE_URL) instead of [OAUTH2_INTROSPECTION_URL](#OAUTH2_INTROSPECTION_URL). Default value is `false`. Value `true` is suitable for Wagtail.
 
 ### OAUTH2_USER_PROFILE_URL
 URL of User Profile endpoint used to obtain user's ID, name, email, etc.

src/layman/authn/oauth2/__init__.py

@@ -72,6 +72,14 @@ def authenticate():
                 # current_app.logger.info(f"r_json={r_json}")
                 if r_json['active'] is True and r_json.get('token_type', 'Bearer') == 'Bearer':
                     valid_resp = r_json
+                    if settings.OAUTH2_INTROSPECTION_USE_SUB_KEY_FROM_USER_PROFILE:
+                        response = requests.get(USER_PROFILE_URL, headers={
+                            'Authorization': f'Bearer {access_token}',
+                        }, timeout=settings.DEFAULT_CONNECTION_TIMEOUT)
+                        response.raise_for_status()
+                        user_profile_json = response.json()
+                        # current_app.logger.info(f"user_profile_json={user_profile_json}")
+                        valid_resp[INTROSPECTION_SUB_KEY] = user_profile_json[INTROSPECTION_SUB_KEY]
                     break
             except ValueError:
                 continue

src/layman_settings.py

@@ -216,6 +216,7 @@ class EnumWfsWmsStatus(Enum):
 OAUTH2_INTROSPECTION_URL = os.getenv('OAUTH2_INTROSPECTION_URL', None)
 OAUTH2_INTROSPECTION_SUB_KEY = os.getenv('OAUTH2_INTROSPECTION_SUB_KEY') or 'sub'
 OAUTH2_USER_PROFILE_URL = os.getenv('OAUTH2_USER_PROFILE_URL', None)
+OAUTH2_INTROSPECTION_USE_SUB_KEY_FROM_USER_PROFILE = os.getenv('OAUTH2_INTROSPECTION_USE_SUB_KEY_FROM_USER_PROFILE', 'false') == 'true'
 OAUTH2_CLIENTS = [
     d for d in read_clients_dict_from_env()
     if len(d['id']) > 0