Add Login.gov as Authentication
This guide provides step-by-step instructions for integrating Login.gov as the authentication provider for a Flask application with API routes. It uses datagov-harvest-admin as the example.
- A Flask application with API routes.
- A Login.gov account and access to the Login.gov Developer Dashboard.
- Python 3.6+ and Flask installed.
- requests library for handling HTTP requests.
- Log in to the Login.gov Developer Dashboard.
- Register a new application and obtain the following credentials:
  - Client_ID
  - Issuer
  - Auth_URL
  - Token_URL
  - REDIRECT_URI
- Set the redirect URI to a route in your Flask application that will handle the OAuth callback.
Ensure you have the necessary Python packages (Flask and requests) installed.
In your Flask application, add the necessary configuration for Login.gov.
```python
@app.route('/login')
def login():
    # Build the Login.gov authorization request and redirect the user to Auth_URL
    ...

@app.route('/callback')
def callback():
    # Handle the OAuth callback at REDIRECT_URI: exchange the code at Token_URL
    # and record the authenticated user in the session
    ...

def login_required(f):
    # Decorator that rejects requests that have no authenticated session
    ...

@app.route('/api/data')
@login_required
def data():  # placeholder handler name; the original snippet ends at the decorators
    ...
```
Run the following command:

```bash
$ openssl req -nodes -x509 -days 365 -newkey rsa:2048 -keyout private.pem -out public.crt -config <(
cat <<EOF
[req]
prompt = no
default_md = sha256
distinguished_name = dn
[ dn ]
C=US
ST=District of Columbia
L=Washington
O=General Services Administration
OU=Technology Transformation Service
emailAddress=test@gsa.gov
CN=test.data.gov
EOF
)
```
Replace the CN value `[domain-name-for-service-provider]` with the corresponding domain name of the app, so that the certificates are recognizable. This command generates two files: `private.pem` as the private key and `public.crt` as the public certificate.
Add apps on the sandbox login.gov dashboard: upload the file `public.crt` to have the app updated with the new public certificate. Changes made to Active apps take effect right away.
Location: DatagovDevSecOps > secrets. The files are version controlled; upload the certificate files as a new version. This should be done before the next step so that other team members have access to the certificates to perform the next step.
Run the cf command `cf env datagov-harvest` to get the credential value for the service `datagov-harvest-secrets`. For example:

```json
{
  "CF_SERVICE_AUTH": "[...]",
  ...
  "OPENID_PRIVATE_KEY": "LS0[...]0tLQo="
}
```

Save it locally as the file `secrets.json`.

Replace the value for `OPENID_PRIVATE_KEY` in the file `secrets.json`.

Run the cf command `cf uups datagov-harvest-secrets -p secrets.json` to update the cf service `datagov-harvest-secrets`. Restart the datagov-harvest app to pick up the updated `OPENID_PRIVATE_KEY` value.
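The `secrets.json` edit above is easy to get wrong by hand. The following helper is an added example, not part of the datagov-harvester project; it assumes (as the `LS0[...]0tLQo=` sample suggests) that `OPENID_PRIVATE_KEY` holds the base64 encoding of the whole `private.pem` file, validates the existing value before touching it, and rewrites only that key so the other credentials survive unchanged. The PEM bodies and secrets below are constructed placeholders, not real keys.

```python
import base64
import json

# Constructed sample values (not real credentials): placeholder PEM files and a
# secrets.json shaped like the output of `cf env datagov-harvest`.
OLD_PEM = b"-----BEGIN PRIVATE KEY-----\nOLDKEYBODY\n-----END PRIVATE KEY-----\n"
NEW_PEM = b"-----BEGIN PRIVATE KEY-----\nNEWKEYBODY\n-----END PRIVATE KEY-----\n"
SAMPLE_SECRETS = json.dumps({
    "CF_SERVICE_AUTH": "[...]",
    "OPENID_PRIVATE_KEY": base64.b64encode(OLD_PEM).decode("ascii"),
})


def _looks_like_pem_key(pem: bytes) -> bool:
    return pem.startswith(b"-----BEGIN") and b"PRIVATE KEY-----" in pem


def decode_private_key(value: str) -> bytes:
    """Decode OPENID_PRIVATE_KEY (base64 of private.pem) and check it is a PEM key."""
    pem = base64.b64decode(value, validate=True)
    if not _looks_like_pem_key(pem):
        raise ValueError("OPENID_PRIVATE_KEY does not decode to a PEM private key")
    return pem


def encode_private_key(pem: bytes) -> str:
    """Inverse of decode_private_key: validate private.pem, then base64-encode it."""
    if not _looks_like_pem_key(pem):
        raise ValueError("file does not look like a PEM private key")
    return base64.b64encode(pem).decode("ascii")


def update_secrets(secrets_text: str, new_pem: bytes) -> str:
    """Return secrets.json with OPENID_PRIVATE_KEY replaced and every other key untouched."""
    data = json.loads(secrets_text)
    current = decode_private_key(data["OPENID_PRIVATE_KEY"])  # fail fast on a corrupt value
    if current == new_pem:
        raise ValueError("new key is identical to the key already deployed")
    data["OPENID_PRIVATE_KEY"] = encode_private_key(new_pem)
    return json.dumps(data, indent=2)


if __name__ == "__main__":
    # With real files: update_secrets(open("secrets.json").read(), open("private.pem", "rb").read())
    print(update_secrets(SAMPLE_SECRETS, NEW_PEM))
```

Write the returned text back to `secrets.json` and continue with `cf uups` as described above; the identical-key check catches the common mistake of re-uploading the key that is already deployed.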
These steps need to be done 3 times to complete the private key update for the app in the cf spaces `development`, `staging` and `prod`.
This step has to be done together with the login.gov dashboard certificate update. If one is done without the other, the app's login function is down until both match. So when login.gov support notifies you that the task has been scheduled/resolved, it is time to do this step.
Private certificates go to the `.env` file.
- Once an app gets promoted to the login.gov production server, we lose access to manage it, so any change, including an SP public certificate change, needs to go through the login.gov support channel. This might improve in the future when the login.gov production server supports developer self-management.
- Production CKAN applications should NOT use the login.gov sandbox environment. The sandbox has no ATO and is not cleared for official use.