diff --git a/.remarkrc b/.remarkrc index 0a92b38ee..e002189ee 100644 --- a/.remarkrc +++ b/.remarkrc @@ -9,7 +9,6 @@ "skipLocalhost": true, "skipUrlPatterns": [ "https://security.stackexchange.com", - "https://help.liferay.com", "https://github.com/LayerManager/layman/issues/", "http://www.plantuml.com/plantuml/proxy" ] diff --git a/CHANGELOG.md b/CHANGELOG.md index fc80d5296..95cdc217d 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -47,6 +47,7 @@ - GET [Layers](doc/rest.md#get-layers)/[Maps](doc/rest.md#get-maps)/[Publications](doc/rest.md#get-publications) - [#165](https://github.com/LayerManager/layman/issues/165) Name of [users](doc/models.md#username) and [public workspaces](doc/models.md#public-workspace) are from now on restricted to a maximum length of 59 characters. - [940](https://github.com/LayerManager/layman/issues/940) Use `userId` as OAuth2 "sub" instead of `username`. This is suitable for Wagtail. +- [940](https://github.com/LayerManager/layman/issues/940) Stop supporting Liferay as OAuth2 provider. - [941](https://github.com/LayerManager/layman/issues/941) Wagtail database is now persistent when restarting Layman or Wagtail. - All changes from [v1.22.1](#v1221), [v1.22.2](#v1222) and [v1.22.3](#v1223). - [#960](https://github.com/LayerManager/layman/issues/960) Handle WMS requests with HTTP error more efficiently in timgen. diff --git a/doc/env-settings.md b/doc/env-settings.md index ea0844ebc..a3ff38265 100644 --- a/doc/env-settings.md +++ b/doc/env-settings.md 
@@ -61,7 +61,7 @@ List of dotted paths to Python modules to be used for authentication. Paths are Secret name of HTTP header used for authentication internally (e.g. when generating private map thumbnail). Only combination of lowercase characters and numbers must be used for the value. At demo configuration, the HTTP header is automatically removed by Nginx on every request to Layman REST API or to GeoServer WMS/WFS/OWS. ### OAUTH2_CLIENT_ID -Client ID of Layman's Test Client registered at OAuth2 provider (e.g. Wagtail or Liferay). +Client ID of Layman's Test Client registered at OAuth2 provider (e.g. Wagtail). ### OAUTH2_CLIENT<n>_ID Client ID of another Layman's client registered at OAuth2 provider. The **n** must be integer starting from `1`. In case of more clients other than LTC, list of **n**s must be uninterrupted series of integers. diff --git a/doc/oauth2/index.md b/doc/oauth2/index.md index 6f03c3890..7fa77f90f 100644 --- a/doc/oauth2/index.md +++ b/doc/oauth2/index.md 
@@ -32,9 +32,8 @@ From [RFC6749](https://tools.ietf.org/html/rfc6749#section-1.1): Layman acts as *resource server*. On every request to REST API, Layman accepts OAuth2 [access token](https://tools.ietf.org/html/rfc6749#section-1.4) from a *client* and validates access token against *authorization server* to authenticate *resource owner* (i.e. end-user). The access token is validated token against *authorization server* by OAuth2 mechanism called [Token Introspection](https://oauth.net/2/token-introspection/) (RFC 7662). Furthermore, Layman is responsible for fetching user-related metadata from *authorization server* using provider-specific endpoint. ### Authorization Server -There are currently two supported *authorization servers* (OAuth2 providers): +There is currently one supported *authorization server* (OAuth2 provider): - [Django OAuth2 Toolkit](https://django-oauth-toolkit.readthedocs.io/en/latest/) as plugin of [Wagtail CRX](https://docs.coderedcorp.com/wagtail-crx/), this is preferred option -- [Liferay Portal](https://help.liferay.com/hc/en-us/articles/360018176491-OAuth-2-0) Supporting [other OAuth2 providers](https://en.wikipedia.org/wiki/List_of_OAuth_providers) (e.g. Google or Facebook) should be quite straightforward in the future. 
@@ -130,26 +129,3 @@ Check following environment variables of LTC: - OAUTH2_TOKEN_URL: URL of [Token Endpoint](https://tools.ietf.org/html/rfc6749#section-3.2). In case of Django OAuth Toolkit (Wagtail), it's something like `:///o/token` - OAUTH2_CALLBACK_URL: URL of [Redirection Endpoint](https://tools.ietf.org/html/rfc6749#section-3.1.2), the value is `:///auth/oauth2-provider/callback`. - OAUTH2_USER_PROFILE_URL: URL of Layman's [GET Current User](../rest.md#get-current-user) - -### Liferay Settings -Every *client* must be registered in Liferay as *application*, as described in [Liferay documentation](https://help.liferay.com/hc/en-us/articles/360018176491-OAuth-2-0#creating-an-application). For LTC, fill in following settings: -- **Website URL** should point to application's home page, e.g. `http://localhost:3000/`. -- **Callback URIs** must contain URL of OAuth2 [Redirection Endpoint](https://tools.ietf.org/html/rfc6749#section-3.1.2). In case of LTC, the value is the same as LTC setting OAUTH2_CALLBACK_URL. -- **Client Profile**: Web Application -- **Allowed Authorization Types**: - - Authorization Code - - Refresh Token -- **Supported Features**: - - Token Introspection - -Furthermore, check "read your personal user data" (liferay-json-web-services.everything.read.userprofile) in **Scopes** tab. This scope will enable `/api/jsonws/user/get-current-user` endpoint to provide user-related metadata to Layman. - -By default, only Liferay users with Administrator role have enough privileges to use OAuth2 authorization. To enable other roles to use OAuth2 (e.g. 
User role), you need to -- add **View** permission for **Authorize Screen URL** to desired roles - - **Authorize Screen URL** can be found in *Configuration > System Settings > OAuth 2 > Authorize Screen* - - to open permissions of default Authorize Screen URL `/?p_p_id=com_liferay_oauth2_provider_web_internal_portlet_OAuth2AuthorizePortlet&p_p_state=maximized`, visit [this URL](http://localhost:8080/?p_p_id=com_liferay_portlet_configuration_web_portlet_PortletConfigurationPortlet&p_p_state=pop_up&_com_liferay_portlet_configuration_web_portlet_PortletConfigurationPortlet_mvcPath=%2Fedit_permissions.jsp&_com_liferay_portlet_configuration_web_portlet_PortletConfigurationPortlet_portletConfiguration=true&_com_liferay_portlet_configuration_web_portlet_PortletConfigurationPortlet_portletResource=com_liferay_oauth2_provider_web_internal_portlet_OAuth2AuthorizePortlet&_com_liferay_portlet_configuration_web_portlet_PortletConfigurationPortlet_resourcePrimKey=com_liferay_oauth2_provider_web_internal_portlet_OAuth2AuthorizePortlet) - - see [Workaround #1](https://issues.liferay.com/browse/OAUTH2-202) for details -- add **View** and **Create token** permissions for each registered OAuth2 application to desired roles - - to open permissions, visit *Configuration > OAuth 2 Administration*, click on three dots for desired application and select *Permissions* - -After registration, add **Client ID** and **Client Secret** pair to Layman's setting OAUTH2_CLIENTS.
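Review bot: In the `.remarkrc` hunk, dropping `https://help.liferay.com` from `skipUrlPatterns` is only safe if no remaining document still links to that host; this diff removes the two help.liferay.com links in `doc/oauth2/index.md`, so please grep the rest of `doc/` (and `CHANGELOG.md`, whose older entries are not shown here) for `help.liferay.com` before merging, otherwise the remark link check will start failing on links that used to be skipped.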
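Review bot: The new `CHANGELOG.md` entry `- [940](...) Stop supporting Liferay as OAuth2 provider.` describes a breaking change for operators but gives no migration note, and this diff touches only documentation and `.remarkrc`. State what happens to a deployment whose `LAYMAN_AUTHN_MODULES` (the "List of dotted paths to Python modules to be used for authentication" in the env-settings context) still names the Liferay module, i.e. whether Layman refuses to start, ignores it, or keeps a code path the docs no longer describe, and confirm the corresponding module and its tests are removed in a companion change; a changelog that says support is gone while the authentication code still accepts the provider is the kind of doc/code divergence that later hides an unreviewed auth path.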
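Review bot: In the `doc/oauth2/index.md` hunk at line 32, the list that follows `There is currently one supported *authorization server* (OAuth2 provider):` keeps the single bullet `... Wagtail CRX ..., this is preferred option`; with only one provider left, "this is preferred option" no longer means anything, so drop that clause (or fold the provider into the sentence itself). Minor, and in unchanged context rather than in the change: the preceding line reads `The access token is validated token against *authorization server*`, where the second "token" is a leftover word worth fixing while this paragraph is being edited.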
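Review bot: In the `doc/oauth2/index.md` hunk at line 130, removing the whole "Liferay Settings" section also removes its closing instruction `After registration, add **Client ID** and **Client Secret** pair to Layman's setting OAUTH2_CLIENTS.`, which is the only place in the shown diff that tells an operator where the registered client's secret goes; check that the remaining Wagtail (Django OAuth Toolkit) section carries an equivalent sentence pointing at the settings actually defined in `doc/env-settings.md` (the context there documents `OAUTH2_CLIENT_ID` and `OAUTH2_CLIENT<n>_ID`, not `OAUTH2_CLIENTS`), so the surviving docs name the real variables rather than a setting that may itself be stale.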