Extension Google Sign-In Authentication

Extension Basics

Title	Google Sign-In Authentication
Name	ckanext-google_user
Type	Public extension
Description	Google Sign-In authentication integration allowing users to log into CKAN using their Google accounts
CKAN versions	~2.9, ~2.10, ~2.11 Show details These CKAN Versions are exactely matched: 2.10.0 2.10.1 2.10.2 2.10.3 2.10.4 2.10.5 2.10.6 2.10.7 2.10.8 2.11.0 2.11.1 2.11.2 2.11.3 2.12.0 2.9.0 2.9.1 2.9.10 2.9.11 2.9.2 2.9.3 2.9.4 2.9.5 2.9.6 2.9.7 2.9.8 2.9.9
Download-Url (zip)	https://github.com/DataShades/ckanext-google_user.git#egg=ckanext-google_user
Download-Url commit date	2025-10-10
Url to repo	https://github.com/DataShades/ckanext-google_user
Category	Authentication & Security

Background Infos

Description (long)	Show details Extension that integrates Google Sign-In authentication into CKAN, allowing users to authenticate using their Google accounts instead of traditional username/password credentials. Implements a custom authenticator (GoogleSignInAuthenticator) that plugs into CKAN’s authentication system via who.ini configuration. Requires Google OAuth 2.0 credentials (Client ID and Secret) obtained from Google API Console. Simplifies user onboarding by leveraging existing Google accounts, eliminates password management burden, and provides secure authentication through Google’s OAuth infrastructure. Users can sign in with a single click using their Google credentials.
Version	0.0.1
Version release date	2025-10-10
Contact name	(not set)
Contakt email	(not set)
Contact Url	(not set)

Installation Guide

Configuration hints	Requirements: - CKAN 2.5+ - Google OAuth 2.0 credentials (Client ID and Secret) - Python 2.7+ - Google API Python client library Google OAuth Setup: Create Google OAuth Credentials: Go to Google Developers Console: https://console.developers.google.com/apis/credentials Create OAuth Client ID: Click “Create Credentials” → “OAuth client ID” Application type: Web application Name: CKAN Google Sign-In Configure Authorized Redirect URIs: Add your CKAN callback URL: http://your-ckan-site.com/user/google_callback https://your-ckan-site.com/user/google_callback Save credentials: Copy the Client ID (format: xxxxx.apps.googleusercontent.com) Copy the Client Secret Installation: Activate CKAN virtualenv: . /usr/lib/ckan/default/bin/activate Install extension: pip install ckanext-google_user Or from source: git clone https://github.com/DataShades/ckanext-google_user.git cd ckanext-google_user python setup.py develop Install Python dependencies: pip install -r requirements.txt Key dependencies: google-auth google-auth-oauthlib google-auth-httplib2 Add plugin to ckan.plugins in production.ini: ckan.plugins = … google_user … Configure Google OAuth credentials in production.ini: Google OAuth Client ID (from Google Console) ckanext.google_user.client_id = 128970851846-otatl76tvrh52fn0r0hi7707225o055j.apps.googleusercontent.com Google OAuth Client Secret (from Google Console) ckanext.google_user.client_secret = tLmWfCrUcUvsIY08Gsj0oQn1 Configure who.ini authentication: Edit /etc/ckan/default/who.ini Add GoogleSignInAuthenticator to [authenticators] section: [authenticators] plugins = auth_tkt ckan.lib.authenticator:UsernamePasswordAuthenticator ckanext.google_user.authenticator:GoogleSignInAuthenticator Note: Keep existing authenticators, add Google as additional option Restart CKAN: sudo service apache2 reload Configuration: Required Settings: Google OAuth Client ID (from Google API Console) ckanext.google_user.client_id = YOUR_CLIENT_ID.apps.googleusercontent.com Google OAuth Client Secret (from Google API Console) ckanext.google_user.client_secret = YOUR_CLIENT_SECRET Optional Settings: Custom login button text (default: “Sign in with Google”) ckanext.google_user.button_text = Login with Google Auto-create user accounts (default: true) ckanext.google_user.auto_create_user = true Email domain whitelist (comma-separated, optional) ckanext.google_user.allowed_domains = example.com,mycompany.org Usage: User Login Flow: User visits CKAN login page Clicks “Sign in with Google” button Redirected to Google Sign-In page Authorizes CKAN to access basic profile info Redirected back to CKAN Automatically logged in (account created if first login) User Account Creation: Username generated from Google email Display name from Google profile Email from Google account User automatically created on first login (if auto_create_user = true) Authentication Flow: User initiates Google login Extension redirects to Google OAuth endpoint Google authenticates user Google returns authorization code Extension exchanges code for access token Extension retrieves user profile from Google Extension creates/updates CKAN user User logged into CKAN session Security Features: OAuth 2.0 secure authentication No password storage required Token-based session management Optional email domain whitelisting HTTPS recommended for production Customization: Customize Login Button: Add to your theme’s CSS: .google-signin-button { background-color: #4285f4; color: white; padding: 10px 20px; border-radius: 3px; } Customize User Creation: Extend the plugin to customize user creation logic: Override username generation Set custom user attributes Assign default organization/group membership Set user roles based on Google profile Domain Whitelisting: Restrict to specific email domains: ckanext.google_user.allowed_domains = company.com,partner.org Only users with @company.com or @partner.org emails can authenticate. Troubleshooting: “OAuth error” on login: Verify Client ID and Secret are correct Check redirect URI matches Google Console configuration Ensure callback URL is accessible: /user/google_callback Verify HTTPS if configured in Google Console User account not created: Check ckanext.google_user.auto_create_user = true Verify CKAN has database write permissions Check logs for user creation errors Verify email domain allowed (if whitelist configured) “Invalid credentials” error: Regenerate Client Secret in Google Console Update production.ini with new secret Restart CKAN Redirect loop after Google login: Check who.ini configuration is correct Verify GoogleSignInAuthenticator is properly registered Clear browser cookies Check CKAN session configuration Google authentication not appearing: Verify plugin is in ckan.plugins list Check who.ini has authenticator registered Restart Apache/CKAN Clear template cache Development: Clone repository: git clone https://github.com/DataShades/ckanext-google_user.git cd ckanext-google_user Install for development: python setup.py develop pip install -r dev-requirements.txt Create test.ini from template Run tests: nosetests –nologcapture –with-pylons=test.ini Run with coverage: pip install coverage nosetests –nologcapture –with-pylons=test.ini –with-coverage –cover-package=ckanext.google_user –cover-inclusive –cover-erase –cover-tests Security Considerations: Always use HTTPS in production Keep Client Secret confidential Regularly rotate OAuth credentials Monitor for suspicious login activity Consider 2FA for admin accounts Use domain whitelisting for internal deployments Google API Console URLs: Credentials: https://console.developers.google.com/apis/credentials OAuth Consent Screen: https://console.developers.google.com/apis/credentials/consent API Dashboard: https://console.developers.google.com/apis/dashboard Development Status: Beta (4) License: AGPL v3.0 or later Keywords: CKAN, Google, OAuth, authentication, sign-in, SSO Related Extensions: - ckanext-oauth2: Generic OAuth2 provider support - ckanext-saml2: SAML authentication - ckanext-ldap: LDAP/Active Directory integration
Plugins to configure (ckan.ini)	# google_user=ckanext.google_user.plugin:Google_UserPlugin
CKAN Settings (ckan.ini)	# ckanext.google_user.client_id = 128970851846-otatl76tvrh52fn0r0hi7707225o055j.apps.googleusercontent.com # ckanext.google_user.client_secret = tLmWfCrUcUvsIY08Gsj0oQn1 # ckanext.google_user.button_text = Login with Google # ckanext.google_user.auto_create_user = true # ckanext.google_user.allowed_domains = example.com,mycompany.org
DB migration to be executed	(not set)

<< back to Extensions