Extension OpenID Connect PKCE Authentication


Extension Basics

Title
OpenID Connect PKCE Authentication
Name
ckanext-oidc-pkce
Type
Public extension
Description
OpenID Connect with PKCE flow authenticator
CKAN versions

~2.9, ~2.10, ~2.11

Download-Url (zip)
Download-Url commit date
2025-08-18
Url to repo
Category
Authentication & Security


Background Infos

Description (long)

OpenID Connect with PKCE (Proof Key for Code Exchange) flow authenticator for CKAN. Developed and tested with Okta but should work with other OIDC providers. Adds extra login route at /user/login/oidc-pkce allowing external SSO authentication while keeping CKAN’s original authentication system unchanged. Supports automatic user creation from SSO with configurable ID mapping, password munging for SSO-only accounts, and flexible redirect paths. Implements IOidcPkce interface for customizing login response handling. Does not modify existing login page - up to site administrators to hide original login if only SSO is allowed.

Version
0.4.1
Version release date
2025-08-18
Contact name
DataShades
Contact email
(not set)
Contact Url
(not set)


Installation Guide

Configuration hints

Installation:

1. Install the package:

pip install ckanext-oidc-pkce

2. Add ‘oidc_pkce’ to ckan.plugins in your config file

3. Configure SSO settings (see config_env_vars)


Access SSO login at: /user/login/oidc-pkce


Required Configuration:

ckanext.oidc_pkce.base_url - URL of SSO application (e.g. https://12345.example.okta.com)

ckanext.oidc_pkce.client_id - ClientID of SSO application


Optional Configuration:

ckanext.oidc_pkce.client_secret - Client secret (only if app defines one, default: empty)

ckanext.oidc_pkce.auth_path - Authorization endpoint path (default: /oauth2/default/v1/authorize)

ckanext.oidc_pkce.token_path - Token endpoint path (default: /oauth2/default/v1/token)

ckanext.oidc_pkce.userinfo_path - Userinfo endpoint path (default: /oauth2/default/v1/userinfo)

ckanext.oidc_pkce.redirect_path - Local callback path (default: /user/login/oidc-pkce/callback)

ckanext.oidc_pkce.error_redirect - Error redirect URL (default: empty, redirects to came_from or login)

ckanext.oidc_pkce.scope - Scope requested from the provider; the returned claims must include at least sub, email and name (default: openid email profile)

ckanext.oidc_pkce.use_same_id - Use SSO ID as CKAN user ID for new users (default: false)

ckanext.oidc_pkce.munge_password - Override password for SSO users to force SSO-only login (default: false)


Environment Variables:

Can override config with: CKANEXT_OIDC_PKCE_BASE_URL, CKANEXT_OIDC_PKCE_CLIENT_ID, CKANEXT_OIDC_PKCE_CLIENT_SECRET

Plugins to configure (ckan.ini)
oidc_pkce
CKAN Settings (ckan.ini)
# CKANEXT_OIDC_PKCE_BASE_URL = https://12345.example.okta.com
# CKANEXT_OIDC_PKCE_CLIENT_ID = clientid
# CKANEXT_OIDC_PKCE_CLIENT_SECRET = clientsecret
# ckanext.oidc_pkce.auth_path = /oauth2/default/v1/authorize
# ckanext.oidc_pkce.token_path = /oauth2/default/v1/token
# ckanext.oidc_pkce.userinfo_path = /oauth2/default/v1/userinfo
# ckanext.oidc_pkce.redirect_path = /user/login/oidc-pkce/callback
# ckanext.oidc_pkce.error_redirect =
# ckanext.oidc_pkce.scope = openid email profile
# ckanext.oidc_pkce.use_same_id = false
# ckanext.oidc_pkce.munge_password = false
DB migration to be executed
(not set)