This application enables authentication integrations for Maxar's OpenMaps environments. Specifically, this provides a simple API for mediating access to private web applications via external identity providers.
- Python 3.7+
- OAuth or OIDC credentials when using an identity provider.
This application is typically used with Nginx's auth_request directive. For example:
location = /index {
proxy_pass http://auth:8000;
}
location = /callback {
proxy_pass http://auth:8000;
}
location = /valid {
internal;
proxy_pass http://auth:8000;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
}
location / {
proxy_pass http://protected-app;
auth_request /valid;
}
All listed setting may be set via an environment variable of the same name, or by using a file with the setting's contents and appending _FILE to the setting name. Any file defaults with /path/to/openmaps-auth is the location where you've cloned this repository.
A JSON list of applications used when generating links on the index; defaults to:
[{"link": "/", "text": "MapEdit"}]
Base path for all URLs, default is the empty string ("").
Authentication backend to use, defaults to None. Set this to the desired external identity provider:
login-govokta-openidconnectopenstreetmapopenstreetmap-oauth2
The following must also be configured when setting a backend:
OPENMAPS_AUTH_KEYOPENMAPS_AUTH_SECRETOPENMAPS_AUTH_OIDC_ENDPOINT: when using Okta or for a Login.gov development endpoint.
The callback URL used to set LOGIN_REDIRECT_URL; defaults to callback.
When set, enables authentication with TLS client certificates; defaults to False unless both the STEP_PROVISIONER and STEP_PROVISIONER_PASSWORD_FILE are configured. Requires having a Smallstep certificate authority running and configured for use (e.g., step ca bootstrap --ca-url https://my-step-ca). In addition, the Smallstep CLI, the step command, is required to be installed on the host. Smallstep tool configuration and general TLS concepts are beyond the scope of this document.
Here's an example of additional Nginx configuration to enable authentication with TLS certificates:
ssl_client_certificate /path/to/ca-for-clients.pem;
ssl_verify_client optional;
...
location = /valid {
internal;
proxy_pass http://auth:8000;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_set_header X-TLS-Client-Cert $ssl_client_escaped_cert;
proxy_set_header X-TLS-Client-Verify $ssl_client_verify;
}
location = /login {
proxy_pass http://auth:8000;
proxy_set_header X-TLS-Client-Cert $ssl_client_escaped_cert;
proxy_set_header X-TLS-Client-Verify $ssl_client_verify;
}
HTTP header for client certifcate in PEM format, and URL encoded like Nginx's $ssl_client_escaped_cert variable; defaults to X-TLS-Client-Cert.
HTTP header for client certifcate verification status like Nginx's $ssl_client_verify variable; defaults to X-TLS-Client-Verify.
The duration of issued client certificates, defaults to 744h.
The maximum number of valid client certificates allowed to be issued to user, defaults to 3.
Defaults to True; when set, verify that the certificate's serial number is recorded in the database. This allows the application to infer a certificate's validity without CRLs or OCSP queries. Set to False to allow certificates not created with this application.
The index URL to used to set LOGOUT_REDIRECT_URL and SOCIAL_AUTH_LOGIN_REDIRECT_URL; defaults to index.
The OAuth consumer key or OIDC client identifier when using a social authentication backend.
The logging level for this application, defaults to INFO.
Set this to change OIDC endpoint URL from the default.
The OAuth consumer secret or OIDC private RSA key in PEM format.
The title to use in the generated pages, defaults to Maxar OpenMaps.
When using social or TLS authentication, domains allowed to login.
When using social or TLS authentication, email addresses allowed to login.
Defaults to False; when set, a cookie from the configured OpenStreetMap instance will be added to the user's session.
A JSON dictionary of additional lists, maps, or tag elements to add to the generated preferences file. Defaults to:
{
"tags": {
"default.osm.tile.source.url": "https://tile.openstreetmap.org/{zoom}/{x}/{y}.png",
}
}Defaults to http://localhost:8111/callback.
The name of the OAuth1 application to create for OSM users; defaults to JOSM - Java OpenStreetMap Editor.
The version of JOSM for the generated preferences file, defaults to 18303.
The XML namespace for the root <preferences> element in the generated JOSM preferences file, defaults to http://josm.openstreetmap.de/preferences-1.0.
Base URL for accessing OpenStreetMap authentication endpoints, defaults to the value of OSM_BASE_URL.
Base URL to access OpenStreetMap at, defaults to https://www.openstreetmap.org.
URL used to login to OpenStreetMap, defaults to {OSM_BASE_URL}/login.
URL used to create new OpenStreetMap users, defaults to {OSM_BASE_URL}/user/new.
URL used for OAuth1 access tokens; defaults to {OSM_AUTH_URL}/oauth/access_token.
URL used for OAuth1 authorization; defaults to {OSM_AUTH_URL}/oauth/authorize.
URL used for OAuth1 request tokens; defaults to {OSM_AUTH_URL}/oauth/request_token
URL used for OAuth2 access tokens; defaults to {OSM_AUTH_URL}/oauth2/token.
URL used for OAuth2 authorization; defaults to {OSM_AUTH_URL}/oauth2/authorize.
Cookie used by OpenStreetMap to store its session, defaults to _osm_session.
A JSON list of OSM user email addresses that will be granted the administrator role when created, defaults to [].
When enabled, all OSM users will be granted the administrator role when created, defaults to False.
The country to use for all OSM users created instead of inferring from browser request headers, defaults to None.
URL used to query OpenStreetMap user details, defaults to {OSM_AUTH_URL}/api/0.6/user/details.
When using OpenStreetMap as an authentication backend, the domain to use for user email addresses since they're not provided by OSM; defaults to openstreetmap.arpa.
The default home latitude to use for created OSM users, defaults to None.
The default home longitude to use for created OSM users, defaults to None.
The default zoom level to use for created OSM users, defaults to 14.
The languages to use for all created OSM users instead of inferring from request headers, defaults to None.
Replace any spaces in the OSM user name with this value.
Make the OSM user name lower case.
The organization to use for all created OSM users, defaults to None.
The path used by Smallstep CA tools, defaults to /path/to/openmaps-auth/.step.
The path used for Smallstep CA certificate files, defaults to ${STEPPATH}/certs.
Path to the Smallstep CLI binary, defaults to step.
The name of the Smallstep CA provisioner to use; only JWK (JSON Web Key) is supported at this time.
File with the password for the Smallstep CA provisioner specified in STEP_PROVISIONER.
The path used for Smallstep CA secret files (e.g., private keys and P12 files), defaults to ${STEPPATH}/secrets.
Defaults to None.
Defaults to django.core.cache.backends.redis.RedisCache; only valid when the CACHE_URL setting is provided.
Defaults to the value of SESSION_COOKIE_AGE.
Defaults to the value of SESSION_COOKIE_DOMAIN.
Defaults to False.
Defaults to openmapscsrf.
Defaults to the value of SESSION_COOKIE_PATH.
Defaults to the value of SESSION_COOKIE_SAMESITE.
Defaults to False.
Defaults to [].
Defaults to False.
Defaults to sqlite:////path/to/openmaps-auth/db.sqlite3.
Defaults to True in development, False in production.
The logging level to set in Django's LOGGING configuration; defaults to INFO.
Defaults to en-us.
Defaults to openmaps_auth.urls.
Please change this to a unique value in production.
Defaults to None.
Defaults to 1209600.
Defaults to None.
Defaults to True.
Defaults to /.
Defaults to Lax.
Defaults to False.
When CACHE_URL is set, defaults to django.contrib.sessions.backends.cache; django.contrib.sessions.backends.db otherwise.
Defaults to False.
Defaults to None.
Defaults to False.
Defaults to django.contrib.sessions.serializers.JSONSerializer.
Defaults to 1.
Defaults to /path/to/openmaps-auth/static.
Defaults to {OPENMAPS_AUTH_BASE_PATH}/static/.
Defaults to UTC.
Defaults to True.
Defaults to True.
Defaults to True.
Defaults to False.
Defaults to False.