Social Login with GSIS
This document describes the process of authenticating public officials and authorized users through the gov.gr infrastructure using the Social Auth GSIS library. It covers the required backend actions as well as indicative implementation scenarios.
Step 1 — Authorization Request
Initially, the client application (e.g., the Delivery Environment, Knowledge Base, Booking) redirects the resource owner (the user) to the authorization server (e.g., GSIS) via the authorization endpoint.
This redirection includes some query parameters that the authorization server uses to identify the application and its purpose.
Parameters:
- response_type: The type of response we expect. For this flow, it is code.
- client_id: The unique identifier of the application (e.g., the Delivery Environment), obtained during its registration with the authorization server.
- redirect_uri: The URL to which the user will be redirected after approving or denying the authorization.
- scope: The resources for which access is being requested. Optional.
- state: A randomly generated string created by the application to prevent CSRF (Cross-Site Request Forgery) attacks.
Example URL:
https://test.gsis.gr/oauth2server/oauth/authorize?client_id=T2RMOJ24915&redirect_uri=https%3A%2F%2Fcrmrg02containerapp05-web.blackgrass-68d61443.westeurope.azurecontainerapps.io%2Fauthorize%2F&state=huBPgzBWQjskHz8uqPl4pWe304RIPR3N&response_type=code&scope=read
Step 2 — Authorization Response
If the user gives consent, the authorization server redirects the browser to the redirect_uri, including:
- code: The temporary authorization code generated by the server.
- state: The same string that was sent in the initial request (for CSRF protection).
Example URL:
https://crmrg02containerapp05-web.blackgrass-68d61443.westeurope.azurecontainerapps.io/authorize/?code=SZGcI1&state=huBPgzBWQjskHz8uqPl4pWe304RIPR3N
Step 3 — Token Request
After the client application receives the authorization code, it can exchange it for an access token by making a POST request to the token endpoint.
Parameters:
- grant_type: authorization_code (indicates the type of OAuth flow being used).
- code: The authorization code received in the previous step.
- client_id: The application's identifier.
- client_secret: The application's secret key, used for verification.
Example POST Request:
POST /token/endpoint HTTP/1.1
Host: authserver.dummy.com
Content-Type: application/x-www-form-urlencoded

grant_type=authorization_code&code=hhdf6hsbhjG66hgtgfGGHJGCHJ&client_id=12345&client_secret=gh5Gdkj743HFG45udbfGfs
Step 4 — Token Response
The authorization server verifies the code and the application's credentials. If everything is valid, it returns an access token along with additional information.
Example JSON Response:
{
"response": {
"access_token": "08a30794-16b4-4817-9c8f-8ed9a7b71b0c",
"token_type": "bearer",
"expires_in": 299,
"scope": "read",
"username": "gsis-660074100",
"first_name": "ΕΥΣΤΡΑΤΙΟΣ",
"last_name": "ΧΑΛΚΕΟΝΙΔΗΣ ΠΑΠΑΔΟΠΟΥΛΟΣ",
"tax_id": "660074100"
},
"redirect_name": "next",
"strategy": "<social_django.strategy.DjangoStrategy>",
"storage": "<social_django.models.DjangoStorage>",
"is_new": false,
"details": {
"username": "gsis-660074100",
"first_name": "ΕΥΣΤΡΑΤΙΟΣ",
"last_name": "ΧΑΛΚΕΟΝΙΔΗΣ ΠΑΠΑΔΟΠΟΥΛΟΣ",
"tax_id": "660074100"
},
"pipeline_index": 3
}
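The client side of the four steps above as an added example, not code from this page or from the social-auth-gsis library: it builds the Step 1 URL, checks state on the Step 2 callback before trusting the code, forms the Step 3 POST body, and parses the inner "response" object of the Step 4 reply. The authorize endpoint and the token endpoint host are the page's own test and placeholder values.

```python
# Added example, not the page's or social-auth-gsis's code: client side of steps 1-4 with the stdlib only; endpoint values are the page's test/placeholder values.
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import Request, urlopen

AUTHORIZE_ENDPOINT = "https://test.gsis.gr/oauth2server/oauth/authorize"
TOKEN_ENDPOINT = "https://authserver.dummy.com/token/endpoint"

def new_state() -> str:
    """Step 1: unguessable per-login state; store it in the session before redirecting."""
    return secrets.token_urlsafe(24)

def build_authorize_url(client_id: str, redirect_uri: str, state: str, scope: str = "read") -> str:
    """Step 1: redirect target; urlencode percent-encodes redirect_uri as in the example URL."""
    params = {"client_id": client_id, "redirect_uri": redirect_uri, "state": state,
              "response_type": "code", "scope": scope}
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"

def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 2: verify state before trusting code; reject denials and missing parameters."""
    qs = parse_qs(urlparse(callback_url).query)
    state = qs.get("state", [""])[0]
    if not state or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch: reject the callback (CSRF or replayed login)")
    if "error" in qs:
        raise PermissionError(f"authorization denied: {qs['error'][0]}")
    code = qs.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code

def token_request_body(code: str, client_id: str, client_secret: str) -> str:
    """Step 3: form body of the POST; the secret travels in the body, never in a URL."""
    return urlencode({"grant_type": "authorization_code", "code": code,
                      "client_id": client_id, "client_secret": client_secret})

def parse_token_response(raw: str) -> dict:
    """Step 4: accept only a bearer token and keep the fields shown in the example response."""
    data = json.loads(raw)
    if data.get("token_type", "").lower() != "bearer" or not data.get("access_token"):
        raise ValueError("unexpected token response")
    return {k: data[k] for k in ("access_token", "expires_in", "scope", "username", "tax_id") if k in data}

def exchange_code(code: str, client_id: str, client_secret: str) -> dict:
    """Steps 3 and 4 over the network (needs connectivity; not exercised offline)."""
    req = Request(TOKEN_ENDPOINT, data=token_request_body(code, client_id, client_secret).encode(),
                  headers={"Content-Type": "application/x-www-form-urlencoded"}, method="POST")
    with urlopen(req, timeout=10) as resp:
        return parse_token_response(resp.read().decode())
```

The page's Step 4 JSON is the pipeline's keyword arguments; only its inner "response" object is what the token endpoint actually returns, which is what parse_token_response expects.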
INFORMATION WITH EXAMPLES AND CODE
The process of social authentication and the OAuth protocol used is supported in our projects through the social-auth-gsis library. More information about the library can be found here: social-auth-gsis on PyPI
OAuth is an authorization framework that allows a client application (such as the Delivery Environment, Knowledge Base, Booking) to retrieve information from another system (e.g., GSIS, Google, etc.) using an access token, which is valid for a limited period of time.
We explained the step-by-step process of how this works in practice above.
Usage
To make the GSIS Authentication package work in a Django application, you need to configure both the settings and the URLs.
Settings
To integrate Social Auth GSIS into a Django project, the configuration starts in settings.py:
Add social_django to Installed Apps:
INSTALLED_APPS = [
"social_django",
]
Add Middleware:
Place SocialAuthExceptionMiddleware directly below XFrameOptionsMiddleware:
MIDDLEWARE = [
"django.middleware.clickjacking.XFrameOptionsMiddleware",
"social_django.middleware.SocialAuthExceptionMiddleware",
]
Restrict User Creation Only via Social Auth:
Define the SOCIAL_AUTH_PIPELINE to include only specific steps:
SOCIAL_AUTH_PIPELINE = (
"social_core.pipeline.social_auth.social_details",
"social_core.pipeline.social_auth.social_uid",
"social_core.pipeline.social_auth.auth_allowed",
"social_auth_gsis.pipeline.social_auth.social_user",
"social_core.pipeline.social_auth.associate_user",
"social_core.pipeline.social_auth.load_extra_data",
"social_core.pipeline.user.user_details",
)
The step social_auth_gsis.pipeline.social_auth.social_user is a custom pipeline entry point that connects the authenticated user to a Django user account based on AFM (Tax ID).
Define Credentials and Redirect URLs:
Set different credentials depending on whether the user is a citizen or a public sector employee:
For citizens:
GSIS_KEY=
GSIS_SECRET=
GSIS_REDIRECT_URL=https://test.gov.gr/authorize/
For public sector employees:
GSIS_KEY_PA=
GSIS_SECRET_PA=
GSIS_REDIRECT_URL_PA=https://test.gov.gr/admin/authorize/
Enable Authentication Backends:
AUTHENTICATION_BACKENDS = (
"users.social_auth.DEGSISOAuth2",
"users.social_auth.DEGSISPAOAuth2",
)
These backends inherit from built-in classes like GSISOAuth2 and GSISPAOAuth2. Naming is important because the backend names are used to construct settings variables.
For citizen login:
SOCIAL_AUTH_DE_GSIS_KEY = os.getenv("GSIS_KEY")
SOCIAL_AUTH_DE_GSIS_SECRET = os.getenv("GSIS_SECRET")
For public employee login:
SOCIAL_AUTH_DE_GSIS_PA_KEY = os.getenv("GSIS_KEY_PA")
SOCIAL_AUTH_DE_GSIS_PA_SECRET = os.getenv("GSIS_SECRET_PA")
URLs
To enable GSIS authentication via Social Auth in a Django project, you must add the appropriate URL configurations.
Required Imports and URL Patterns:
from django.urls import include, path
from social_django import views as social_django_views

urlpatterns = [
path("auth/", include("social_django.urls", namespace="social")),
path(
"authorize/",
social_django_views.complete,
kwargs={"backend": "de_gsis"},
name="authorize",
),
path(
"admin/authorize/",
social_django_views.complete,
kwargs={"backend": "de_gsis_pa"},
name="admin_authorize",
),
]
- authorize/ applies to citizens:
GSIS_REDIRECT_URL=https://delivery.dev.govcrms.apps.gov.gr/authorize/
- admin/authorize/ applies to public employees:
GSIS_REDIRECT_URL_PA=https://delivery.dev.govcrms.apps.gov.gr/admin/authorize/
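An added configuration check, not code from the page or the library, that ties together the two rules above: the backend name decides the SOCIAL_AUTH_<NAME>_KEY / _SECRET settings social-core looks up, and each backend's redirect URL must land on the matching urlpatterns route (authorize/ for de_gsis, admin/authorize/ for de_gsis_pa). The sample settings and URLs in the main block are constructed.

```python
# Added example, not the page's or social-auth-gsis's code: a configuration check tying the backend
# names in AUTHENTICATION_BACKENDS to the SOCIAL_AUTH_<NAME>_* settings and the redirect routes above.
from urllib.parse import urlparse

# Backend `name` -> path its redirect URL must end with (the two routes in urlpatterns above).
BACKEND_ROUTES = {"de_gsis": "/authorize/", "de_gsis_pa": "/admin/authorize/"}


def setting_names(backend_name: str) -> tuple:
    """social-core builds setting names from the backend's `name`: de_gsis -> SOCIAL_AUTH_DE_GSIS_KEY."""
    prefix = "SOCIAL_AUTH_" + backend_name.upper()
    return prefix + "_KEY", prefix + "_SECRET"


def check_backend(backend_name: str, settings: dict, redirect_url: str) -> list:
    """Return the problems found for one backend; an empty list means it is wired consistently."""
    problems = []
    for name in setting_names(backend_name):
        if not settings.get(name):
            problems.append(f"{name} is missing or empty")
    route = BACKEND_ROUTES.get(backend_name)
    if route is None:
        return problems + [f"no urlpatterns route registered for backend {backend_name!r}"]
    parsed = urlparse(redirect_url)
    if parsed.scheme != "https":
        problems.append(f"redirect URL for {backend_name} must use https, got {parsed.scheme!r}")
    if parsed.path != route:
        problems.append(f"redirect URL path {parsed.path!r} does not match route {route!r}")
    return problems


def check_all(settings: dict, redirect_urls: dict) -> dict:
    """Run check_backend for every registered backend; values are the problem lists."""
    return {b: check_backend(b, settings, redirect_urls.get(b, "")) for b in BACKEND_ROUTES}


if __name__ == "__main__":
    # Constructed sample: the citizen backend is complete; the PA backend lacks its secret and
    # points at the citizen route, so both problems are reported for it.
    sample_settings = {"SOCIAL_AUTH_DE_GSIS_KEY": "key", "SOCIAL_AUTH_DE_GSIS_SECRET": "secret",
                       "SOCIAL_AUTH_DE_GSIS_PA_KEY": "key-pa"}
    sample_redirects = {"de_gsis": "https://test.gov.gr/authorize/",
                        "de_gsis_pa": "https://test.gov.gr/authorize/"}
    for backend, problems in check_all(sample_settings, sample_redirects).items():
        print(backend, "OK" if not problems else problems)
```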
AZURE ENVIRONMENT
The social authentication process on Azure is similar to the localhost setup.
Notes:
- If someone attempts authentication with a user having vat_number=null and another such user already exists, it won't work. You must delete the first user, or remove the null value from the vat_number field and clean up the related record in the User social auths table.
- For Central and Organization Admins, after entering credentials manually, the user needs to update the URL like:
From: (not specified)
To: (not specified)
IMPLEMENTERS
Username: govuser1
Password: Govuser1!
ORGANIZATION ADMINS
Username: govuser2
Password: Govuser2!
CENTRAL ADMIN
Username: govuser3
Password: Govuser3!
Environment Variables (Must be set both locally and in Azure)
Implementer credentials
SOCIAL_AUTH_GSIS_TESTING_KEY=T2RMOJ24915
SOCIAL_AUTH_GSIS_TESTING_SECRET=4DB%z7YM9tGWSTz5pyHc
SOCIAL_AUTH_GSIS_REDIRECT_URL=https://crmrg02containerapp05-web.blackgrass-68d61443.westeurope.azurecontainerapps.io/authorize/
SOCIAL_AUTH_GSIS_LOGOUT_REDIRECT_URL=https://crmrg02containerapp05-web.blackgrass-68d61443.westeurope.azurecontainerapps.io
PA credentials as Organization Admin
SOCIAL_AUTH_GSIS_PA_TESTING_KEY=TT8UYR24914
SOCIAL_AUTH_GSIS_PA_TESTING_SECRET=&Vw@hQsKgGGFtDT6Qz*g
SOCIAL_AUTH_GSIS_PA_REDIRECT_URL=https://crmrg02containerapp05-web.blackgrass-68d61443.westeurope.azurecontainerapps.io/admin/authorize/
SOCIAL_AUTH_GSIS_PA_LOGOUT_REDIRECT_URL=https://crmrg02containerapp05-web.blackgrass-68d61443.westeurope.azurecontainerapps.io
PA credentials as Central Admin
SOCIAL_AUTH_GSIS_CA_TESTING_KEY=T00010263T01363SL7843LSZB7UU2EAT2ZM
SOCIAL_AUTH_GSIS_CA_TESTING_SECRET='T#xsN%8p0!UBNp^@cFgd'
SOCIAL_AUTH_GSIS_CA_REDIRECT_URL=https://crmrg02containerapp05-web.blackgrass-68d61443.westeurope.azurecontainerapps.io/admin/authorize/
SOCIAL_AUTH_GSIS_CA_LOGOUT_REDIRECT_URL=https://crmrg02containerapp05-web.blackgrass-68d61443.westeurope.azurecontainerapps.io
NEW UPDATE FOR SOCIAL AUTHENTICATION PROCEDURE
New environment variables (to be added if not already present in Azure or locally):
Implementer credentials
SOCIAL_AUTH_GSIS_TESTING_KEY=T2RMOJ24915
SOCIAL_AUTH_GSIS_TESTING_SECRET=4DB%z7YM9tGWSTz5pyHc
SOCIAL_AUTH_GSIS_REDIRECT_URL=https://crmrg02containerapp05-web.blackgrass-68d61443.westeurope.azurecontainerapps.io/authorize/
SOCIAL_AUTH_GSIS_LOGOUT_REDIRECT_URL=https://crmrg02containerapp05-web.blackgrass-68d61443.westeurope.azurecontainerapps.io
PA credentials
SOCIAL_AUTH_GSIS_PA_TESTING_KEY=TT8UYR24914
SOCIAL_AUTH_GSIS_PA_TESTING_SECRET=&Vw@hQsKgGGFtDT6Qz*g
SOCIAL_AUTH_GSIS_PA_REDIRECT_URL=https://crmrg02containerapp05-web.blackgrass-68d61443.westeurope.azurecontainerapps.io/admin/authorize/
SOCIAL_AUTH_GSIS_PA_LOGOUT_REDIRECT_URL=https://crmrg02containerapp05-web.blackgrass-68d61443.westeurope.azurecontainerapps.io
New Credentials for PA (Public Administration) Login
Credentials for govuser2 and govuser3 should no longer be used for social authentication.
Example: Ministry of Finance
User Manager credentials for one-time setup (used once to set up PA users and roles):
Username: YpoikUser023773540
AFM: 023773540
Password: Password1!
Organization Admins:
YpoikUser024199363 / 024199363 / Password1!
YpoikUser024280720 / 024280720 / Password1!
Central Admins:
YpoikUser024557797 / 024557797 / Password1!
YpoikUser300051600 / 300051600 / Password1!
