I want to redirect a user from my Django application to another web application. Only permitted users can be allowed access to visit the other web application, this permission is set in the Django User model. I want that other web application to verify whether the visited user has permission by querying the Django application using API endpoint.
But the other web application no longer has the request.user parameter or other way to authenticate the user based on Django User model (don't wan't him to login again). Is there any way like setting a cross-domain session cookie or something, i can achieve it?
I did that recently.
You don't even need the second app to retrieve the users, you can create those users on the fly!
On the first app, have them click a url that will do a very special GET request to the other app.
The GET request will encode a few variables with hmac. Name, emails, or any other values you need using a particular SECRET_KEY that both server will share.
In the second app, you can decode that request with the same SECRET_KEY and log in your user.
See : https://docs.python.org/3/library/hmac.html
Related
We developed web apps in django framework. We have an enterprise Identity Provider which is PingFederate. The main home page (which is different from our site) from chrome browser and edge browser directly recognizes the user and logs them in all the internal websites. We are also on the same network share same domain. We also want to integrate SSO and want to authenticate our users directly with asking password. I researched every where and got to know the authentication is happening by kerbose authentication. Somehow the edge or chrome is sending some token or id or some TGT ticket to the Identity Provider then they will authenticate and send the username back to the client browser. Can any one please help me how to solve this.
Thanks in advance.
I solved this problem and wrote an article about it. Please feel free to see that article.
https://medium.com/#manishkumar.bobbili3/how-i-integrated-ping-identity-with-django-web-framework-for-single-sign-on-sso-9be21b953bc5
It sounds like you want to integrate with the PingFederate solution to use it as the identity provider and allow the users of your web apps to login through SSO. If that is the case, you would need to work with whoever responsible for PingFedereate if it is another team.
Checklist with the PingFederate Admin
You would need to know if you need to choose the directory will be used to log the users in.
Which user attributes you would need to get back in the SAML response.
Will you sign the SAML request using your app or not.
Will you start the SSO cycle from your app, which I believe you would, and you will be using SP initiated in this case.
Otherwise, it will be the other way around and will be using IDP Initiated.
SP Initiated - User will call the app URL first and then redirected
to Ping URL and be sent back to the app.
IDP Initiated - User will call PingFederate URL and will be sent to the app after authentication.
I will list the steps in here in case it is your team who is also responsible for PingFederate solution:
Changes in PingFederate as SP (service provider) connection
Create a new IDP (Identity Provider) Adapter for the login page if needed.
IDP adapter will be using a Password Credential Validator to do the authentication and also has the configuration for which HTML pages to present to the user.
Create the SP connection in Ping with the stuff in the check list.
The connection here will use the adapter in the step above to present the login page
Then check the user credentials and establish the SSO session if successful.
Assemble the SAML response with all the required attributes.
Sign the response and send it to the application endpoint configured inside the connection.
Changes in the web app as the service provider for the user
The application will need to send the SAML request to the endpoint of the new connection in Ping.
Wait for the response on the dedicated endpoint.
Verify the SAML response signature using the PingFederate server's public key.
Create the local app session and move on.
If you will be using OpenToken, this will change to have another interaction of Adapter-to-Adapter. Just reply with that if this is the case.
I have several apps that connect to a central OAuth2 server (this is the only login method). When a user hits Log out, I want him to be logged out of all the apps and the OAuth server.
All the apps are Django at the moment but that might change, so I'm looking for the most cross-framework way to do it. I must also keep in mind that all the apps might handle sessions differently (some server-side, some client-side).
All logouts must be handled by POST requests as the good practice recommends.
The strategy I have in mind:
On the app, the user clicks on Log out
This Log out link points towards the logout page on the OAuth server, on which a POST request to /logout is issued immediately (or after a countdown).
The session is killed on the OAuth server and the user is logged out of it.
A ?next=... parameter redirects the user back to app A.
The app pulls the user status from OAuth server (server- or client-side) : if logged out from the OAuth server, then logout from the app also.
New apps would just have to implement this pulling mecanism along with the logout link pointing towards the OAuth server logout page, so there's nothing to configure in the OAuth server for new apps.
Do I miss something?
you may want to follow this draft, https://openid.net/specs/openid-connect-session-1_0.html
I'm working on a Django application with users through Django's auth, on the other side there is an Oauth2.0 server that already has all users and their permissions registered. My goal now is to integrate the Django app with the Oauth2.0 server so we won't have to administrate the users ourselves. This would make it so the when the users want to log into our app they are redirected to the Oauth2.0 login site and then redirected to the home of our app once they login successfully.
I think I understand how Oauth2.0 works but I have a couple of questions I couldn't find anywhere else.
Is the scenario I'm describing possible? As in the users would no longer have to be registered in our app and a 3rd party Auth server would provide access to our app or not.
Once I get the access token after the user login where is it safe to keep the access token? I was thinking I could save to AT as a session variable so as to keep the end user's session linked to his account which is external to our Django app.
Every time the user makes a request I would check the AT I'm keeping, if the verification is OK our app responds with the view, otherwise the user is redirected to the login. Is this flow correct or am I not understanding how this integration would work?
What would happen in the case the user is given more permissions but I hold an old token? How do I handle these cases?
I would suggest using a third-party application, like django-allauth. You can simply disable creating local accounts, and enable a single custom social provider that interacts with your OAuth2.0 authorization server.
As noted here, the process of creating your own custom OAuth provider isn't documented, but shouldn't be too difficult.
Once I get the access token after the user login where is it safe to keep the access token?
Allauth will store the access token in the database. If you want to put it in the session too, you can, but there's no point unless you want the client to make requests to the resource server directly.
Every time the user makes a request I would check the AT I'm keeping, if the verification is OK our app responds with the view, otherwise the user is redirected to the login. Is this flow correct or am I not understanding how this integration would work?
That's fine. If your authorization server has no way to invalidate issued access tokens, though, you can just assume that the access token is good up until the expiration date.
What would happen in the case the user is given more permissions but I hold an old token? How do I handle these cases?
Just use the access token normally. If the resource server indicates that it's invalid, prompt the user to log in again. You will get a new access token for that user that reflects their current permissions.
I have a Django and django rest framework project where I want a mobile to be able to request a token and then use that token for x minutes before they're disconnected. I do not want to create a user for each mobile device, I just want a one time password.
I tried using the auth system built into drf, however it required a user.
So I was thinking about just using the onetimepass package to generate a one time token.
You can create a view that generates a time-based OTP and then use it in a custom auth module to authenticate against a single user. You can also use JWT with an expiry time to authenticate against a single user.
I have an existing, working Django application that implements numerous Django-REST-framework APIs.
I've just added user authentication with Django-rest-framework-JWT and now I'm trying to learn it up. I have verified that it does issue me a token if I do the following curl:
curl -X POST -d "username=myuser&password=mypassword" http://localhost:3050/api-token-auth/
But I have a series of questions that I don't see being addressed in the documents. Please answer the following questions:
How do I invalidate the token using curl? I need to do so when the user logs out.
Where are these tokens stored in the DB? After implementing django-rest-framework-jwt, I don't see any new tables in my Django Admin interface
I would like to allow my users to login with their usernames or their emails. So I would like to wrap the api-token-auth endpoint in a custom endpoint that checks if the given string is an email or username. If email, I will lookup the username. Then call the api-token-auth. How should that endpoint look? I don't know how to wrap this api-token-auth method.
When using JWT for authentication you'd usually store the token in the browser's localstorage or sessionstorage. To logout you just remove the token. There's nothing else to invalidate.
One of the benefits of using this kind of approach for authentication is that tokens are not persisted in the database, so you don't have to query a session store for anything when authenticating.
This should be possible with a custom Django Authentication Backend as well.