I am just learning python and django and I put up a pretty decent website to manage a database and also a search page. The new requirement that I am a bit confused now is that the authentication should be done through an external provider (unknown yet, but probably LDAP or Kerberos Tickets).
My idea was to authenticate the users through this service and if successful add the user to my django created database with syncdb (where I have permissions and groups) and then bypass this user as authenticated to enable them to perform actions in the site.
Does that sound reasonable? Is there an 'accepted' approach to this kind of authentication? I am not sure if I will have to write my own authentication view.
Thanks.
Django has support for hooking up other authentication backends.
I believe that you will have to write your own authentication backend or use a third party backend if you are authenticating through some common interface such as LDAP.
The docs explain how to write an authentication backend here: https://docs.djangoproject.com/en/1.5/topics/auth/customizing/
If you plan on using LDAP, I suggest that you take a look at django-auth-ldap (https://pypi.python.org/pypi/django-auth-ldap).
This sounds quite reasonable. There are several ways to achieve this: use a third party library like django-social-auth which handles using third party applications to authenticate users via the Django user model. The other way to do this is to write your own custom backend that uses OAuth2 protocol to authenticate users via a third party application (e.g. Twitter) and saves/authorizes them as a Django user for your application. This might sound difficult but it's quite easy. I wrote an example Django application to demonstrate this functionality as well as provide a tutorial for custom backend authentication. This app/tutorial uses Django 1.5: djangoauth.thecloutenproject.com/
Related
I am trying to be sure that I understand it correctly:
Is OAuth a bridge for only third party authenticator those so common like Facebook, Google? And using it improves user experience in secure way but not adding extra secure layer to Django login framework? Or only Authorization Code grant type is like that? Can I take it like this?
What is OAuth?
According to RFC 6749:
The OAuth 2.0 authorization framework enables a third-party
application to obtain limited access to an HTTP service, either on
behalf of a resource owner by orchestrating an approval interaction
between the resource owner and the HTTP service, or by allowing the
third-party application to obtain access on its own behalf.
Essentially, it is an authorization protocol used to share permissions between multiple applications.
If you decide to implement OAuth, your application will be the one to allow other services to programmatically view your users' data and act on their behalf, if needed.
Whenever an application requires access to another service that you use, it probably uses OAuth to perform those actions. (e.g. When games used to ask us to allow posting on Facebook on our behalf.)
What OAuth is not?
By looking at your question, I feel like there's a misunderstanding of OAuth.
OAuth is not a bridge for third-party authentication methods. If you are looking for this type of authentication mechanism, you should take a look into Single Sign-On (SSO). For Django, you can use django-simple-sso.
Does it enhance security?
Depending on the use case, yes, it can enhance security.
If your application needs to exchange information with other services, it is a good practice to limit what these third-party services are able to do in your app, feature and time-wise.
Let's say, for example, that your user needs to give permission to another application to gather information from yours:
If you were to use the old-fashioned e-mail and password combination method, these credentials would be exposed in case of this third-party service had a data breach.
Using OAuth on the other hand is much more secure, as the credentials stored in the server would not contain the user's password and have very specific roles, apart from being easily revoked.
If you have a Django app I would say that you don't have to implement OAuth - you should be fine with any login functionality Django offers.
OAuth is commonly used when different services talk to each other. These don't have to be third-party services, they can belong to the same party. For example, when you have a Single Page Application or a Mobile App that want to call your backend API to get some data. Then it's better to use OAuth as it is a standard and it helps you to implement authorization in a secure way.
When you think about "login with Google/Facebook", what you actually want is an SSO solution (Single Sign-On). That solution is very often implemented with OpenID Connect (OIDC), which is a protocol built on top of OAuth. Still, you can use just OIDC to log a user in with Google, get an ID Token, and then be able to authenticate the user to your Django app based on the ID Token from Google. You don't need OAuth for that (in the sense, that you don't need to get access tokens from Google, you don't need your own Authorization Server, and you can rely on cookie-based sessions).
I created a bunch of RESTful API using Python, Flask and mongodb, mostly GET and POST.
I am planning to use this API in my mobile app, also to one of two trusted developers in the android applications they make.
I would like to know what's the possible & easiest way to secure the API to only the applications I authorize.
I don't want to use login or password. Is there any way i can authenticate using headers securely? or is there any alternative ?
Thanks in advance.
I think especially for a scalable use I would use Flask-Restless together with Flask-JWT token authentication with token.
Here is a pretty nice example > https://github.com/graup/flask-restless-security
I am not sure I understand how you planning to authenticate without any user, or you just trying to lock app to use specific domain only?
I have an iOS app that uses an API powered by Django REST framework to store, update, fetch data from a database. I need to provide the two more following functionalities which stores the user data at the server:
Login with Email
Login with Facebook
There appears to be two different authentication systems that I can use:
Django User Authentication System
Django Rest Framework Authentication
How should I handle this in my API?
When you are using Django REST framework with iOS, unless you are using a browser, the standard Django authentication system is out of the question. This is exposed through the DRF authentication system as SessionAuthentication and it relies on your application being able to transfer cookies and the CSRF token with the request, which typically isn't possible.
In most situations where you are using the Django authentication system already, and you can trust your app storing passwords, you would use something like BasicAuthentiction. Most people can't though, or they don't trust their application ecosystem, so they use a token-based authentication system like TokenAuthentication or OAuth2Authorization (in combination with an OAuth provider). You can read more about each authentication type in this answer on Stack Overflow.
But in your situation, you are basically restricted to just using something like OAuth 2. This is because you need to associate a user with a token, and most authentication systems require you to provide a username and password. For social accounts, this usually isn't the case, and they would not normally be able to log in. OAuth 2 works in combination with the standard Django login, so you are not restricted to just a username and password. I've written more about how this works in this detailed Stack Overflow answer.
I am developing an Android application with a GAE backend, for sessions etc.
I want to use Google Cloud Endpoint and develop an API with custom authentication user model. I dont want to use the google's oauth. I want to implement a simple email/pass user authentication model with a session based token. I have no experience on GAE whatsoever. I have worked in python and it's frameworks(django, flask, etc).
I have looked for a sample project of this kind for past week(with no luck).
Can someone please provide me with sample code/resource on how to implement such an endpoint with session management and csrf protection along with ssl?
Ps: If you think cloud endpoints is not a good approach for my application(server backend) then please direct me to a source that may aid me in creating my own RESTful api with JSON encoding + crsf-protection and session management.
I have already seen the following but none of them have a detailed solution:
Custom Authentication for Google Cloud Endpoints (instead of OAuth2)
Google App Engine: Endpoints authentication when custom auth or Open ID is used
AppEngine Cloud Endpoints and custom Users service
You're in for a ride. It's not a simple process, but I've managed to do just what you're looking for--albeit in a slightly hackish way.
First, there's a boilerplate project for GAE (in Python) that implements a custom email/pwd login system using webapp2's extras: http://appengine.beecoss.com/
It follows the guidelines for setting up custom authentication detailed in this blog post: http://blog.abahgat.com/2013/01/07/user-authentication-with-webapp2-on-google-app-engine/
This project will set things up so that your user will start a session upon login. Now, in order to access the user information on this session in your endpoints, you'll follow the instructions to that first StackOverflow link you posted.
The key, after following the previous steps, is to match the session key in your endpoints to the session key in the config file of the boilerplate code. Then, you'll be able to get which user made the request and follow through with the endpoint call if they're validated:
self.get_user_from_cookie()
if not self.user:
raise endpoints.UnauthorizedException('Invalid token.')
It is incredibly ridiculous that this is how it works for custom authentication, so if you're used to Django and would like to implement your app that way, DO IT. It was "too late to turn back now" for me, and I despise Google for only documenting authentication schemes that work for Google account holders only.
OP, just use Django on GAE and save yourself the frustration. I'm sure there's plenty of quick integration with mobile apps that the Django community can provide.
No one wants to force their app users to have Google accounts in order to log in, Google. Stop it.
In my application, users sign in/sign out via openid ( same as stackoverflow ).
I would like to open up my application a bit via oauth to third party applications.
How do I create my app which is openid-consumer to make it oauth-provider?
Is there some standard library etc out there? I am basically working in app engine and python.
edit :
Maybe I did not clearly state my problem. I am using OpenID for authentication. So I do not have user passwords, just their unique federated Identity. My application needs to use third party application. I.e. kind of application that runs inside orkut and facebook. (Do you think opensocial is a a viable option instead of OAuth??)
OAuth python libraries are listed on this page:
http://oauth.net/code/
OAth and OpenID are had native support by app engine sinve 1.3.4. So you can implement transparent and solid authorization/authentication mechanism.