All I wanted to do is to implement Single Sign-On for users with Google Apps on a custom domain. E.g. startup.com has configured their domain by purchasing Google Apps for Business for their domain. They have Gmail addresses configured as users@startup.com.
I have a django app.
Now, in case I want to implement SSO for a custom Google Apps domain, I have a couple of options:
1. Hybrid OpenID + OAuth + SSO
2. Custom OAuth + SSO
The documentation for 1. is quite ample and they have shown it.
How about going the 2nd way, since I just wanted to log the users in with their email IDs? I could do it with OAuth as well. How good is it to implement SSO + OAuth together?
Are there any good libraries that help me do it?
This takes care of what you are looking for: https://github.com/simul14/django-googleappsauth
Take a look at django-social-auth; it allows you to use both OpenID and OAuth with Google, which should help with your issue.
I am trying to be sure that I understand it correctly:
Is OAuth a bridge only for third-party authenticators, such as the common ones like Facebook and Google? And does using it improve the user experience in a secure way without adding an extra security layer to the Django login framework? Or is only the Authorization Code grant type like that? Can I take it like this?
What is OAuth?
According to RFC 6749:
The OAuth 2.0 authorization framework enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf.
Essentially, it is an authorization protocol used to share permissions between multiple applications.
If you decide to implement OAuth, your application will be the one to allow other services to programmatically view your users' data and act on their behalf, if needed.
Whenever an application requires access to another service that you use, it probably uses OAuth to perform those actions. (e.g. When games used to ask us to allow posting on Facebook on our behalf.)
What OAuth is not
By looking at your question, I feel like there's a misunderstanding of OAuth.
OAuth is not a bridge for third-party authentication methods. If you are looking for this type of authentication mechanism, you should take a look into Single Sign-On (SSO). For Django, you can use django-simple-sso.
Does it enhance security?
Depending on the use case, yes, it can enhance security.
If your application needs to exchange information with other services, it is a good practice to limit what these third-party services are able to do in your app, feature and time-wise.
Let's say, for example, that your user needs to give permission to another application to gather information from yours:
If you were to use the old-fashioned e-mail and password combination method, these credentials would be exposed in case this third-party service had a data breach.
Using OAuth, on the other hand, is much more secure, as the credentials stored on the server would not contain the user's password and would have very specific roles, apart from being easily revocable.
If you have a Django app I would say that you don't have to implement OAuth - you should be fine with any login functionality Django offers.
OAuth is commonly used when different services talk to each other. These don't have to be third-party services; they can belong to the same party. For example, when you have a Single Page Application or a Mobile App that wants to call your backend API to get some data. Then it's better to use OAuth, as it is a standard and it helps you to implement authorization in a secure way.
When you think about "login with Google/Facebook", what you actually want is an SSO solution (Single Sign-On). That solution is very often implemented with OpenID Connect (OIDC), which is a protocol built on top of OAuth. Still, you can use just OIDC to log a user in with Google, get an ID Token, and then be able to authenticate the user to your Django app based on the ID Token from Google. You don't need OAuth for that (in the sense, that you don't need to get access tokens from Google, you don't need your own Authorization Server, and you can rely on cookie-based sessions).
I am using Python on the Google App Engine. I have gotten sign-in with google to work to generate an OAuth token. Then, I can use that token to access the user's profile from datastore, but I can't seem to find anything on how to sign in with a username and password to generate an OAuth token. Is there a way to do this?
It looks like your question is 'How do I use my own username and password scheme to generate an OAuth token'. The short answer is that you can't, because Google OAuth only works with Google logins. The Google OAuth token is good for Google APIs, and there's no way to tell Google how to recognize your usernames for the purposes of authentication.
The longer answer is that you can use your own authentication scheme separately from Google sign-in if you want to give users that option. You could use any number of third-party libraries to do this or roll your own. These users won't have access to Google's APIs that require authentication though (such as the Users API), so you'll have to devise a way to keep those users' data separate from each other, and use a service account or application default credentials to access any external Google APIs on behalf of those users.
This kind of question does seem to pop up sporadically on Stack Overflow which may provide some other suggestions for how to implement this.
I'm trying to implement a secure Google Cloud Endpoint in Python for multiple clients (JS / iOS / Android).
I want my users to be able to log in by three ways: loginForm / Google / Facebook.
I read a lot of documentation about that, but I didn't really understand how I have to handle the connection flow and session (or something else) to keep my users logged in.
I'm also looking for a way to debug my endpoint by displaying objects like Request, for example.
If someone knows a good tutorial talking about that, it will be very helpful.
thank you
For request details, add 'HttpServletRequest' (java) to your API function parameter.
For Google authentication, add 'User' (java) to your API function parameter and integrate with Google login on client.
For twitter integration, use Google app-engine OpenID.
For facebook/loginForm, it's all on you to develop a custom auth.
Appengine supports federated login in which arbitrary OpenID providers can be added to the list of parties who can authenticate a user. However, some organizations - notably facebook - don't support OpenID. How is it possible to combine the OpenID support provided with GAE with mechanisms that can support OAuth or other login mechanisms?
More details (GAE Python assumed)...
My understanding of the way the OpenID mechanism is intended to work is as follows:
- I choose Federated Login from my app's configuration options
- This allows me to easily add OpenID providers through the create_login_url mechanism
- There is some Google session management used to track the authenticated user
- I control access to resources using login: required in my app.yaml
- The session management will check if the user is authenticated before allowing access to these resources
The issue that I have is that I can't see how this approach fits with facebook's OAuth - if the resources are access controlled by Google (per app.yaml), where is it possible to insert facebook authentication?
Notes:
I know that OpenID and OAuth are different - I am only interested in using facebook for authentication right now
I'm sure there are quite a few different ways to deal with this - I'm just wondering if there is some standard approach/best practice
I've done a little bit of digging on this and my conclusion is that it is not possible to integrate the standard Appengine authentication mechanisms (i.e. those provided 'for free' with Appengine) with facebook's OAuth. More specifically, the app.yaml login controls can only relate to Google's standard mechanisms and there is no way to extend them to incorporate facebook OAuth. The reason for this is that Google's standard mechanisms control the sessions and there is no mechanism to add new session controls which are recognized by the app.yaml login controls.
It is, of course, possible to integrate Google Accounts and other login mechanisms with facebook's OAuth on Appengine, but to do this you need to replicate some of the functionality that Google provide in their standard authentication mechanisms (session mgmt specifically).
I've put up a more general question comparing the different social authentication options possible with Appengine as I think it's interesting/useful, but slightly out of scope in this question: it's here
You could have a look at the Tipfy framework which has a Facebook authentication extension that would allow your users to use their Facebook login to authenticate.
I've got an app currently running on Google App Engine that takes advantage of the close integration with Google Accounts to the extent that it was the only way users would sign in. The sign-in process was this:
User would click sign-in w/ Google Account link, which would just be the output of `users.create_login_url()`
User would sign-in on Google-themed page.
User would be signed-in
Now I'm moving away from App Engine to a host with vanilla Django. I'd like to replicate that login process as much as possible, I guess using OpenID (or OAuth? I'm not sure). I'm not sure exactly how to do so, though. Would I use Django's auth APIs and just use the user's Google Account data to sign them in?
I've followed the instructions here, and now have functional little demo where I get the user's Google Account address. But that really doesn't help me much.
Anyone have experience with this, or have an idea of how one would accomplish this?
Since you can't use the App Engine API to do so (and you probably don't want to write this OpenID auth system yourself), you'd better make use of a Django app to do so. Have a look at Django Packages. I personally have good experience with django-socialregistration, though they provide Facebook/Twitter auth as well. There are also OpenID-only packages available.