I was wondering what is the best way to authenticate a Google Apps user in an internal web application?
I do not need to access their data like the two-legged authorization seam to do.
I just want a user to use an internal application using their Google Apps credential.
You can use Google Apps as an OpenID provider and the hosted accounts for identity by using OpenID API. This is also known as federated login. Your internal application then becomes an OpenID relying party.
You need to first enable OpenID from your Google Apps control panel -
http://www.google.com/a/cpanel/your-domain/SetupIdp
More details here -
http://code.google.com/googleapps/domain/sso/openid_reference_implementation.html
Related
I am trying to be sure that I understand it correctly:
Is OAuth a bridge for only third party authenticator those so common like Facebook, Google? And using it improves user experience in secure way but not adding extra secure layer to Django login framework? Or only Authorization Code grant type is like that? Can I take it like this?
What is OAuth?
According to RFC 6749:
The OAuth 2.0 authorization framework enables a third-party
application to obtain limited access to an HTTP service, either on
behalf of a resource owner by orchestrating an approval interaction
between the resource owner and the HTTP service, or by allowing the
third-party application to obtain access on its own behalf.
Essentially, it is an authorization protocol used to share permissions between multiple applications.
If you decide to implement OAuth, your application will be the one to allow other services to programmatically view your users' data and act on their behalf, if needed.
Whenever an application requires access to another service that you use, it probably uses OAuth to perform those actions. (e.g. When games used to ask us to allow posting on Facebook on our behalf.)
What OAuth is not?
By looking at your question, I feel like there's a misunderstanding of OAuth.
OAuth is not a bridge for third-party authentication methods. If you are looking for this type of authentication mechanism, you should take a look into Single Sign-On (SSO). For Django, you can use django-simple-sso.
Does it enhance security?
Depending on the use case, yes, it can enhance security.
If your application needs to exchange information with other services, it is a good practice to limit what these third-party services are able to do in your app, feature and time-wise.
Let's say, for example, that your user needs to give permission to another application to gather information from yours:
If you were to use the old-fashioned e-mail and password combination method, these credentials would be exposed in case of this third-party service had a data breach.
Using OAuth on the other hand is much more secure, as the credentials stored in the server would not contain the user's password and have very specific roles, apart from being easily revoked.
If you have a Django app I would say that you don't have to implement OAuth - you should be fine with any login functionality Django offers.
OAuth is commonly used when different services talk to each other. These don't have to be third-party services, they can belong to the same party. For example, when you have a Single Page Application or a Mobile App that want to call your backend API to get some data. Then it's better to use OAuth as it is a standard and it helps you to implement authorization in a secure way.
When you think about "login with Google/Facebook", what you actually want is an SSO solution (Single Sign-On). That solution is very often implemented with OpenID Connect (OIDC), which is a protocol built on top of OAuth. Still, you can use just OIDC to log a user in with Google, get an ID Token, and then be able to authenticate the user to your Django app based on the ID Token from Google. You don't need OAuth for that (in the sense, that you don't need to get access tokens from Google, you don't need your own Authorization Server, and you can rely on cookie-based sessions).
Is it possible to control access to a request handler entirely or some parts therein based on what GSuite for Education/Business group a user belongs to?
It is possible to have code check the GSuite group membership using the Directory API from the Google Apps Admin SDK. You'd probably be interested in one of:
retrieve all groups for a member
retrieve a group's member (if just one or a few groups are to be checked).
You'll need to
Enable the API access in the G Suite Admin console:
G Suite administrators have access to the Admin SDK–a collection
of Application Programming Interfaces (APIs). With these APIs, you can
build customized administrative tools for your G Suite products.
Before you can use the Admin SDK, you need to enable API access in the
Google Admin console.
You must be signed in as a super administrator for this task.
Enable API access
To verify that API access is enabled:
Sign in to your Google Admin console.
Sign in using an administrator account, not your current account some_user#gmail.com.
From the Admin console dashboard, go to Security > API reference.
To see Security on the dashboard, you might have to click More controls at the bottom.
Make sure the Enable API access box is checked.
At the bottom, click Save.
enable the Admin SDK API from the Google Apps APIs group in for your GAE app's API Manager page
install the Google API Client Library in your GAE app (if not already done)
address authentication, posibly using your GAE app's service account. See Google API Client Libraries Authentication Overview. And maybe related App Engine OAuth2.0 authorized cron job to analyze Google Sheet.
(if you want to) restrict app access to only your GSuite domain, see Restrict App Engine access to G Suite accounts on custom domain
code your access control logic using the directory api to obtain group membership info
Is there a way to write the logic for both backend and frontend?
In my current flow, We are using Django rest-framework login, now we need to integrate OpenID connect SSO in our project so guide me how we can integrate OpenID connect SSO with Django-rest framework.
Is there a GitHub example?
I am looking for a sample code.
We can use the implicit flow, I added an example of how to use OIDC with a client-side app.
Front end get access token: http://django-oidc-provider.readthedocs.io/en/develop/sections/examples.html#pure-js-client-using-implicit-flow
You also have to validate ID_TOKEN's in backend:
https://openid.net/specs/openid-connect-implicit-1_0.html#IDTokenValidation
Sample code: https://github.com/ranvijay-sachan/django-rest-login-and-social_auth
I have tested with Google open id connect for any SSO provider you can add below code using python social auth:
how can we integrate any SSO provider using python social auth openid connect?
Here it has user angualr Js with django-rest-framework-jwt
https://github.com/rmemon/Angular-JS-django-rest-framework-jwt
How does one authenticate to a ProtoRPC service?
It seems like a web services infrastructure, but designed for non-browser clients, so how do we authenticate the service's end user?
Thanks!
First of all, ProtoRPC can be used by browser clients, usually through AJAX requests.
Now for authentication on App Engine, there are a few possibilities:
You can use the built in user authentication app engine provides
You can build an authentication mechanism of your own
For the first one there is the regular Google accounts API, openID and OAuth.
If you have users with google accounts, and you don't need to perform actions on user's behalf (which is what OAuth is for), then you can use the regular google authentication.
This requires the client to have a google cookie. If the user is on browser, he can login to google and then he can access your app. If the user is on a mobile client, then for android there is the AccountManager API which gets you a Google token which the client uses to get an App Engine cookie, as explained here http://blog.notdot.net/2010/05/Authenticating-against-App-Engine-from-an-Android-app
I'm not sure if iOS has something similar to AccountManager. If the OS doesn't have the user's credentials then AFAIK you might have to go through some sort of browser authentication.
Appengine supports federated login in which arbitrary OpenID providers can be added to the list of parties who can authenticate a user. However, some organizations - notably facebook - don't support OpenID. How is it possible to combine the OpenID support provided with GAE with mechanisms that can support OAuth or other login mechanisms?
More details (GAE Python assumed)...
My understanding of the way the OpenID mechanism is intended to work is as follows:
I choose Federated Login from my app's configuration options
This allows me to easily add OpenID providers through the
create_login_url mechanism
There is some Google session management used to track the authenticated
user
I control access to resources using login: required in my
app.yaml
The session management will check if the user is authenticated
before allowing access to these resources
The issue that I have is that I can't see how this approach fits with facebook's OAuth - if the resources are access controlled by Google (per app.yaml), where is it possible to insert facebook authentication?
Notes:
I know that OpenID and OAuth are different - I am only interested in using facebook for authentication right now
I'm sure there are quite a few different ways to deal with this - I'm just wondering if there is some standard approach/best practice
I've done a little bit of digging on this and my conclusion is that it is not possible to integrate the standard Appengine authentication mechanisms (ie those provided 'for free' with Appengine) with facebook's OAuth. More specifically, the app.yaml login controls can only relate to Google's standard mechanisms and there is no way to extend them to incorporate facebook OAuth. The reason for this is that Google's standard mechanisms control the sessions and there is no mechanism to add new session controls which are recognized by the app.yaml login controls.
It is, of course, possible to integrate Google Accounts and other login mechanisms with facebook's OAuth on Appengine, but to do this you need to replicate some of the functionality that Google provide in their standard authentication mechanisms (session mgmt specifically).
I've put up a more general question comparing the different social authentication options possible with Appengine as I think it's interesting/useful, but slightly out of scope in this question: it's here
You could have a look at the Tipfy framework which has a Facebook authentication extension that would allow your users to use their Facebook login to authenticate.