I'm building my startup and I'm thinking ahead for shared use of services.
So far I want to allow people who have a user account on one app to be able to use the same user account on another app. This means I will have to build an authentication server.
I would like some opinions on how to allow an app to talk to the authentication server. Should I use curl? Should I use Python's http libs? All the code will be in Python.
All it's going to do is ask the authentication server if the person is allowed to use that app and the auth server will return a JSON user object. All authorization (roles and resources) will be app independent, so this app will not have to handle that.
Sorry if this seems a bit newbish; this is the first time I have separated authentication from the actual application.
Assuming you plan to write your own auth client code, it isn't event-driven, and you don't need to validate an https certificate, I would suggest using python's built-in urllib2 to call the auth server. This will minimize dependencies, which ought to make deployment and upgrades easier.
That being said, there are more than a few existing auth-related protocols and libraries in the world, some of which might save you some time and security worries over writing code from scratch. For example, if you make your auth server speak OpenID, many off-the-self applications and servers (including Apache) will have auth client plugins already made for you.
Your question isn't really a programming problem so much as it is an architecture problem. What I would recommend for your specific situation is to setup an LDAP server for authentication, authorization, and accounting (AAA). Then have your applications use that (every language has modules and libraries for LDAP). It is a reliable, secure, proven, and well-known way of handling such things.
Even if you strictly want to enforce HTTP-based authentication it is easy enough to slap an authentication server in front of your LDAP and call it a day. There's even existing code to do just that so you won't have to re-invent the wheel.
There is also CAS that you might wont to look at,
Related
I'm currently working on a University project that needs to be implemented with a Client - Server model.
I had experiences in the past where I was managing the communication at socket level and that really sucked.
I was wondering if someone could suggest an easy to use python framework that I can use for that purpose.
I don't know what kind of details you may need to answer so I'm just going to describe the project briefly.
Communication should happen over HTTP, possibly HTTPS.
The server does not need to send data back or invoke methods on the clients, it just collects data
Many clients send data concurrently to server, who needs to distinguish the sender, process the data accordingly and put the result in a database.
You can use something like Flask or Django. Both frameworks are fairly easy to implement, Flask is much easier than Django IMO, although Django has a built in authentication layer that you can use, albeit more difficult to implement in a client/server scenario like you need.
I would personally use Flask and JWT (JSON Web Tokens), which will allow you to give a token to each client for authentication with the server, which will also let you differentiate between clients, and you can use HTTPS for your SSL/TLS requirement. It is tons easier to implement this, and although I like django better for what it brings to the table, it is probably overkill to have you learn it for a single assignment.
For Flask with SSL, here is a quick rundown of that.
For JWT with Flask, here is that.
You can use any database system you would like.
If I understood you correctly you can use any web framework in python. For instance, you can use Flask (I use it and I like it). Django is also a popular choice among the python web frameworks. However, you shouldn't be limited to only these two. There are plenty of them out there. Just google for them.
The implementation of the client depends on what kind of communication there will be between the clients and the server - I don't have enough details here. I only know it's unidirectional.
The client can be a browser accessing you web application written in Flask where users send only POST requests to the server. However, even here the communication will bidirectional (the clients need to open the page which means the server sends requests back to the client) and it violates your initial requirement.
Then it can be a specific client written in python sending some particular requests to your server over http/https. For instance, your client can use a requests package to send HTTP requests.
I'm trying to figure out how to build a TCP proxy on GAE (Google App Engine). I would ordinarily do it using twisted networking engine but GAE doesn't allow frameworks. I'm also pretty new to internet and networking technologies in general.
Basically I have a proxy server and I'd like to use GAE as a TCP proxy to relay everything to the primary proxy server. All the GAE front ends are connected to the back end by google fiber, so if I make the back end near the primary proxy server, it should make it super fast regardless of where I'm connecting from.
Unfortunately GAE doesn't allow me to control ports at all and everything that I'm reading either tells me how to configure a TCP proxy on a server that I'm in complete control of or how to configure a proxy where I type the url into a webpage in the browser. Something along the lines of making a personal http://www.hidemyass.com/proxy/ type of website.
I'd like to set it up so I can simply tell chrome to ignore certificate errors (it connects to a dynamic IP using HTTPS so there's no way to sign it but I trust myself) and put the proxy info into chrome.
Edit: I'd prefer to write it in python but I can do any language
Thanks in advance
P.S. Please don't give answers like just use GoAgent or tor or something. They don't fulfill my purpose.
If you're simply trying to proxy HTTP requests like GoAgent does then have a look at the URLFetch documentation for Google App Engine.
URL Fetch Python API Overview
If you're trying to proxy anything else, then Daniel is correct.
This isn't the sort of thing you can use GAE for.
I don't know where you got the idea that GAE "doesn't allow frameworks". Of course it does, anything that speaks WSGI (eg Django, Flask, Pylons) is fine. But GAE is a web platform: it's not an appropriate place to try and write any sort of bare-metal networking platform. Apart from anything else, bandwidth on GAE is fairly expensive.
And also I don't know where you think the GAE "front ends" are, as opposed to the "back ends". GAE is not split that way, AFAIK.
I don't really understand what exactly you are trying to do, but it sounds like a content delivery network (CDN) like Akamai might be more appropriate.
I have been reading at multiple places and it is suggested that the Web Servers should be Stateles with share nothing architecture. This helps them scale better.
That means each request has all the information needed to process the request.
This becomes tricky when you have REST endpoints that needs authentication.
I have been looking at ways Flask extensions do this and Flask Login extension is defined as
Flask-Login provides user session management for Flask. It handles the
common tasks of logging in, logging out, and remembering your users’
sessions over extended periods of time.
This seems like against the philosophy of building a Stateless server, isn't it?
What are better ways to build a Stateless server with authentication provided via HTTP headers with Python or related python libraries?
P.S: Apologies for not posting a programming question here, this is a design issue and I do not know how to solve it and SO seems to have right people to answer such questions. Thanks.
Flask-Login uses flask's built in session management, which by default uses secure/signed cookies, and so is purely client side.
It can support server side sessions if needed though of course, here's an example redis backed session store.
I've the same problem as you have said.
While I have built a simple solution for this but looking for a better one.
What I currently did is to ask the caller (Who send the http request) provide a 'X-User-Info' in the http header, the value is a token. When I received the request, I use this token to get user identity (From redis for instance) and all of the following authorization & permission control are based on this identity.
The authentication does nothing but generate a random token, save it with user info to redis and return the token itself to the caller.
I'm writing an application on GAE that is exposing a RESTlike API to a fixed number of remote servers which may be using any OS/software. At the moment I'm pondering how to identify and authenticate these remote servers painlessly.
I'm trying to avoid having to program too much of this myself for obvious security concerns.
If I'd were on an Apache or nginx I'd use SSL client certificates and let the clients choose whatever they want to contact the API, curl, webapp, whatever.
I understand that, at this time, GAE doesn't provide checking client certificates this way.
Is there any other way to do this in GAE with Py2.7?
If this is not possible or a very big hassle, can anyone point me to another good way to identify and authenticate remote servers in a situation like this?
I can only post two links of what I checked
https://groups.google.com/forum/?fromgroups=#!topic/google-appengine-python/c5PHMrAMAcI
https://sites.google.com/site/oauthgoog/authenticate-google-app-engine-app
plus much more over the last few days. I found some questions which are similar to mine, but none with a satisfying answer, to me at least.
I'd suggest looking into Google Cloud Endpoints, which is currently in the trusted tester phase. I discuss it in more detail in this answer, but the main things you'll get are:
An easy way to define your API
Automatic support for OAuth 2
We're primarily targeting developers building APIs in their application backends, but other "same party" (e.g. you're the API developer and consumer) uses should work equally well.
I'm developing a website (in Django) that uses OpenID to authenticate users. As I'm currently only running on my local machine I can't authenticate using one of the OpenID providers on the web. So I figure I need to run a local OpenID server that simply lets me type in a username and then passes that back to my main app.
Does such an OpenID dev server exist? Is this the best way to go about it?
The libraries at OpenID Enabled ship with examples that are sufficient to run a local test provider. Look in the examples/djopenid/ directory of the python-openid source distribution. Running that will give you an instance of this test provider.
I have no problems testing with myopenid.com. I thought there would be a problem testing on my local machine but it just worked. (I'm using ASP.NET with DotNetOpenId library).
The 'realm' and return url must contain the port number like 'http://localhost:93359'.
I assume it works OK because the provider does a client side redirect.
I'm also looking into this. I too am working on a Django project that might utilize Open Id. For references, check out:
PHPMyId
OpenId's page
Hopefully someone here has tackled this issue.
I'm using phpMyID to authenticate at StackOverflow right now. Generates a standard HTTP auth realm and works perfectly. It should be exactly what you need.
You could probably use the django OpenID library to write a provider to test against. Have one that always authenticates and one that always fails.
Why not run an OpenID provider from your local machine?
If you are a .Net developer there is an OpenID provider library for .Net at Google Code. This uses the standard .Net profile provider mechanism and wraps it with an OpenID layer. We are using it to add OpenID to our custom authentication engine.
If you are working in another language/platform there are a number of OpenID implementation avalaiable from the OpenID community site here.
You shouldn't be having trouble developing against your own machine. What error are you getting?
An OpenID provider will ask you to give your site (in this case http://localhost:8000 or similar) access to your identity. If you click ok then it will redirect you that url. I've never had problems with livejournal and I expect that myopenid.com will work too.
If you're having problems developing locally I suggest that the problem you're having is unrelated to the url being localhost, but something else. Without an error message or problem description it's impossible to say more.
Edit: It turns out that Yahoo do things differently to other OpenID providers that I've come across and disallow redirections to ip address, sites without a correct tld in their domain name and those that run on ports other than 80 or 443. See here for a post from a Yahoo developer on this subject. This post offers a work around, but I would suggest that for development myopenid.com would be far simpler than working around Yahoo, or running your own provider.