Is there a third-party authentication system for Django? - django

We are trying to integrate a Django application with an OpenID Connect (OIDC) provider as a Relying Party. The provider isn't a major vendor, and thus doesn't have custom-built packages, so we are leveraging Authlib. This works, but I'm stressed about the amount of custom code we are having to put in to manage the session and redirects and whatnot.
I have experience in the Ruby and Node.js worlds, and those communities have the general-purpose authentication tools OmniAuth and Passport, respectively. Is there an equivalent for Django?
Closest I've found is mozilla-django-oidc, which I may try — curious if there are others I'm missing. Surprised I haven't come across anything that hooks into the Django authentication system.
Thanks!

Related

Wirecloud authentication using keystone only?

The instructions for providing FIWARE based authentication for Wirecloud suggest installing KeyRock (a frontend/backend combo of the Horizon/Keystone GE). Is the frontend (Horizon) really necessary if the only application to be secured is a Wirecloud instance (and possibly some backend services)? The point is to avoid, if possible, having to configure/style/maintain etc. a second frontend. Is it possible to authenticate directly using a Django plugin like this? Pros and cons?
WireCloud is currently linked to the use of django.contrib.auth, so any authentication plugin based on it should work. Moreover, the instructions for using KeyRock are using python-social-auth so, in fact, you can use it for authenticating using any of the backends supported by python-social-auth: GitHub, Twitter, OpenId, ...
In that regard, I don't see any problem in the use of the plugin you are proposing (although I have not tested it).
The advantage of using the KeyRock backend provided by WireCloud is that it enables operators and widgets to propagate the credentials to third-party services using KeyRock for authentication (e.g. Orion Context Broker, Object Storage, ... and in general, any service behind a PEP proxy).

How to build RESTful Webservice API for PhoneGap application using Django and Mongodb?

I want to build a RESTful webservice API to handle PhoneGap application requests.
I am familiar with Python and Django.
The RESTful webservice is a social network like Twitter, and is required to use MongoDB. Everyone can post a status photo from the mobile app to the server and can follow anyone. I have read about django-tastypie for building a RESTful API, but I want to use MongoDB. As for a MongoDB driver for Django, I have read about mongoengine.
What about the combo django + django-tastypie + mongoengine? Is it suitable for me?
There is this https://github.com/mitar/django-tastypie-mongoengine . Whether the tastypie model is the right choice depends on many factors, but its ability to create a standards compliant REST that works with backbone.js will continue to encourage use. It's pretty nice to extend as well - taking a lot of inspiration from the way you define ModelAdmins in django. Not having to come up with your own authentication system or integrate oauth by hand is appealing (but sometimes an existing authentication is required if you are building this into an old application).
I have tried to implement basic API endpoints with plain mongoengine and ran into many serialization issues (ObjectIDs and many other fields) and an inability to get relations easily or control the inclusion and detail of embedded documents, so it is worth at least putting some time into evaluation and tinkering with Tastypie. Like the mongoengine django admin - you won't find 100% seamless recreation of the SQL version but rolling your own solution here is a high level of effort.

Implementing a SOA in Django using celery

I want to implement a web app with a SOA design. I am thinking of using celery in conjunction with Django to do this. But I have some questions:
Is this the correct way to go in order to implement a SOA design for Django?
Assuming that this is the way to go, how would I accomplish authentication within the Django framework? Specifically, I would like authentication to be decoupled with a producer and consumer pattern. That way, a REST api (or anything for that matter) can be used to produce the authentication credentials, and a consumer (within the Django framework) can be used to read and act upon the credentials.
Again, should I do the above with Celery in Django?
A message queue (such as rabbitmq brokered by celery) is a perfectly fine way to handle communication between SOA components. Additionally, if you need real-time communication without sharing databases between services, REST is basically made for this. There are several options for implementing REST services on top of Django, with Tastypie and Django-Rest-Framework being popular choices.
As for passing authentication between components, Django has several options for this. Contrary to popular opinion, the Django authentication framework is extremely flexible, supporting authorization/authentication against anything you can write a backend for. See https://docs.djangoproject.com/en/dev/topics/auth/#writing-an-authentication-backend for documentation on this.
There are numerous examples of this already:
Consume ZenDesk's SSO: http://www.jongales.com/blog/2009/05/12/zendesk-remote-authentication-with-django/
Consume SSO from numerous social networks: django-social-auth or django-allauth
Consume LDAP: http://packages.python.org/django-auth-ldap/
As for publishing auth, there are fewer options, but these include:
SAML: https://opensourcemissions.wordpress.com/2010/08/19/django-saml-2-0-identity-provider/
Oauth: http://djangopackages.com/search/?q=oauth
I strongly suggest using a provider package already built and tested over rolling your own. Implementing SSO is deceptively tricky.
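To illustrate the backend interface the answer above links to, here is an added example (not part of the original answer and not code from any package named on this page) of the producer/consumer split the question asks about: one service issues an HMAC-signed, expiring token and a backend class verifies it. `SHARED_KEY`, `issue_token`, `SignedTokenBackend`, the `token` credential name and the token format are assumptions made for illustration, and a dict stands in for the user model so the block runs without Django.

```python
import hashlib
import hmac
import time

# Assumption: a secret shared by the issuing service and the Django app.
SHARED_KEY = b"constructed-demo-key-not-for-production"


def _sign(payload):
    return hmac.new(SHARED_KEY, payload.encode(), hashlib.sha256).hexdigest()


def issue_token(username, ttl=300, now=None):
    """Producer side (e.g. the REST service): sign 'username|expiry'."""
    issued = now if now is not None else time.time()
    payload = f"{username}|{int(issued + ttl)}"
    return f"{payload}|{_sign(payload)}"


class SignedTokenBackend:
    """Consumer side. Django calls authenticate() and get_user() on every
    class listed in AUTHENTICATION_BACKENDS; no base class is required."""

    def __init__(self, users=None):
        # Stand-in for a user-model lookup (hypothetical in-memory store).
        self.users = users if users is not None else {}

    def authenticate(self, request, token=None, now=None):
        if not token or token.count("|") != 2:
            return None
        username, expiry, sig = token.split("|")
        expected = _sign(f"{username}|{expiry}")
        # Verify the signature in constant time before trusting any field.
        if not hmac.compare_digest(sig.encode(), expected.encode()):
            return None
        current = now if now is not None else time.time()
        if int(expiry) < current:
            return None  # token expired
        # Returning None lets Django fall through to the next backend.
        return self.users.get(username)

    def get_user(self, user_id):
        # With a real user model this receives the primary key from the session.
        return self.users.get(user_id)
```

In a Django project the dict lookups would be replaced by queries on the user model, and the view would call `django.contrib.auth.authenticate(request, token=...)` so the backend receives the token as a keyword credential.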
Django is not really built for SOA. In the case of authentication, Django has a well-defined authentication framework that will easily allow you to reuse it across Web, API, etc.
Generally speaking, if you want the flexibility to define your own architecture, Django probably isn't for you. You might want to consider something more minimalist like web.py.

Django library for Stack Exchange API authentication?

I'm writing a webapp that heavily uses the StackExchange API. I'm currently using OpenID authentication but given the only people that will use the site will be SE members, I've been wondering if there's a library for Django (or Python, in general) that can handle the login process for me.
I'm specifically thinking of something that slots into the process like the django_openid_auth project does.
Look at django-allauth. The supported authentication providers are:
Facebook (both OAuth2 and JS SDK)
Github
Google (OAuth2)
LinkedIn
OpenId
Persona
SoundCloud (OAuth2)
Stack Exchange (OAuth2)
Twitter
You can use django-allauth for signup/login process as it supports Stack Exchange OAuth2.
Since your app heavily uses StackExchange API, you should consider using Py-StackExchange along with django-allauth. Please have a look at FAQ and its API support for StackExchange.
You have Py-StackExchange, perfect for using from Python. Check out the code at GitHub or its page at StackApps.
Added after Oli's comment
For managing login/registration there are some good working projects. You can read a good review of 4 of the most common libraries at hackerluddite. Django-social-auth and django-allauth are likely the most complete, stable and used.

Web Service Authentication using OpenID

I'm going to be developing a REST-ful Web Service for a new public website. The idea behind the web service is to have 3rd parties develop fully functional UIs for the business logic.
For security reasons, I'd like to avoid users having to give their passwords for our service to the 3rd party applications. (Perhaps this shouldn't be a big concern?) Instead, I'm looking to implement some sort of login system on our site that provides an auth token to the 3rd party app but keeps the actual password out of their hands.
This made me think that OpenID might be a potential solution here. It seems to me that it should work: the actual password is handled by the OpenID provider and so it doesn't rest with the 3rd party app. I think that the trouble would probably lie with the various passthroughs, but that should be manageable.
However, there's a surprising lack of Googleable info on this, so I'd like SO's opinion. Has anyone implemented a similar system before? Is it even possible? Is it worth the trouble?
I agree completely that what you want is OAuth; I say that having worked on both OAuth and OpenID systems. I've also been in your boat a few times, having to develop a REST web service api.
For some really good ideas on OAuth, and why it is what you want, see these attached articles:
These are must-reads; there are four parts, read them all:
http://hueniverse.com/oauth/guide/
The RFC, read after reading the above as it can be a little daunting for most:
http://oauth.net/core/1.0
And then finally maybe some code. I have a couple projects hosted that are using Java/Groovy to do OAuth. One is a plain old OAuth client, the other is a client for specific interactions with NetFlix.
http://www.blueleftistconstructor.com/projects/
If you are relatively inexperienced with REST (you haven't built a full scale web api yet) I would recommend that you buy (or better get your boss to) "RESTful Web Services" by Richardson & Ruby. It is an O'Reilly book. I can say that it is one of their better books to debut in the past few years.
It might also help to look at some RESTful OAuth based APIs. The NetFlix API is a perfect example: http://developer.netflix.com/docs
Good luck and happy coding!
So far, I've found 1 worthwhile link:
http://markmail.org/message/utf7js473zqv45hv
This conversation mentions something called "OpenID Exchange" which is right up my alley... but the included link is broken and there's not much solid information on Google for it.
Looks like OAuth might be the ticket: http://oauth.net/
We have been working on a project to integrate OpenID Authentication for SOAP web services. You can find our project at http://code.google.com/p/ws-sandhana/.
You can provide Single Sign-On to your web services using OpenID authentication and you can enforce the trusted OpenID Providers and required attributes of the users by defining service security policies.
This is an open source implementation on Apache Rampart which is the security module for Apache Axis2 web service engine. You can find our blog at http://sandhana-project.blogspot.com/ for more information.