I am starting a project where there'll be a bunch of microservices in Django. I want to implement a separate Authentication and Authorization system that all the microservices will talk to for end-user auth.
So, my doubts are:
What approach should I take?
I have looked at OPA and it seems promising but I can't seem to figure out the implementation.
I also looked at some other authorization systems like Google's Zanzibar. Is it any good?
Related
We are trying to integrate a Django application with an OpenID Connect (OIDC) provider as a Relying Party. The provider isn't a major vendor, and thus doesn't have custom-built packages, so we are leveraging Authlib. This works, but I'm stressed about the amount of custom code we are having to put in to manage the session and redirects and whatnot.
I have experience in the Ruby and Node.js worlds, and those communities have the general-purpose authentication tools OmniAuth and Passport, respectively. Is there an equivalent for Django?
Closest I've found is mozilla-django-oidc, which I may try — curious if there are others I'm missing. Surprised I haven't come across anything that hooks into the Django authentication system.
Thanks!
I'm considering using a message queue-like system as the backend for a web application that would provide for synchronization between a web server, mobile applications and browsers. Are there any existing turn-key SaaS solutions for this? This solution would preferably understand JSON.
I actually had a particular startup in mind when I asked this question, but I couldn't for the life of me remember the name of the company. But now I remember: Simperium
Additionally, Firebase is similar and perhaps more mature than Simperium.
Parse addresses a similar need (hosted backend) but it's RESTful so not addressing the same issue.
I want to implement a web app with a SOA design. I am thinking of using celery in conjunction with Django to do this. But I have some questions:
Is this the correct way to go in order to implement a SOA design for Django
Assuming that this is the way to go, how would I accomplish authentication within the Django framework. Specifically, I would like authentication to be decoupled with a producer and consumer pattern. That way, a REST api (or anything for that matter) can be used to produce the authentication credentials, and a consumer (within the Django framework) can be used to read and act upon the credentials.
Again, should I do the above with Celery in Django?
A message queue (such as rabbitmq brokered by celery) is a perfectly fine way to handle communication between SOA components. Additionally, if you need real-time communication without sharing databases between services, REST is basically made for this. There are several options for implementing REST services on top of Django, with Tastypie and Django-Rest-Framework being popular choices.
As for passing authentication between components, Django has several options for this. Contrary to popular opinion, the Django authentication framework is extremely flexible, supporting authorization/authentication against anything you can write a backend for. See https://docs.djangoproject.com/en/dev/topics/auth/#writing-an-authentication-backend for documentation on this.
There are numerous examples of this already:
Consume ZenDesk's SSO: http://www.jongales.com/blog/2009/05/12/zendesk-remote-authentication-with-django/
Consume SSO from numerous social networks: django-social-auth or django-allauth
Consume LDAP: http://packages.python.org/django-auth-ldap/
As for publishing auth, there are fewer options, but these include:
SAML: https://opensourcemissions.wordpress.com/2010/08/19/django-saml-2-0-identity-provider/
Oauth: http://djangopackages.com/search/?q=oauth
I strongly suggest using a provider package already built and tested over rolling your own. Implementing SSO is deceptively tricky.
Django is not really built for SOA. In the case of authentication, Django has a well-defined authentication framework that will easily allow you to reuse it across Web, API, etc.
Generally speaking, if you want the flexibility to define your own architecture, Django probably isn't for you. You might want to consider something more minimalist like web.py.
I'm just brainstorming, and don't really know much about these technologies yet. What I want to do is provide an easy and secure for users to prove who they are across multiple web sites, and I want to provide a way for web sites to share certain information with each other (if the user gives them permission). After a little reading, it seems like OpenID and OAuth would be the best way to solve this problem (right?).
After searching, I've found two interesting projects. One is "Step2" which only has Java libraries (not a problem for me, but other, partner websites might not be coded in Java), and looks like it has been abandoned. Another is "OpenID Connect," which doesn't look like it's even been started.
So, I've guess I've got three questions. Is linking OpenID and OAuth what I should be doing? Is there a OpenID+OAuth project that has a lot of support? If not, would it be easy to integrate the two myself?
OpenID is interesting in cases like Stack Overflow where you want to let people log in with external credentials but not with the intent of exchanging data with that external site.
But I don't think you need OpenID for the scenario described... by putting users through the OAuth flow, users are effectively "proving who they are across multiple web sites" as part of the authorization process.
Describe OpenID and OAuth, how works OAuth and what does OAuth.
DotNetOpenAuth is an open source library that supports OpenID, OAuth and
support for your site visitors to login with their OpenIDs.
Document describes OAuth authorization process as well as how to work with OAuth tokens.
Also gives an overview that How to implement Google using OAuth for our web application's.
I'm going to be developing a REST-ful Web Service for a new public website. The idea behind the web service is to have 3rd parties develop fully functional UIs for the business logic.
For security reasons, I'd like to avoid users having to give their passwords for our service to the 3rd party applications. (Perhaps this shouldn't be a big concern?) Instead, I'm looking to implement some sort of login system on our site that provides an auth token to the 3rd party app but keeps the actual password out of their hands.
This made me think that OpenID might be a potential solution here. It seems to me that it should work: the actual password is handled by the OpenID provider and so it doesn't rest with the 3rd party app. I think that the trouble would probably lie with the various passthroughs, but that should be manageable.
However, there's a surprising lack of Googleable info on this, so I'd like SO's opinion. Has anyone implemented a similar system before? Is it even possible? Is it worth the trouble?
I agree completely that what you want is OAuth; I say that having worked on both OAuth and OpenID systems. I've also been in your boat a few times, having to develop a REST web service api.
For a really good ideas on OAuth, and why it is what you want see these attached article:
These are must read, there are four parts read them all:
http://hueniverse.com/oauth/guide/
the RFC, read after reading above as it can be a little daunting for most:
http://oauth.net/core/1.0
And then finally maybe some code. I have a couple projects hosted that are using Java/Groovy to do OAuth. One is a plain old OAuth client, the other is a client for specific interactions with NetFlix.
http://www.blueleftistconstructor.com/projects/
If you are relatively inexperienced with REST (you haven't built a full scale web api yet) I would recommend that you buy (or better get your boss to) "RESTful Web Services" by Richardson & Ruby. It is an O'Reilly book. I can say that it is one of their better books to debut in the past few years.
It might also help to look at some RESTful OAuth based APIs. The NetFlix API is a perfect example: http://developer.netflix.com/docs
Good luck and happy coding!
So far, I've found 1 worthwhile link:
http://markmail.org/message/utf7js473zqv45hv
This conversation mentions something called "OpenID Exchange" which is right up my alley... but the included link is broken and there's not much solid information on Google for it.
Looks like OAuth might be the ticket: http://oauth.net/
We have been working on a project to integrate OpenID Authentication for SOAP web services. You can find our project at http://code.google.com/p/ws-sandhana/.
You can provide Single Sing On to your web services using OpenID authentication and you can enforce the trusted OpenID Providers and required attributes of the users by defining service security policies.
This is an open source implementation on Apache Rampart which is the security module for Apache Axis2 web service engine. You can find our blog at http://sandhana-project.blogspot.com/ for more information.