I created a Django application that integrates with Keycloak's OpenID authentication. So far the only pressing issue I've encounted is the logout function.
When I log out via the Django app, I could implement it such that it logs the user out of the Keycloak as well. However, I could not find a way to perform the reverse. Logging out via Keycloak account management interface does not log the user out from the Django app. This means that the user can still remain authenticated on the Django app even though he is already logged out of Keycloak, which appears to be a security concern.
From what I understood from most other similar StackOverflow post, Keycloak supposedly has a way to call back to web application to logout the user, but however it is not very clearly documented on how to implement it:
https://www.keycloak.org/docs/latest/securing_apps/index.html#admin-url-configuration
Does anyone have any idea how this can be implemented on django?
I used Django 2.1 + mozilla-django-oidc package.
Related
I am building an application that uses django as a backend for data processing and management calls served to a Vue3 SPA. I am using Keycloak for authentication and using keycloak-js and mozilla-django-oidc to handle authentication for each.
Each work separately fine, I can navigate to the django app, login and see the data behind protected views (and get redirected properly if I a not logged in). Likewise I can login to the frontend and get a token and associated data. I can even login to the django app, then navigate to the frontend and calls are made with the correct session information and it all works fine.
The challenge is when I just login to the frontend and make a call to the django app it doesn't recognize it as being an authenticated user request - I am guessing it has something to do with not creating a django session, but am honestly a bit lost at this point.
Is there a way to ingest the token information and have django authenticate the user and start a session when the call is made from the frontend?
I'm creating an app with Django v. 4.0.3 and using third party authentication with Okta. I have used the package django-okta-auth to aid with the connection to Django's built in authentication. The issue I have encountered is when a user logs out and a new user logs in, it is still the original user that is logged into the system.
I have followed this tutorial exactly: https://pypi.org/project/django-okta-auth/
How can I add onto the logout function within the package django-okta-auth to ensure users are logged out correctly? Is this an issue with cookies needing to be cleared upon logout? There will be multiple users using the same browser (not concurrently but after login and out) so this is a necessity in the app.
I'm building up an app that should allow the user to sign up / sign in with Facebook and then he should be able to login (always via Facebook) to the "main" website
To be honest it's a bit more complicated than this. That's because I'm using django-tastypie and django-allauth in the main website to allow sign up, login, and browsing of our API
Basically I want to make the mobile app user browse the tastypie API (accessible only if logged and if you're an user in the main website) and grant him the rights to add rows (like orders)
Here's what I have
A phonegap app with a working Facebook login (I'm working on that right now)
A website with django-allauth and django-tastypie that makes me register as a new user using the allauth's Facebook login
No trace on the main website if the mobile user is doing a sign up via Facebook (this is the problem)
I'm basically confused how I should work with access tokens and how to pass further parameters (I don't need only the Facebook infos to complete the registration, but some custom fields too)
Anyone got experiences on this or would like to expose his workflow?
One common way of doing things is to leave all registration related functionality up to the website. In your phonegap app you can simply point the user to /accounts/login/ using the In-App-Browser (IAB). The IAB has events like loadstart and exit that you should monitor. A simple way of monitoring whether or not the user is successfully logged in is to have him redirected to a specific url, say /accounts/login/complete/, at the end of the login. If you attach a token to that return url (as in /accounts/login/complete/?token=123) you will be able to parse that token in your app. You could simply use the session ID as a token.
A more secure way is to use the django-oauth2-provider app and actually implement a proper oauth handshake. Handling that is almost the same. Using IAB open /oauth/authenticate/, you will be asked to login using allauth, then an oauth2 confirmation dialog appears, after which the oauth grant code is passed to a success URL. You can pick that code up from phonegap and using AJAX calls from within the phonegap app you can fetch the oauth access token. Btw, django-rest-framework has builtin support for django-oauth2-provider (don't know about tastypie).
A completely different approach is to implement a Facebook login in your mobile app, completely independent from the web site. Once logged in you'll be handed over a Facebook access token. Now, you can send this token over to the web site. Given the token, the website can fetch the user (https://graph.facebook.com/me?access_token=...), check whether or not that user is already known, if so return an appropriate token/session for that user, if not, create the user account and also return a token.
I am trying to integrate django sanction into my blog app (django newbie here), but I seem not to be able to "logout" the user after the login process (using Google OAuth2.0).
The entire process seems pain free - i.e I am able to get all user details on my db, and able to access user details on my django templates, but, when I logout and try to log back in, it seems to remember my credentials (cookies?). I am trying to logout from here
p.s: I am developing on localhost - wondering if this is the problem(?)
See here: How to force user logout in django?
quote:
I don't think there is a sanctioned way to do this in Django yet.
The user id is stored in the session object, but it is encoded. Unfortunately, that means you'll have to iterate through all sessions, decode and compare...
I don't understand how you handle authentication when using django and backbone.js.
Lets say I have an app where users can sign up / sign in. Normally in django I'd just use the #login_required decorator with my views to test if a users is authenticated or not. Since backbone is RESTful and uses something like json to communicate with the server, it's my understanding it doesn't have a concept of being logged in.
So how do I create an django backbone app that uses django's auth system so I can still take advantage of permissions, groups and session based auth.
You may find it easier to keep your login and logout code in django normally, and only go to a Backbone-based template once the user is logged in. Many sites work this way.
You will also want to watch for 401 errors coming back from the server when you sync, since this can mean that the user's session has expired. (I assume django sends these.)