Centralized authentication web2py app and drupal site, is it possible? - web-services

I'm writing a web2py app to manage events and other activities which require users's information, such as id and names for certificates, on the other side there's a drupal site that already has the registered users.
I would like the share the drupal users to my web2py app so i don't have to register users again in my app.
Already thought in jainrain and tools alike but the info i need is already in the drupal db

To authenticate against the another web server that supports basic authentication is possible using basic auth module. Just add following to your model file after auth initialization and replace a proper http address to your Drupal ...
from gluon.contrib.login_methods.basic_auth import basic_auth
auth.settings.login_methods.append(
basic_auth('https://basic.example.com'))
For details see this section from documentation:
Other login methods and login forms

Related

Keycloak single logout with Django

I created a Django application that integrates with Keycloak's OpenID authentication. So far the only pressing issue I've encounted is the logout function.
When I log out via the Django app, I could implement it such that it logs the user out of the Keycloak as well. However, I could not find a way to perform the reverse. Logging out via Keycloak account management interface does not log the user out from the Django app. This means that the user can still remain authenticated on the Django app even though he is already logged out of Keycloak, which appears to be a security concern.
From what I understood from most other similar StackOverflow post, Keycloak supposedly has a way to call back to web application to logout the user, but however it is not very clearly documented on how to implement it:
https://www.keycloak.org/docs/latest/securing_apps/index.html#admin-url-configuration
Does anyone have any idea how this can be implemented on django?
I used Django 2.1 + mozilla-django-oidc package.

Django - Change login redirect based on current App

So, I'm adding on another app to a webapp that I'm building for my company, this one involving bill creation for invoices. Unless one has a specific account with my website, they should not be allowed to access this specific app.
I am using Django's built-in authentication system. My LOGIN_REDIRECT_URI is set to redirect to one of my apps. However, I would like for the login redirect to send the user to the app that they were previously in after login. How might I accomplish this?
Thank you in advance!

authentication Django on LDAP server

I would like my web application authenticate users on an ldap server (only for username and password), but that the permissions reside on django.
Not all ldap users must have access to the web application.
In particular, I would like to allow users to see only a few records (for example, suppose there is a model with a city field: some users should only be able to see records whose city field is london, others whose city is milano, etc.).
How can i define django permissions if users are defined on ldap?
How can I define the user's application admin if users are defined on ldap?
Do I need to implement a double authentication? Do I have to define ldap users who can access the web application even on django?
What is the best way to proceed?
Do you have any suggestions?
Examples?
Thanks
pacopyc
Not all LDAP users must have access to the web application.
Create a separate branch in LDAP tree for your application
What is the best way to proceed? Do you have any suggestions?
Take a look at the django-python3-ldap extension:
Define your settings in Django settings.py, then do a LDAP sync users to your local database
python manage.py ldap_sync_users

Authenticate against Drupal users database table from Django application

I'm working with:
A) A large Drupal 7.23 application running at https://sitename.com using a MySQL database with thousands of users, around 30 of which are Staff.
B) A small Django 1.3.7 application running at http://dj.sitename.com using a PostgreSQL database with few (only the Drupal app's staff) users, who need to be able to login to this Django app using their existing Drupal credentials.
The workflow would be something like this:
Staff users are manually created with identical usernames in each of the applications.
A staff user goes to dj.sitename.com and inputs the same username and password of their account that was created at sitename.com, and clicks submit. Django checks the username and password against the users table in the Drupal MySQL database and compares it with the details in the Django users table. If they match, the user is logged in.
When a staff user is already logged into the Drupal app and visits the Django app at dj.sitename.com, they are automatically logged in, and vice-versa.
When a staff user logs out from the Django app, they are logged out from Drupal, too, and vice-versa.
When a user changes their password in either Drupal or Django applications, it is automatically changed in both systems.
What is the simplest way to accomplish this?
You can use the Services module to expose Drupal user login as a HTTP service, which can then be used by your custom Django authentication backend. On successful login, the service will return you the Drupal user object. This object include the roles of the user, so you can use it to validate of the user has access to your application.
I had a similar request and I've detailed my solution in this howto. Both Drupal and Django run on the same server so I can use both TCP to share data between the two platforms and drush to do Drupal operations in Django.
Every login/logout has two steps:
Login: Django login -> (auto) Drupal login
Logout: Drupal logout -> (auto) Django logout
The turn point in the analysis of mine was to generate and use the one-time login after the Django login using Drush. Then, I use that generated url as a destination url of a login success in Django and alter or suppressing the password recovery message to avoid one more click.
from subprocess import check_output
output = check_output(["drush", "-r", settings.DRUPAL_SITE_PATH, "-l", settings.DRUPAL_SITE_NAME, "user-login", drupal_id])
Where drupal_id is the drupal uid of the just logged in django user. I have to keep a field for drupal uid in the django database. Via Drush you can even create an user when it's the first time you login successfully.
To logout you have to logout from Drupal and then logout from Django. You can do it via Rules, calling a django logout path after the event User has logged out is triggered.
What you're describing is single sign-on. You can look into phpSimpleSAML and enable SAML on both Drupal and your Django based app. Drupal has a module available here: https://drupal.org/project/simplesamlphp_auth
I'm guessing some type of SAML module/plugin exists for Django already.

Register & login to django backend from iphone app and mobile browser

We are building a Django backend with an iphone app and also would like to allow login through web/mobile browsers.
The requirement is to be able to register and logon from the website/mobile browser and also through the iphone app. I have also integrated django-registration for registration, login, logout etc.
What would be the preferred approach so that register, login, logout can be doen through the iphone app as well as mobile browser?
The most discussed approach seem to be the following:
Use tastypie for a RESTful API(or any other framework for REST) ( In
this case, I assume that means create an api for register and login)
For iphone, use RESTKIT to call and authenticate the backend to
perform login, registration etc.
Security and ability to only see relevant data for the user is important in our case as the data is highly sensitive.
Any advice is much appreciated and surely will help others too.
Thanks in advance.
Neo
If you have already integrated django-registration on your website, then you don't necessarily need to add tastypie just for login,logout etc.
Check out the documentation for django-registration at https://django-registration.readthedocs.org/en/latest/quickstart.html#setting-up-urls. If you follow the steps for the default setup, that should provide you with URLs for login, logout etc. If the section on "Required Templates" doesn't make sense to you here, read more about django at http://www.djangobook.com/en/2.0/chapter04.html
Once you have these URLs, you can simply make use of the AFNetworking library on iOS to create HTTP requests to login / logout etc.
Typically, a django view for registration will serve GET and POST requests differently. If you make a GET request, it will format the registration form and display the HTML page. If you make a POST request, it will first extract the information required for registration from the request and create a new user. This will happen automatically for the web.
Making use of AFNetworking, you can create a view that shows the form locally and then makes the corresponding POST request once the user wants to register. The same procedure applies for login.