Django + Google SSO openid - django

I would like to have my application http://app.acquee.com/designer to accept a google account as a login. I found a bunch of libs for django but most work on top of existing Django authentication system that I do not use. I have my own set of user tables where I keep user info and privileges.
Any suggestion on how to integrate that with the Google Openid?
Seems I will have to do it manually using python-openid. Or could I use django-openid?
However, with the latter, I don't even know how to issue the discover command.
Regardless, I get stuck on google's step 5, sending a login authentication request (optionally with OAuth parameters) to the provided endpoint address. Can someone provide a sample request? is it a GET/POST? content?
Cheers

You can try https://launchpad.net/django-openid-auth - I'm using it in a commercial project, for both regular Google Accounts and Google Apps accounts. I remember that it was the most convincing one at the time I was doing a review, although I can't give you any details now due to my short memory. Anyway - it's working great.

Related

How to Connect Rails Client to IndentityServer SSO provider

At work we have a system set up running a ThinkTecture IndentityServer SSO provider which currently provides authentication for several .NET and ColdFusion sites. I am currently working on a new site we are supporting in Ruby on Rails and am having difficulty figuring out how to connect it to the SSO. (I'm pretty new to rails, but a long time developer in CF and .NET)
I've looked at the omniauth-oauth2 and oauth2 gems but it seems there are important parts missing from the documentation and explanations I can find. There is a ton of info if I wanted to authenticate using Twitter, Facebook or something similar, but I can't find anything that just addresses the client side for any generic OAuth2 provider.
I'm just looking for someone to point me in the right direction to find information on how I can do this. I don't care if it's specific to IdentityServer or just generic regardless of the provider. Thanks for the help.
Update: Just so you know, I would prefer to use OAuth2 for this connection, but I am not opposed to using any of the other ways that IdentityServer provides, including ADFS, WSFed or Simple HTTP. I can't use OpenID, though, because these accounts are specific to our system and can't be used for other systems.
You really need an open id connect library.
http://openid.net/developers/libraries/
It turns out this is pretty easy, overall. The difficulty is that there is no straight answer to the question. How you connect to IdentityServer entirely depends upon how IdentityServer is set up.
I'm not going to post my exact code, as this will not help anyone who doesn't have IdentityServer set up exactly the same way we do, and as I don't have access to the IdentityServer, I can't say exactly how that is. I will explain the overall solution, though.
The only gem needed for this is JWT
Get key codes from IdentityServer admin (client id, secret key, sign key)
Build login URL according to configuration of IdentityServer
Redirect user to login path generated in the last step
Receive token back from IdentityServer
Decode and verify using the JWT.decode function
From there you just have a JSON string with your data.

Admin SDK for multiple google apps accounts

My team is trying to develop a product for the google apps marketplace and I am having issues with the workflow in the new ADMIN SDK.
With the now deprecated Provisioning API we simply ask for a username and password from the account we are trying to manage.
With the ADMIN SDK it seems as though they would need to go enable the API, create a key and do a lot of manual work for this to happen. This really is a tough option for us as the technical level of our clients is not likely to be able to make this transition.
Is there something like the work flow for the provisioning API where they can enable management from a third party or a recommended workflow for a developer to build an application that can access any number of google apps accounts?
A use case for this is say I want to develop a different option for a console, I want to build a console web app and simply ask for credentials or easy setup routine and allow our users to manage their google apps account in a different way.
Thanks in advance,
Steve
The Admin SDK Directory and Reports APIs work correctly with 2-legged OAuth 1.0a which is what the Google Apps Marketplace currently supports and automates. You do need to turn the Admin SDK on under "Register for additional APIs" from your Vendor Profile page on the marketplace. Also, the Administrative APIs for the domain must be turned on. You'll get a generic error that the domain cannot use the APIs if it's off in which case you can direct the client to the exact CPanel page where they can turn it on.

Google Cross Domain Authentication

I have various sites (on their own domain) with their own authentication systems. What I'm trying to do is combine all the authentication into Google's authentication so the users will only have to log in with their Google credentials. What I'm thinking of is that they would log in with their Google credentials and be redirected to a dashboard which has image links to the other sites. The user should be able to go to any of the sites and be automatically logged in since they were already authenticated. I saw that there's an authentication for Google Apps but is this the same thing for my websites?
What I'm not sure about is how does this happen cross domain? How do the other domains know that the user is already authenticated?
Also, if the user logs out, they should not be able to access any of the sites anymore.
Anyone have any experience implementing something like this? Any resources are much appreciated. I will be implementing this in Coldfusion so Coldfusion resources are a bonus.
Your talking about using Google to login/signup i.e. Using OAuth 2.0.
You will need to register each of your app domains with Google. The user will need to confirm each application to allow access (in your case for signup/login).
Resource on Google Login with ColdFusion by Raymond Camden
The point is you need to establish a certain protocol to build a trust.
Other options are:
Google oauth javascript cross domain

Authorizing an application with Oauth and Python

I am trying to build an application that will use data from multiple social services. The user will need to authorize their accounts to be accessed across these multiple services (e.g. facebook, twitter, foursquare) using oauth.
I don't really need the users to login with these accounts, really it is just allowing their data from the api to be pulled.
I know I need to use oauth, but I am having trouble finding a basic example of how to do this type of thing (a lot of examples exist for logging in with oauth).
I have been trying the python-oath2 library.
Does anyone have any recommendation for a good tutorial or example of doing this type of thing in python, and if possible django.
Thanks.
Why reinvent the wheel? There is a plethora of reusable applications that have this implemented. You can find a comparison here: http://djangopackages.com/grids/g/authentication/
Why not give rauth a try? We use this in production for this exact purpose. Although you don't need to require the user to login with your app via the provider, you're going to redirect to the provider, where they'll be asked to authenticate your application. Assuming they accept (or even if they don't), they'll be redirected back to your application, i.e. via the redirect_uri or oauth_callback, there you'll ensure they authorized your app and then proceed with whatever housekeeping you need to do, e.g. saving some info about the user in your database. Try the examples and also pay particular attention to the Facebook example. Now the Facebook example is intended for authorization with the example web app, but the same pattern can be used for what you're trying to do. (You just won't be having them login in via Facebook, for instance. However, the flow can be and probably should be identical, sans database operations and template login lingo.)

Any way to hack FogBugz On demand to SSO?

I will launch soo a new iPhone app and want to off-load the forums to my actual FogBugz On Demand account.
However, I discover that FOD have no facility to integrate Single sing-on. I use django and have the option to use open-id, but not know if exist a way to make this happend.
Obviously, I could hack a simple forums like the one on FogBugz in django or reuse one, but I just think that aintegrated forum with the bug tracking is the best thing.
Any idea?
FogBugz On Demand now natively includes some authentication methods other than the standard username/password authentication.
Setting up authentication with Google's OAuth is quite simple for companies using Google Apps for work email. Once an administrator enables OAuth following the instructions in this article on Fog Creek Software's help site, logging in is as simple as clicking the OAuth button on the login page. All of the users' settings are retained.
If you’re already managing the rest of your authentication through a SAML 2.0 provider, you can also use your identity provider for FogBugz login. Steps for configuring SSO can be found in this article. This requires a bit more configuration than OAuth, but will work for companies that don't use Google Apps for email.
Of course, if you have any questions about configuring SSO in FogBugz, you can always contact customer support at http://www.fogcreek.com/contact/.
From the FogBugz forum:
http://support.fogcreek.com/default.asp?fogbugz.4.102256.3
I believe this is you there also. The answer provided shouldn't be too difficult to implement.