Django Middleware to enable SSO using Vouch Proxy
django-vouch-proxy-auth
Django Middleware enabling the use of the Vouch Proxy cookie for single sign-on.
This package subclasses Django's RemoteUserMiddleware and RemoteUserBackend.
How it Works
- The middleware checks for the presence of the Vouch Proxy cookie.
- If the cookie exists, it attempts to load a previous validation from Django cache.
- If the validation result is not in the cache, send the contents of the VouchCookie cookie to the Vouch Proxy /validate endpoint.
- If the validation is successful, decode and decompress the cookie and extract the username from the JWT payload.
- Save the username in cache with a short expiration and use the SHA256 sum of the VouchCookie as the key (i.e. VouchCookie_ + sha256sum(VouchCookie)).
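The flow above as an added sketch, not the package's own code. Assumptions: validate is a hypothetical callable standing in for the HTTP call to the /validate endpoint, a dict stands in for the Django cache, and the cookie layout (base64url of a gzip-compressed JWT carrying a username claim) is assumed rather than taken from this page.

```python
import base64, gzip, hashlib, json, time

CACHE_PREFIX = "VouchCookie_"   # page default: cookie name plus underscore
CACHE_TIMEOUT = 300             # page default, in seconds


def cache_key(cookie: str) -> str:
    # Hashing keeps the raw token out of the cache key and fixes the key length.
    return CACHE_PREFIX + hashlib.sha256(cookie.encode()).hexdigest()


def _b64url(data: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def username_from_cookie(cookie: str) -> str:
    # Assumed layout: base64url(gzip(JWT)); the claim name "username" is assumed.
    jwt = gzip.decompress(_b64url(cookie)).decode()
    payload = json.loads(_b64url(jwt.split(".")[1]))
    return payload["username"]


def authenticate(cookie, validate, cache, now=time.time):
    """Return the username for a validated cookie, else None."""
    if not cookie:
        return None
    key = cache_key(cookie)
    hit = cache.get(key)
    if hit and hit[1] > now():
        return hit[0]                    # validated within the cache timeout
    if not validate(cookie):             # stand-in for the call to /validate
        return None                      # never decode an unvalidated cookie
    # No local signature check: the payload is trusted only because the
    # validator accepted this exact cookie value.
    user = username_from_cookie(cookie)
    cache[key] = (user, now() + CACHE_TIMEOUT)
    return user


def make_sample_cookie(username: str) -> str:
    # Constructed test input, not a real Vouch Proxy token.
    enc = lambda b: base64.urlsafe_b64encode(b).decode().rstrip("=")
    jwt = ".".join([enc(b'{"alg":"HS256"}'),
                    enc(json.dumps({"username": username}).encode()), "sig"])
    return base64.urlsafe_b64encode(gzip.compress(jwt.encode())).decode()
```

Because the cached entry is keyed on the exact cookie value, a cookie revoked at the proxy keeps authenticating until its entry expires, which is the trade-off behind VOUCH_PROXY_CACHE_TIMEOUT.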
Installation and Usage
pip install django-vouch-proxy-auth
or add django-vouch-proxy-auth to your requirements file.
To enable the middleware, add django_vouch_proxy_auth.middleware.VouchProxyMiddleware after Django's AuthenticationMiddleware.
MIDDLEWARE = [
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    # ... any other middleware ...
    'django_vouch_proxy_auth.middleware.VouchProxyMiddleware',
]
This middleware is also dependent on the VouchProxyUserBackend authentication backend. Add it anywhere in your AUTHENTICATION_BACKENDS.
AUTHENTICATION_BACKENDS = (
    # The trailing comma makes this a one-element tuple rather than a plain string.
    'django_vouch_proxy_auth.backends.VouchProxyUserBackend',
)
Finally, you MUST tell the middleware where the /validate endpoint is. Add the VOUCH_PROXY_VALIDATE_ENDPOINT to your Django settings.py file.
VOUCH_PROXY_VALIDATE_ENDPOINT = 'https://login.avacado.lol/validate'
Settings
VOUCH_PROXY_VALIDATE_ENDPOINT
Location of the Vouch Proxy validation endpoint. You MUST provide this value, or the Middleware will raise an ImproperlyConfigured exception.
VOUCH_PROXY_VERIFY_SSL
Default: True
Set this to False to ignore verification of the Vouch Proxy SSL certificate.
VOUCH_PROXY_COOKIE_NAME
Default: VouchCookie
Change this setting if you are using a custom Vouch Proxy cookie name.
VOUCH_PROXY_CACHE_TIMEOUT
Default: 300 (seconds)
This middleware will cache the username if a successful response from the /validate query is returned. To reduce the load on Vouch Proxy, the middleware will only validate the cookie every 300 seconds (5 minutes) by default.
Set this value to a positive integer if you want to change the cache timeout.
Set this to 0 if you want Django to query the Vouch Proxy /validate endpoint on every request.
VOUCH_PROXY_CACHE_PREFIX
Default: the configured value for VOUCH_PROXY_COOKIE_NAME plus an underscore (i.e. VouchCookie_)
Set this value if you want to change the prefix for the CacheKey.
VOUCH_PROXY_CACHE_BACKEND
Default: default
Set this value if you want to store cached results in a different cache.
VOUCH_PROXY_DISABLED_PATHS
Default: []
Set this value to a list of full paths for which the middleware should be disabled.
For example, if you have other middleware that causes conflict:
VOUCH_PROXY_DISABLED_PATHS = ['/oidc/authenticate/', '/oidc/callback/']
VOUCH_PROXY_CREATE_UNKNOWN_USER
Default: True
Set this to False if you do not want the middleware to automatically create a user entry on first login. You must use the
VOUCH_PROXY_FORCE_LOGOUT_IF_NO_COOKIE
Default: False
Set this to True if you want Django to log out the user if the Vouch Cookie is not present.
Hashes for django-vouch-proxy-auth-0.1.3.tar.gz
Algorithm | Hash digest
---|---
SHA256 | 087d53a3aa55199ffdddb3158b594340f1753a551d792ede1419271f79a30003
MD5 | 5d97750099e37507716ca3ef21f1c4a9
BLAKE2b-256 | 6d99116419c8dafec0369abccc6b646b4153b86ef11e5c9594d67dc690a7f91e
Hashes for django_vouch_proxy_auth-0.1.3-py3-none-any.whl
Algorithm | Hash digest
---|---
SHA256 | 1813cf6a6246106afa5131de614596aade1cdc822a20f84ebc5390da9d618df1
MD5 | 236f22eda54132beae4a17029788d69c
BLAKE2b-256 | 670e74bb0b5278b9279454c01e6d144d9f05ca3b5b80a14c654c67141750077d