Django Middleware to enable SSO using Vouch Proxy
Project description
django-vouch-proxy-auth
Django Middleware enabling the use of the Vouch Proxy cookie for single sign-on.
This package subclasses Django's RemoteUserMiddleware
and RemoteUserBackend
.
How it Works
- The middleware checks for the presence of the Vouch Proxy cookie.
- If the cookie exists, it attempts to load a previous validation from Django cache.
- If the validation result is not in the Cache, send the contents of the
VouchCookie
cookie to the Vouch Proxy/validate
endpoint. - If the validation is successful, decode and decompress the cookie and extract the username from the JWT payload.
- Save the username in cache with a short expiration and use the SHA256 sum of the
VouchCookie
as the key. (i.e.VouchCookie_
+sha256sum(VouchCookie)
)
Installation and Usage
pip install django-vouch-proxy-auth
or add django-vouch-proxy-auth
to your requirements file.
To enable the middleware, add django_vouch_proxy_auth.middleware.VouchProxyMiddleware
after Django's AuthenticationMiddleware
.
MIDDLEWARE = [
'django.contrib.auth.middleware.AuthenticationMiddleware',
...
'django_vouch_proxy_auth.middleware.VouchProxyMiddleware'
]
This middleware is also dependent on the VouchProxyUserBackend
Authentication Backend. Add anywhere in your AUTHENTICATION_BACKENDS
.
AUTHENTICATION_BACKENDS = (
'django_vouch_proxy_auth.backends.VouchProxyUserBackend'
)
Finally, you MUST tell the middleware where the /validate
endpoint is. Add the VOUCH_PROXY_VALIDATE_ENDPOINT
to your Django settings.py
file.
VOUCH_PROXY_VALIDATE_ENDPOINT = 'https://login.avacado.lol/validate'
Settings
VOUCH_PROXY_VALIDATE_ENDPOINT
Location of the Vouch Proxy validation endpoint. You MUST provide this value, or the Middleware will raise an ImproperlyConfigured
exception.
VOUCH_PROXY_COOKIE_NAME
Default: VouchCookie
Change this setting if you are using a custom Vouch Proxy cookie name.
VOUCH_PROXY_CACHE_TIMEOUT
Default: 300
(seconds)
This middleware will cache the username if a successful response from the /validate
query is returned. To reduce the load on Vouch Proxy, the middleware will only validate the cookie every 300 seconds (5 minutes) by default.
Set this value to a positive integer if you want to change the cache timeout.
Set this to 0
if you want Django to query the Vouch Proxy /validate
endpoint on every request.
VOUCH_PROXY_CACHE_PREFIX
Default: defaults to the configured value for VOUCH_PROXY_COOKIE_NAME
plus underscore (i.e. VouchCookie_
)
Set this value if you want to change the prefix for the CacheKey.
VOUCH_PROXY_CACHE_BACKEND
Default: default
Set this value if you want to store cached results in a different cache.
VOUCH_PROXY_DISABLED_PATHS
Default: []
Set this value (as an array) to full paths that you want to disable the middleware.
For example, if you have other middleware that causes conflict:
VOUCH_PROXY_DISABLED_PATHS = ['/oidc/authenticate/', '/oidc/callback/']
VOUCH_PROXY_CREATE_UNKNOWN_USER
Default: True
Set this to False if you do not want the middleware to automatically create a user entry on first login. You must use the
VOUCH_PROXY_FORCE_LOGOUT_IF_NO_COOKIE
Default: False
Set this to True
if you want Django to logout the user if the Vouch Cookie is not present.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for django-vouch-proxy-auth-0.1.1.tar.gz
Algorithm | Hash digest | |
---|---|---|
SHA256 | e2b068a51e1bfb4458af07f47a944b508dc623708e5aedf32d5a74c9544013ca |
|
MD5 | 57f5fecf2ef660d237319432a8b8e9a5 |
|
BLAKE2b-256 | f97cfbc21bef565121965fd7b6ab1257147a315cf7449f4ce021c553821e0481 |
Hashes for django_vouch_proxy_auth-0.1.1-py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | 352672a4922e01c1e44ad32ab5b71a0d3c6ef376c09b5f089673035653cb4650 |
|
MD5 | 7dbf28998ef7f10fae3625e09b5d2177 |
|
BLAKE2b-256 | b2fbe22578787e2343b9c5a6f57effd63b1a8acc7d9b609fcac2601f47ff71d9 |