Django Middleware to enable SSO using Vouch Proxy
django-vouch-proxy-auth
Django Middleware enabling the use of the Vouch Proxy cookie for single sign-on.
This package subclasses Django's RemoteUserMiddleware and RemoteUserBackend.
How it Works
- The middleware checks for the presence of the Vouch Proxy cookie.
- If the cookie exists, it attempts to load a previous validation from Django cache.
- If the validation result is not in the cache, send the contents of the VouchCookie cookie to the Vouch Proxy /validate endpoint.
- If the validation is successful, decode and decompress the cookie and extract the username from the JWT payload.
- Save the username in cache with a short expiration and use the SHA256 sum of the VouchCookie as the key (i.e. VouchCookie_ + sha256sum(VouchCookie)).
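The flow above as a runnable sketch; this is an added example, not the package's own code. It assumes the cookie is base64url(gzip(JWT)) with a `username` claim, and `resolve_username`, `validate` and the dict cache are hypothetical stand-ins for the middleware, the HTTP call to /validate and the Django cache.

```python
import base64, gzip, hashlib, json, time

def b64url_decode(data: str) -> bytes:
    # Restore the padding that URL-safe base64 encoders usually strip.
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))

def cache_key(cookie: str, prefix: str = "VouchCookie_") -> str:
    # Key on the SHA256 of the whole cookie: any change to the cookie is a cache miss.
    return prefix + hashlib.sha256(cookie.encode()).hexdigest()

def username_from_cookie(cookie: str) -> str:
    # Assumed encoding: base64url(gzip(JWT)). The payload is read WITHOUT
    # checking the signature, so call this only after /validate succeeded.
    jwt = gzip.decompress(b64url_decode(cookie)).decode()
    payload = json.loads(b64url_decode(jwt.split(".")[1]))
    return payload["username"]  # claim name is an assumption

def resolve_username(cookie, cache, validate, timeout=300, now=time.time):
    key = cache_key(cookie)
    hit = cache.get(key)
    if hit and hit[1] > now():
        return hit[0]             # validated less than `timeout` seconds ago
    if not validate(cookie):      # stand-in for the request to /validate
        return None               # rejected cookies are never decoded or cached
    user = username_from_cookie(cookie)
    cache[key] = (user, now() + timeout)
    return user

def make_sample_cookie(username: str) -> str:
    # Constructed test input: a JWT with a placeholder signature,
    # gzip-compressed and base64url-encoded.
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    jwt = f'{enc({"alg": "HS256"})}.{enc({"username": username})}.constructed-signature'
    return base64.urlsafe_b64encode(gzip.compress(jwt.encode())).decode()

if __name__ == "__main__":
    cache, calls = {}, []
    validate = lambda c: calls.append(c) or True   # records each validation call
    cookie = make_sample_cookie("alice@example.com")
    print(resolve_username(cookie, cache, validate), len(calls))  # first request validates
    print(resolve_username(cookie, cache, validate), len(calls))  # second is served from cache
```

Because the username is read from an unverified payload, the only trust anchor in this flow is the successful /validate response, and a cached entry stays accepted until its timeout expires.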
Installation and Usage
pip install django-vouch-proxy-auth
or add django-vouch-proxy-auth to your requirements file.
To enable the middleware, add django_vouch_proxy_auth.middleware.VouchProxyMiddleware after Django's AuthenticationMiddleware.
MIDDLEWARE = [
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    # ... any other middleware ...
    'django_vouch_proxy_auth.middleware.VouchProxyMiddleware',
]
This middleware also depends on the VouchProxyUserBackend authentication backend. Add it anywhere in your AUTHENTICATION_BACKENDS.
AUTHENTICATION_BACKENDS = (
    # The trailing comma makes this a one-element tuple rather than a plain string.
    'django_vouch_proxy_auth.backends.VouchProxyUserBackend',
)
Finally, you MUST tell the middleware where the /validate endpoint is. Add the VOUCH_PROXY_VALIDATE_ENDPOINT to your Django settings.py file.
VOUCH_PROXY_VALIDATE_ENDPOINT = 'https://login.avacado.lol/validate'
Settings
VOUCH_PROXY_VALIDATE_ENDPOINT
Location of the Vouch Proxy validation endpoint. You MUST provide this value, or the middleware will raise an ImproperlyConfigured exception.
VOUCH_PROXY_VERIFY_SSL
Default: True
Set this to False to ignore verification of the Vouch Proxy SSL certificate.
VOUCH_PROXY_COOKIE_NAME
Default: VouchCookie
Change this setting if you are using a custom Vouch Proxy cookie name.
VOUCH_PROXY_CACHE_TIMEOUT
Default: 300 (seconds)
This middleware will cache the username if a successful response from the /validate query is returned. To reduce the load on Vouch Proxy, the middleware will only validate the cookie every 300 seconds (5 minutes) by default.
Set this value to a positive integer if you want to change the cache timeout.
Set this to 0 if you want Django to query the Vouch Proxy /validate endpoint on every request.
VOUCH_PROXY_CACHE_PREFIX
Default: the configured value of VOUCH_PROXY_COOKIE_NAME plus an underscore (i.e. VouchCookie_)
Set this value if you want to change the prefix for the cache key.
VOUCH_PROXY_CACHE_BACKEND
Default: default
Set this value if you want to store cached results in a different cache.
VOUCH_PROXY_DISABLED_PATHS
Default: []
Set this value (as an array) to the full paths on which you want to disable the middleware.
For example, if you have other middleware that conflicts with it:
VOUCH_PROXY_DISABLED_PATHS = ['/oidc/authenticate/', '/oidc/callback/']
VOUCH_PROXY_CREATE_UNKNOWN_USER
Default: True
Set this to False if you do not want the middleware to automatically create a user entry on first login. You must use the
VOUCH_PROXY_FORCE_LOGOUT_IF_NO_COOKIE
Default: False
Set this to True if you want Django to log out the user if the Vouch Cookie is not present.