{"id":18471316,"url":"https://github.com/blueshoe/pycloak","last_synced_at":"2025-06-27T13:35:05.315Z","repository":{"id":44319003,"uuid":"408820308","full_name":"Blueshoe/pycloak","owner":"Blueshoe","description":"pycloak contains a handy django middleware to read jwt (from openid connect flow) to manage users and access from remote identity providers.","archived":false,"fork":false,"pushed_at":"2025-02-04T15:22:28.000Z","size":302,"stargazers_count":9,"open_issues_count":9,"forks_count":1,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-04-01T12:58:05.440Z","etag":null,"topics":["authentication","jwt","jwt-authentication","oidc","oidc-client"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Blueshoe.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGES.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-09-21T12:56:44.000Z","updated_at":"2025-02-04T15:22:24.000Z","dependencies_parsed_at":"2024-02-21T19:28:00.705Z","dependency_job_id":"ae4be3a6-ed6e-4893-8420-a266267482f8","html_url":"https://github.com/Blueshoe/pycloak","commit_stats":null,"previous_names":[],"tags_count":25,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Blueshoe%2Fpycloak","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Blueshoe%2Fpycloak/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Blueshoe%2Fpycloak/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Blueshoe%2Fpyc
loak/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Blueshoe","download_url":"https://codeload.github.com/Blueshoe/pycloak/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247833988,"owners_count":21003897,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["authentication","jwt","jwt-authentication","oidc","oidc-client"],"created_at":"2024-11-06T10:16:35.684Z","updated_at":"2025-04-08T11:32:08.278Z","avatar_url":"https://github.com/Blueshoe.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# pycloak\n\n## Abstract\nWhen creating service-oriented platforms with django, the redundant user management becomes an unneeded overhead.\nHence, a central user and permission management with secure authorization is required. We'd like to use standard\ncomponents all over and only use django for the domain specific implementations. This follows the trend to\npush implementation details to the infrastructure.\n\nThis project contains utilities for django to support the following architecture. In this use case django is not required\nto authorize or validate the token as this is already done. Django can extract the user's information (i.e. 
profile and\ngroup memberships) and other claims and work with it right away.\n\n![Pycloak Architecture](docs/static/img/pycloak-arch.png?raw=true \"Architecture\")\n\nThis setup contains a couple of standard components, such as the JWT issuer, for instance \n[Keycloak](https://www.keycloak.com) or any social login provider. The token validation and authorization \n(like e-mail domain, profile information, group membership) is done by a specialized reverse proxy, such as the\n[OAuth2 Proxy](https://oauth2-proxy.github.io/oauth2-proxy/). Of course there are plenty of other OpenID Connect/OAuth2\nproducts available on the market.\n\n\n\n## Auth backend\nAdd `pycloak.auth.JWTBackend` to your `AUTHENTICATION_BACKENDS` setting, e.g.:\n\n```python\nAUTHENTICATION_BACKENDS = [\n    \"django.contrib.auth.backends.ModelBackend\",\n    \"pycloak.auth.JWTBackend\",\n]\n```\n\nThe auth backend can be subclassed and provides a couple of hooks to customize its behaviour beyond the flexibility given by the settings:\n\n```\nget_username(self, request, jwt_data: dict) -\u003e str\nget_email(self, request, jwt_data: dict) -\u003e str\nget_firstname(self, request, jwt_data: dict) -\u003e str\nget_lastname(self, request, jwt_data: dict) -\u003e str\nget_is_staff(self, request, jwt_data: dict) -\u003e bool\nget_is_superuser(self, request, jwt_data: dict) -\u003e bool\nget_roles(self, request, jwt_data: dict) -\u003e List[str]\n```\n\n## Middleware\nAdd `pycloak.middleware.JWTMiddleware` to your `MIDDLEWARE` setting, e.g.:\n\n```python\nMIDDLEWARE = [\n    'django.contrib.sessions.middleware.SessionMiddleware',\n    'django.contrib.auth.middleware.AuthenticationMiddleware',\n    # ...\n    'pycloak.middleware.JWTMiddleware',  # after the above!\n]\n```\n\nThe middleware can also be subclassed with the following hooks:\n```\nget_verify(self, request) -\u003e bool\nget_audience(self, request) -\u003e str\nget_public_key(self, request) -\u003e str\nget_algorithms(self, request) -\u003e 
List[str]\nget_jwt_from_request(self, request) -\u003e str  # extract the raw token from the request\nget_data_from_jwt(self, request, jwt) -\u003e dict  # decode the raw token\nallow_default_login(self, request) -\u003e bool\nget_token_id(self, request, jwt_data) -\u003e str\n```\n\n## Other settings\nThere are a couple of other settings that can be used to modify the behaviour. They are shown with their default values:\n\n```python\n# if these three are set, the jwt will be verified\nPYCLOAK_ALGORITHM = None  # could be for instance: \"RS256\"\nPYCLOAK_AUDIENCE = None\nPYCLOAK_PUBLIC_KEY = None  # public key can be exported from keycloak (realm settings \u003e keys \u003e public keys)\n\n# if set, the issuer will be checked against this value\nPYCLOAK_ISSUER = None \n\n# header that transports the JWT; use HTTP_AUTHORIZATION for Bearer authentication\nPYCLOAK_TOKEN_HEADER = \"HTTP_X_FORWARDED_ACCESS_TOKEN\"\n\n# if token decoding or authentication fails, do nothing\nPYCLOAK_ALLOW_DEFAULT_LOGIN = True\n\n# claims to use for populating user model \nPYCLOAK_USERNAME_CLAIM = \"preferred_username\"\nPYCLOAK_FIRSTNAME_CLAIM = \"given_name\"\nPYCLOAK_LASTNAME_CLAIM = \"family_name\"\nPYCLOAK_EMAIL_CLAIM = \"email\"\n\n# claim used to identify tokens and expire sessions\nPYCLOAK_TOKENID_LOGIN = \"jti\"\n\n# key used to store token id in session\nPYCLOAK_SESSION_KEY = \"_pycloak_token_id\"\n\n# client_id. 
Only \"resource_access\" roles of this client will be considered \nPYCLOAK_CLIENT_ID = \"account\"\n\n# roles that escalate user privileges\n# they are read from jwt[\"realm_access\"][\"roles\"] and \n# any jwt[\"resource_access\"][...][\"roles\"]\nPYCLOAK_STAFF_ROLES = []\nPYCLOAK_SUPERUSER_ROLES = []\n\n# mapping to store claim from token on user field, e.g.\n#\n# from somewhere import parse_birthdate\n# PYCLOAK_CLAIM_TO_USER_MAPPING = {\n#     \"birthday\": {\"field\": \"profile.birth_date\", \"callback\": parse_birthdate}\n# }\n#\n# will pass the value of claim \"birthday\" to parse_birthdate and store the result on the user.profile.birth_date field\nPYCLOAK_CLAIM_TO_USER_MAPPING = {}\n# if True, missing claims will be skipped and logged as a warning, otherwise an ImproperlyConfigured exception will be raised\nPYCLOAK_CLAIM_SKIP_MISSING = False\n# if True, validation errors will be skipped and logged as a warning, otherwise a ValueError will be raised\nPYCLOAK_CLAIM_IGNORE_VALIDATION_ERRORS = False\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fblueshoe%2Fpycloak","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fblueshoe%2Fpycloak","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fblueshoe%2Fpycloak/lists"}