{"id":19310313,"url":"https://github.com/cedadev/django-auth-service","last_synced_at":"2025-04-22T13:33:56.122Z","repository":{"id":44686970,"uuid":"240533809","full_name":"cedadev/django-auth-service","owner":"cedadev","description":"Django based filters for handling authorization/authentication in Nginx.","archived":false,"fork":false,"pushed_at":"2024-08-22T18:18:14.000Z","size":110,"stargazers_count":7,"open_issues_count":2,"forks_count":1,"subscribers_count":9,"default_branch":"master","last_synced_at":"2024-09-22T00:05:20.733Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"other","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cedadev.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-02-14T15:02:37.000Z","updated_at":"2024-08-13T07:31:27.000Z","dependencies_parsed_at":"2024-08-09T17:34:24.287Z","dependency_job_id":"f108d83a-4e30-42a9-8314-8688dd4600a2","html_url":"https://github.com/cedadev/django-auth-service","commit_stats":null,"previous_names":[],"tags_count":8,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cedadev%2Fdjango-auth-service","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cedadev%2Fdjango-auth-service/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cedadev%2Fdjango-auth-service/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cedadev%2Fdjango-auth-service/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/
hosts/GitHub/owners/cedadev","download_url":"https://codeload.github.com/cedadev/django-auth-service/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":223898942,"owners_count":17221855,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-10T00:23:36.704Z","updated_at":"2024-11-10T00:23:37.517Z","avatar_url":"https://github.com/cedadev.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Django Auth Service\n\nDjango application for authenticating and authorizing user sessions.\n\nDesigned to work in tandem with an Nginx server using the [auth_request module](http://nginx.org/en/docs/http/ngx_http_auth_request_module.html)\nto authorize access to resources, e.g. 
a web service or set of services in a cluster.\nAuthorization is handled by one or more middleware classes, which must be added to your deployment settings.\nThere is also a selection of middleware classes available to provide authentication.\n\nSee the sections below for details about how the app works and how it can be configured.\n\n## Basic access control flow\n\nTo verify access to a resource, the auth service app's `/verify` endpoint can be queried with a resource specified\nwith the `next` query parameter or the `X-Origin-URI` request header.\n\nActivated authorization middleware can then check this URL against whatever rules are in place on the server and\nmake a decision to allow or deny access to the resource.\n\nHere is an example of how to pass a resource to the verify endpoint:\n\n```\nhttp://my-auth-host.example.com/verify/?next=http://my-requested-resource.example.com/\n```\n\nIf the request was anonymous, and an appropriate authentication middleware has been enabled, a login flow\nmay be triggered by a 401 response from the auth service. 
In such a case, the next step would be to query the `/login`\nendpoint with the same resource:\n\n```\nhttp://my-auth-host.example.com/login/?next=http://my-requested-resource.example.com/\n```\n\nThis time, the resource URL will be stored inside the Django session during a browser login flow, to be fetched\nback by the `/callback` endpoint.\n\nThe following settings related to resource URL management can be adjusted to suit your deployment needs:\n\n- `RESOURCE_URI_QUERY_KEY` - The URL query parameter used to set the requested resource, default `next`.\n- `RESOURCE_URI_HEADER_KEY` - If not using a URL query parameter, this request header can be used to set the resource, default `X-Origin-URI`.\n- `RESOURCE_URI_SESSION_KEY` - The dictionary key used to store the resource inside the Django session during a login flow, default `resource_uri`.\n\n## Using with the Nginx auth_request module\n\nFor detailed information about using the auth_request module, see the [Nginx documentation page](http://nginx.org/en/docs/http/ngx_http_auth_request_module.html).\n\nConfiguration for the Auth service's `/verify` endpoint might look something like this:\n\n```nginx\n# The verify endpoint gives a 200, 401 or 403 response to a request depending on authorization\nlocation /verify {\n    proxy_pass http://authservice/verify;\n    proxy_pass_request_body off;\n\n    proxy_set_header Content-Length '0';\n    proxy_set_header X-Original-URI $request_uri;\n}\n```\n\nNotice that we have specified the resource with the `X-Origin-URI` header, informing the auth service of the resource we are attempting to authorize access to.\n\nIf authorization is not granted, and authentication is required, a `/login` endpoint can be configured similarly:\n\n```nginx\n# The login endpoint will authenticate a user with a configured OIDC server\nlocation /login {\n    proxy_pass http://authservice/login;\n    proxy_pass_request_body off;\n\n    proxy_set_header Content-Length '0';\n    
proxy_set_header Host $host;\n}\n```\n\nIn this case, we are using the `next` query parameter to set the resource URL.\n\nNext, configure a secured path on the same server that requires authorization:\n\n```nginx\n# Some application serving secured data\nlocation /dataserver {\n    proxy_pass http://dataserver;\n\n    # Auth request configuration for this path\n    auth_request /verify;\n    # Extract the authenticated user's username\n    auth_request_set $username $upstream_http_x_username;\n\n    # Unauthenticated requests are redirected to the login endpoint\n    error_page 401 = @error401;\n}\n```\n\nHere we have added a simple `auth_request` directive pointing at our previously configured `/verify` endpoint. Once Nginx has queried it, the request will either be allowed through (on an HTTP 200 response) or denied (401 or 403 response). Additionally, an `error_page` has been specified for 401 responses, to trigger a login.\n\nWe are also using the `auth_request_set` directive to extract an authenticated user's username and store it for other purposes. See the [relevant documentation](http://nginx.org/en/docs/http/ngx_http_auth_request_module.html) for more options.\n\nFinally, the 401 error handler can be configured:\n\n```nginx\nlocation @error401 {\n    set $query '';\n    if ($request_uri ~* \"[^\\?]+\\?(.*)$\") {\n        set $query $1;\n    }\n\n    return 302 /login/?next=$scheme://$http_host$http_port$request_uri;\n}\n```\n\nThis initiates a redirect to the `/login` endpoint when a request requires authentication.\n\n## Authentication settings\n\nThis section introduces the available authentication middleware classes. 
One or more of these classes can be added to your Django deployment's `MIDDLEWARE`\nsettings, in any order, to provide a variety of different authentication methods to users.\n\n- `authenticate.oauth2.middleware.BearerTokenAuthenticationMiddleware`\n\n  Authenticates requests based on the presence of an [OAuth2](https://oauth.net/2/) Bearer Token.\n\n  Requires the following settings:\n\n  - `OAUTH_CLIENT_ID` - The ID of your OAuth2 client.\n  - `OAUTH_CLIENT_SECRET` - The secret associated with your OAuth2 client.\n  - `OAUTH_TOKEN_URL` - An endpoint on the OAuth2 server used to fetch a token.\n  - `OAUTH_TOKEN_INTROSPECT_URL` - The OAuth2 server's token introspection endpoint. Used to determine token validity.\n\n- `authenticate.oidc.middleware.OpenIDConnectAuthenticationMiddleware`\n\n  Authenticates requests using an OpenID Connect authentication flow.\n\n  This middleware makes use of [Authlib](https://pypi.org/project/Authlib/). See the Authlib documentation for help with [configuration](https://docs.authlib.org/en/latest/client/django.html#configuration).\n\n- `authenticate.cookie.middleware.CookieAuthenticationMiddleware`\n\n  Authenticates requests based on the presence of an encrypted cookie generated by the [crypto-cookie](https://pypi.org/project/crypto-cookie/) package.\n\n  Requires the following settings:\n\n  - `ACCOUNT_COOKIE_NAME` - The name of the cookie.\n  - `SECURITY_SHAREDSECRET` - The Base64-encoded secret used to encrypt the cookie.\n\n## Authorization settings\n\nSimilar to authentication middleware, authorization middleware are added to your Django deployment's `MIDDLEWARE` settings\nto provide a variety of authorization methods for controlling access to resources.\n\n- `authorize.middleware.saml.SAMLAuthorizationMiddleware`\n\n  A middleware which queries a SAML authorization server to determine if a user is permitted access to the requested resource.\n\n  This middleware requires an authorization service endpoint specified by the 
`AUTHORIZATION_SERVICE_URL` setting.\n\n- `authorize.middleware.LoginAuthorizationMiddleware`\n\n  A simple middleware that will authorize any request that has been successfully authenticated.\n\n### Bypassing authorization\n\nThe `AUTHORIZATION_EXEMPT_FILTER` setting can be assigned a function used to determine whether a request is exempt from authorization, e.g.\n\n  ```python\n  # Exempts every request from authorization checks\n  def exempt_all(request):\n      return True\n\n  AUTHORIZATION_EXEMPT_FILTER = exempt_all\n  ```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcedadev%2Fdjango-auth-service","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcedadev%2Fdjango-auth-service","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcedadev%2Fdjango-auth-service/lists"}