Slide 1

Developing a Single-Sign-On Service using Django
github.com/Vibhu-Agarwal/PyCon-India-2020
@vibhu4agarwal, PyCon India 2020

Slide 2

Vibhu Agarwal (@vibhu4agarwal)
- He/him
- Student
- Pythonista
- Django User
- Back-End Developer at VigaStudios

Slide 3

Single-Sign-On Service

Slide 4

Why?

For User
● Only one password to remember
● Better UX

For Service Providers
● Management:
  ○ Database
  ○ Session
● User-account Support
● Security Layers

Slide 5

How does it work?

Slide 6

How does it work?

Slide 7

How does it work?

Slide 8

How does it work?

Slide 9

How does it work?

Slide 10

How does it work?

Slide 11

How does it work?
(diagram: Resource-Owner (You), Client, Auth-Server, Resource-Server; Redirect; Client Tokens)

Slide 12

Commonly used Protocols ... with different implementations
- SAML and WS-Fed - XML
- OpenID Connect - JWT
- LDAP/AD - LDIF
auth0.com/docs/sso#protocols

Slide 13

OpenID Connect (OIDC)
- ID_Token (JWT)
- OAuth 2.0 - Access & Refresh Tokens

Slide 14

OAuth 2.0

Slide 15

OpenID Connect

Slide 16

JWT

HEADER
{ "alg": "HS256", "typ": "JWT" }

PAYLOAD
{ "sub": "1234567890", "name": "John Doe", "iat": 1516239022 }

SIGNATURE
HMAC-SHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret_key)

Token: xxxxx.yyyyy.zzzzz

Slide 17

Access and Refresh Tokens

Slide 18

Access and Refresh Tokens
A short live demo? github.com/Vibhu-Agarwal/PyCon-India-2020

Slide 19

The Required Tables

Slide 20

The Required Tables

Slide 21

Few things to remember
➔ We're primarily Service-Providers!
➔ Limited/Restricted Services

Slide 22

OpenID Connect (OIDC)
(diagram: Third-Party Services, Scope & Consent Request, Delegated OIDC Flow)

Slide 23

Consent Request (OIDC Flow)

Slide 24

Limited Services

Slide 25

Flow of Data (Sign-Up)
(diagram: Client, Auth-Server, Resource-Server; Client Tokens)

Slide 26

JWT

Token: xxxxx.yyyyy.zzzzz

SIGNATURE
HMAC-SHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret_key)

Slide 27

Solutions with the secret_key method (HMAC-SHA256)
1. Distribute the secret_key itself
2. Dedicated service for token generation and verification

Slide 28

secret_key with both servers
(diagram: secret_key held on each server)

Slide 29

secret_key with both servers
(diagram: secret_key held on each server)

Slide 30

Solutions with the secret_key method (HMAC-SHA256)
1. Distribute the secret_key itself
2. Dedicated service for token generation and verification

Slide 31

Dedicated Verification Service
(diagram: Auth-Server and Verification-Server, each holding secret_key)

Slide 32

Asymmetric Cryptography (Public + Private Keys) (RSA-SHA256)
- Private Key: Creates Signatures
- Public Key: Verifies Signatures

Slide 33

Public and Private Keys
(diagram: private_key at the Auth-Server; public_key at each of the other servers)

Slide 34

Asymmetric Cryptography (Public + Private Keys) (RSA-SHA256)
- Private Key: Creates Signatures
- Public Key: Verifies Signatures
- Public Key: Encrypts messages
- Private Key: Decrypts messages
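The split of roles on the last three slides, as an added example (not code from the talk's repository): the Auth-Server alone holds the private key and mints RS256 tokens, while any Resource-Server that has only the public key can verify them but cannot forge them. It assumes the `cryptography` package; the function names and the sample claims are constructed for the demo, and claim checks (exp, aud) are left out to keep the focus on the key roles.

```python
import base64
import json

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_keypair():
    """Run once on the Auth-Server; only the PEM public half is handed to other servers."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    public_pem = private_key.public_key().public_bytes(
        serialization.Encoding.PEM, serialization.PublicFormat.SubjectPublicKeyInfo)
    return private_key, public_pem


def auth_server_sign(claims: dict, private_key) -> str:
    """Auth-Server side: RS256 is RSA PKCS#1 v1.5 over SHA-256 of 'header.payload'."""
    header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = private_key.sign(signing_input, padding.PKCS1v15(), hashes.SHA256())
    return f"{header}.{payload}.{b64url(sig)}"


def resource_server_verify(token: str, public_pem: bytes) -> dict:
    """Resource-Server side: needs the public key only, so it can check but never mint tokens."""
    h, p, s = token.split(".")
    # The verifier fixes the algorithm; a token header must not be able to pick a different one.
    if json.loads(b64url_decode(h)).get("alg") != "RS256":
        raise ValueError("unexpected alg")
    public_key = serialization.load_pem_public_key(public_pem)
    try:
        public_key.verify(b64url_decode(s), f"{h}.{p}".encode(),
                          padding.PKCS1v15(), hashes.SHA256())
    except InvalidSignature:
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))
```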

Slide 35

Show me the Code!
github.com/Vibhu-Agarwal/PyCon-India-2020

Slide 36

License Management
Database Model: github.com/Vibhu-Agarwal/PyCon-India-2020

Slide 37

Libraries first ... The Framework
- Django
- Django-REST-Framework (DRF)
github.com/Vibhu-Agarwal/PyCon-India-2020

Slide 38

Libraries first ... JSON-Web-Tokens and Making Requests
- djangorestframework-simplejwt
- requests
github.com/Vibhu-Agarwal/PyCon-India-2020

Slide 39

Libraries first ... Asymmetric cryptography
github.com/Vibhu-Agarwal/PyCon-India-2020

Slide 40

settings.py

Slide 41

settings.py

Slide 42

settings.py

Slide 43

settings.py

Slide 44

settings.py

Slide 45

How the JWT claims would look right now

Slide 46

Django-REST-Framework
- Models
- Serializers
- Views
- URLs
- Permissions

Slide 47

users/models.py

Slide 48

services/models.py

Slide 49

Expand the reach ...

Slide 50

The 'aud' (Audience) Claim
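The HS256 layout from the JWT slide, the shared secret_key arrangement from the secret_key slides, and the 'aud' claim from this slide, brought together in one added standard-library example (not code from the talk's repository). The Auth-Server mints the token; a Resource-Server holding the same secret_key verifies it and accepts it only if the algorithm, signature, 'exp' and 'aud' all pass. SECRET_KEY, the function names and the 'license-service' audience value are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo secret. In the talk's first solution this same key sits on both
# Auth-Server and Resource-Server; in the second, only the verification service holds it.
SECRET_KEY = b"demo-secret-do-not-use"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_jwt(claims: dict, key: bytes) -> str:
    """Auth-Server side: header.payload.signature, HMAC-SHA256 over the first two parts."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [b64url(json.dumps(obj, separators=(",", ":")).encode()) for obj in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_jwt(token: str, key: bytes, audience: str, now=None) -> dict:
    """Resource-Server side: return the claims only if alg, signature, exp and aud all pass."""
    try:
        h, p, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    # The verifier fixes the algorithm; the token's own header must not get to choose it.
    if json.loads(b64url_decode(h)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):  # constant-time comparison
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    now = int(time.time()) if now is None else now
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("missing or expired exp")
    # 'aud' may be one string or a list; this service must be named in it.
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if audience not in aud:
        raise ValueError("token not issued for this audience")
    return claims
```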

Slide 51

urls.py

Slide 52

jwt.py

Slide 53

How the JWT claims would look now!

Slide 54

DRF's Generic API Views

Slide 55

DRF's Model Serializers

Slide 56

Resources
● OpenID Connect
● Map of OAuth 2.0 Specs
● cryptography - Asymmetric Algorithms
● DRF - Writing Custom Permissions
● Writing Generic API Views using DRF
github.com/Vibhu-Agarwal/PyCon-India-2020

Slide 57

Hit me up! :) @vibhu4agarwal
github.com/Vibhu-Agarwal/PyCon-India-2020