Developing an SSO service using Django

Vibhu
October 03, 2020


Single-Sign-On (SSO) allows users to authenticate with a single ID and password to any of several related, yet independent, software systems. Google's authentication system is one such example: it lets users sign in to YouTube, Gmail, Docs and several other products.

This talk discusses how an SSO works and how it can be designed, architected and implemented in Python using Django (REST Framework). It also features the particular implementation being used at Viga Studios to develop an SSO service for all of their products.


Transcript

  1. Developing a Single-Sign-On Service using Django github.com/Vibhu-Agarwal/PyCon-India-2020 @vibhu4agarwal PyCon India 2020
  2. Vibhu Agarwal (@vibhu4agarwal) - He/him - Student - Pythonista - Django User - Back-End Developer at VigaStudios
  3. Single-Sign-On Service
  4. Why? For the user: • Only one password to remember • Better UX. For service providers: • Management: ◦ Database ◦ Session • User-account support • Security layers
  5. How does it work? (title repeated on slides 6 to 10)
  11. How does it work? Client, Auth-Server, Resource-Server, Client Tokens, Resource-Owner (You), Redirect
  12. Commonly used protocols … with different implementations: SAML and WS-Fed (XML); OpenID Connect (JWT); LDAP/AD (LDIF). auth0.com/docs/sso#protocols
  13. OpenID Connect (OIDC): ID_Token (JWT); OAuth 2.0: Access & Refresh Tokens
  14. OAuth 2.0
  15. OpenID Connect
  16. JWT: HEADER { "alg": "HS256", "typ": "JWT" } PAYLOAD { "sub": "1234567890", "name": "John Doe", "iat": 1516239022 } SIGNATURE = HMAC-SHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret_key); the token is xxxxx.yyyyy.zzzzz
  17. Access and Refresh Tokens
  18. Access and Refresh Tokens: a short live demo? github.com/Vibhu-Agarwal/PyCon-India-2020
  19. The Required Tables
  20. The Required Tables
  21. Few things to remember ➔ We’re primarily Service-Providers! ➔ Limited/Restricted Services
  22. Third-Party Services: Scope & Consent Request; Delegated OIDC Flow; OpenID Connect (OIDC)
  23. Consent Request (OIDC Flow)
  24. Limited Services
  25. Flow of Data (Sign-Up): Client, Auth-Server, Resource-Server, Client Tokens
  26. JWT: xxxxx.yyyyy.zzzzz; SIGNATURE = HMAC-SHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret_key)
  27. Solutions with the secret_key method (HMAC-SHA256): 1. Distribute the secret_key itself 2. Dedicated service for token generation and verification
  28. secret_key with both servers (secret_key held on each)
  29. secret_key with both servers (secret_key held on each)
  30. Solutions with the secret_key method (HMAC-SHA256): 1. Distribute the secret_key itself 2. Dedicated service for token generation and verification
  31. Dedicated Verification Service: Auth-Server and Verification-Server (secret_key held on each)
  32. Asymmetric Cryptography (Public + Private Keys) (RSA-SHA256): Private Key creates signatures; Public Key verifies signatures
  33. Public and Private Keys: private_key on the Auth-Server; public_key on each of the other servers
  34. Asymmetric Cryptography (Public + Private Keys) (RSA-SHA256): Private Key creates signatures; Public Key verifies signatures. Public Key encrypts messages; Private Key decrypts messages
  35. Show me the Code! @vibhu4agarwal PyCon India 2020 github.com/Vibhu-Agarwal/PyCon-India-2020

  36. @vibhu4agarwal PyCon India 2020 License Management Database Model: github.com/Vibhu-Agarwal/PyCon-India-2020

  37. @vibhu4agarwal PyCon India 2020 github.com/Vibhu-Agarwal/PyCon-India-2020 Django Django-REST-Framework (DRF) Libraries first

    ... The Framework
  38. @vibhu4agarwal PyCon India 2020 github.com/Vibhu-Agarwal/PyCon-India-2020 djangorestframework-simplejwt requests Libraries first ...

    JSON-Web-Tokens and Making Requests
  39. @vibhu4agarwal PyCon India 2020 github.com/Vibhu-Agarwal/PyCon-India-2020 Libraries first ... Asymmetric cryptography

  40. @vibhu4agarwal PyCon India 2020 settings.py

  41. @vibhu4agarwal PyCon India 2020 settings.py

  42. @vibhu4agarwal PyCon India 2020 settings.py

  43. @vibhu4agarwal PyCon India 2020 settings.py

  44. @vibhu4agarwal PyCon India 2020 settings.py

  45. @vibhu4agarwal PyCon India 2020 How the JWT claims would look

    right now
  46. @vibhu4agarwal PyCon India 2020 Django-REST-Framework Models Serializers Views URLs Permissions

  47. @vibhu4agarwal PyCon India 2020 users/models.py

  48. @vibhu4agarwal PyCon India 2020 services/models.py

  49. @vibhu4agarwal PyCon India 2020 Expand the reach ...

  50. @vibhu4agarwal PyCon India 2020 The ‘aud’ (Audience) Claim

  51. @vibhu4agarwal PyCon India 2020 urls.py

  52. @vibhu4agarwal PyCon India 2020 jwt.py

  53. @vibhu4agarwal PyCon India 2020 How the JWT claims would look

    Now!
  54. @vibhu4agarwal PyCon India 2020 DRF’s Generic API Views

  55. @vibhu4agarwal PyCon India 2020 DRF’s Model Serializers

  56. Resources @vibhu4agarwal PyCon India 2020 • OpenID Connect • Map

    of OAuth 2.0 Specs • cryptography - Asymmetric Algorithms • DRF - Writing Custom Permissions • Writing Generic API Views using DRF github.com/Vibhu-Agarwal/PyCon-India-2020
  57. @vibhu4agarwal Hit me Up! :) @vibhu4agarwal PyCon India 2020 github.com/Vibhu-Agarwal/PyCon-India-2020