Developing an SSO service using Django

Transcript

1. Developing a Single-Sign-On Service using Django github.com/Vibhu-Agarwal/PyCon-India-2020 @vibhu4agarwal PyCon India

   2020

2. - He/him - Student - Pythonista - Django User -

   Back-End Developer at VigaStudios Vibhu Agarwal (@vibhu4agarwal) PyCon India 2020

3. Single-Sign-On Service @vibhu4agarwal PyCon India 2020

4. Why? @vibhu4agarwal PyCon India 2020 For User • Only one

   password to remember • Better UX For Service Providers • Management: ◦ Database ◦ Session • User-account Support • Security Layers

5. How does it work? @vibhu4agarwal PyCon India 2020

6. How does it work? @vibhu4agarwal PyCon India 2020

7. How does it work? @vibhu4agarwal PyCon India 2020

8. How does it work? @vibhu4agarwal PyCon India 2020

9. How does it work? @vibhu4agarwal PyCon India 2020

10. How does it work? @vibhu4agarwal PyCon India 2020

11. How does it work? @vibhu4agarwal PyCon India 2020 Client Auth-Server

    Resource-Server Client Tokens Resource-Owner (You) Redirect

12. Commonly used Protocols … with different implementations SAML and WS-Fed

    - XML OpenID Connect - JWT LDAP/AD - LDIF @vibhu4agarwal PyCon India 2020 auth0.com/docs/sso#protocols

13. OpenID Connect (OIDC) @vibhu4agarwal PyCon India 2020 ID_Token (JWT) OAuth

    2.0 - Access & Refresh Tokens

14. @vibhu4agarwal PyCon India 2020 OAuth 2.0

15. @vibhu4agarwal PyCon India 2020 OpenID Connect

16. JWT @vibhu4agarwal PyCon India 2020 { "alg": "HS256", "typ": "JWT",

    } { "sub": "1234567890", "name": "John Doe", "iat": 1516239022 } HEADER PAYLOAD xxxxx . yyyyy . zzzzz HMAC-SHA256( base64UrlEncode(header). base64UrlEncode(payload), secret_key) SIGNATURE

17. @vibhu4agarwal PyCon India 2020 Access and Refresh Tokens

18. @vibhu4agarwal PyCon India 2020 Access and Refresh Tokens a short

    live demo? github.com/Vibhu-Agarwal/PyCon-India-2020

19. The Required Tables @vibhu4agarwal PyCon India 2020

20. The Required Tables @vibhu4agarwal PyCon India 2020

21. Few things to remember @vibhu4agarwal PyCon India 2020 ➔ We’re

    primarily Service-Providers! ➔ Limited/Restricted Services

22. @vibhu4agarwal PyCon India 2020 Third-Party Services Scope & Consent Request

    Delegated OIDC Flow OpenID Connect (OIDC)

23. @vibhu4agarwal PyCon India 2020 Consent Request (OIDC Flow)

24. @vibhu4agarwal PyCon India 2020 Limited Services

25. Flow of Data (Sign-Up) @vibhu4agarwal PyCon India 2020 Client Auth-Server

    Resource-Server Client Tokens

26. JWT @vibhu4agarwal PyCon India 2020 xxxxx . yyyyy . zzzzz

    HMAC-SHA256( base64UrlEncode(header). base64UrlEncode(payload), secret_key) SIGNATURE

27. Solutions with secret_key method (HMAC-SHA256) 1. Distribute the secret_key itself

    2. Dedicated service for token generation and verification @vibhu4agarwal PyCon India 2020

28. secret_key with both servers @vibhu4agarwal PyCon India 2020 secret_key secret_key

29. secret_key with both servers @vibhu4agarwal PyCon India 2020 secret_key secret_key

30. Solutions with secret_key method (HMAC-SHA256) 1. Distribute the secret_key itself

    2. Dedicated service for token generation and verification @vibhu4agarwal PyCon India 2020

31. Dedicated Verification Service @vibhu4agarwal PyCon India 2020 secret_key secret_key Auth-Server

    Verification-Server

32. Asymmetric Cryptography (Public + Private Keys) (RSA-SHA256) Private Key: Creates

    Signatures Public Key: Verifies Signatures @vibhu4agarwal PyCon India 2020

33. Public and Private Keys @vibhu4agarwal PyCon India 2020 private_key Auth-Server

    public_key public_key public_key public_key

34. Asymmetric Cryptography (Public + Private Keys) (RSA-SHA256) Private Key: Creates

    Signatures Public Key: Verifies Signatures @vibhu4agarwal PyCon India 2020 Public Key: Encrypts messages Private Key: Decrypts messages

35. Show me the Code! @vibhu4agarwal PyCon India 2020 github.com/Vibhu-Agarwal/PyCon-India-2020

36. @vibhu4agarwal PyCon India 2020 License Management Database Model: github.com/Vibhu-Agarwal/PyCon-India-2020

37. @vibhu4agarwal PyCon India 2020 github.com/Vibhu-Agarwal/PyCon-India-2020 Django Django-REST-Framework (DRF) Libraries first

    ... The Framework

38. @vibhu4agarwal PyCon India 2020 github.com/Vibhu-Agarwal/PyCon-India-2020 djangorestframework-simplejwt requests Libraries first ...

    JSON-Web-Tokens and Making Requests

39. @vibhu4agarwal PyCon India 2020 github.com/Vibhu-Agarwal/PyCon-India-2020 Libraries first ... Asymmetric cryptography

40. @vibhu4agarwal PyCon India 2020 settings.py

41. @vibhu4agarwal PyCon India 2020 settings.py

42. @vibhu4agarwal PyCon India 2020 settings.py

43. @vibhu4agarwal PyCon India 2020 settings.py

44. @vibhu4agarwal PyCon India 2020 settings.py

45. @vibhu4agarwal PyCon India 2020 How the JWT claims would look

    right now

46. @vibhu4agarwal PyCon India 2020 Django-REST-Framework Models Serializers Views URLs Permissions

47. @vibhu4agarwal PyCon India 2020 users/models.py

48. @vibhu4agarwal PyCon India 2020 services/models.py

49. @vibhu4agarwal PyCon India 2020 Expand the reach ...

50. @vibhu4agarwal PyCon India 2020 The ‘aud’ (Audience) Claim

51. @vibhu4agarwal PyCon India 2020 urls.py

52. @vibhu4agarwal PyCon India 2020 jwt.py

53. @vibhu4agarwal PyCon India 2020 How the JWT claims would look

    Now!

54. @vibhu4agarwal PyCon India 2020 DRF’s Generic API Views

55. @vibhu4agarwal PyCon India 2020 DRF’s Model Serializers

56. Resources @vibhu4agarwal PyCon India 2020 • OpenID Connect • Map

    of OAuth 2.0 Specs • cryptography - Asymmetric Algorithms • DRF - Writing Custom Permissions • Writing Generic API Views using DRF github.com/Vibhu-Agarwal/PyCon-India-2020

57. @vibhu4agarwal Hit me Up! :) @vibhu4agarwal PyCon India 2020 github.com/Vibhu-Agarwal/PyCon-India-2020