Developing an SSO service using Django - PyCon Sweden 2020

Developing a Single-Sign-On Service using Django @vibhu4agarwal PyCon Sweden 2020
github.com/Vibhu-Agarwal/Developing-an-SSO-Service-using-Django

- He/him - Student - Pythonista - Django User -
Back-End Developer at VigaStudios Vibhu Agarwal (@vibhu4agarwal) PyCon Sweden 2020

What? @vibhu4agarwal PyCon Sweden 2020

Why? For User • Only one password to remember •
Better UX For Service Providers • Management: ◦ Database ◦ Session • User-account Support • Security Layers @vibhu4agarwal PyCon Sweden 2020

Why … this talk? @vibhu4agarwal PyCon Sweden 2020

How? @vibhu4agarwal PyCon Sweden 2020

How does it work? @vibhu4agarwal PyCon Sweden 2020

OAuth Authorization {Access & Refresh} Tokens @vibhu4agarwal PyCon Sweden 2020

Terminologies Client Authorization-Server Back-End Server Client Tokens Resource-Owner (You) Redirect
@vibhu4agarwal PyCon Sweden 2020 Protected Resource

OAuth Authorization {Access & Refresh} Tokens @vibhu4agarwal PyCon Sweden 2020

OpenID Connect (OIDC) ID_Token (JWT) OAuth 2.0 @vibhu4agarwal PyCon Sweden
2020

OAuth 2.0 @vibhu4agarwal PyCon Sweden 2020

OpenID Connect @vibhu4agarwal PyCon Sweden 2020

JWT { "alg": "HS256", "typ": "JWT", } { "sub": "1234567890",
"name": "John Doe", "iat": 1516239022 } HEADER PAYLOAD xxxxx . yyyyy . zzzzz HMAC-SHA256( base64UrlEncode(header). base64UrlEncode(payload), secret_key) SIGNATURE @vibhu4agarwal PyCon Sweden 2020

Access and Refresh Tokens @vibhu4agarwal PyCon Sweden 2020

Access and Refresh Tokens a short live demo? @vibhu4agarwal PyCon
Sweden 2020 github.com/Vibhu-Agarwal/Developing-an-SSO-Service-using-Django

OAuth 2.0 Flow(s) @vibhu4agarwal PyCon Sweden 2020 Auth-Code Resource-Owner Password
Implicit Client-Credentials auth0.com/docs/flows

Third-Party Services; Identity-Providers Scope & Consent Request @vibhu4agarwal PyCon Sweden
2020 Authorization-Code Flow

Consent Request @vibhu4agarwal PyCon Sweden 2020

From this ... @vibhu4agarwal PyCon Sweden 2020

… to this @vibhu4agarwal PyCon Sweden 2020

OAuth 2.0 - Authorization Code Flow PyCon Sweden 2020 youtu.be/0VWkQMr7r_c

Few things to remember ➔ We’re primarily Service-Providers! ➔ Limited/Restricted
Services @vibhu4agarwal PyCon Sweden 2020

Service Providers! Need to separate out auth-server No third-party involvement
@vibhu4agarwal PyCon Sweden 2020

What’s the point? No worries about third-parties Release some control
to Clients Customization of Flow @vibhu4agarwal PyCon Sweden 2020

Previously ... Auth-Server Back-End Server Client Tokens @vibhu4agarwal PyCon Sweden
2020 Client

Previously ... Auth-Server @vibhu4agarwal PyCon Sweden 2020 Client

Previously ... Back-End Server Client Tokens @vibhu4agarwal PyCon Sweden 2020

What customization? @vibhu4agarwal PyCon Sweden 2020 Auth-Server Tokens Back-End Server

What customization? @vibhu4agarwal PyCon Sweden 2020 Auth-Server Tokens Back-End Server
Client

Few things to remember ➔ We’re primarily Service-Providers! ➔ Limited/Restricted
Services @vibhu4agarwal PyCon Sweden 2020

Limited Services @vibhu4agarwal PyCon Sweden 2020

Separate Servers @vibhu4agarwal PyCon Sweden 2020

JWT xxxxx . yyyyy . zzzzz HMAC-SHA256( base64UrlEncode(header). base64UrlEncode(payload), secret_key)
SIGNATURE @vibhu4agarwal PyCon Sweden 2020

Solutions with secret_key method (HMAC-SHA256) 1. Distribute the secret_key itself
2. Dedicated service for token generation and verification @vibhu4agarwal PyCon Sweden 2020

secret_key with both servers secret_key secret_key @vibhu4agarwal PyCon Sweden 2020

Solutions with secret_key method (HMAC-SHA256) 1. Distribute the secret_key itself
2. Dedicated service for token generation and verification @vibhu4agarwal PyCon Sweden 2020

Dedicated Verification Service secret_key secret_key Auth-Server Verification-Server @vibhu4agarwal PyCon Sweden
2020

secret_key with both servers secret_key secret_key @vibhu4agarwal PyCon Sweden 2020

Asymmetric Cryptography (Public + Private Keys) (RSA-SHA256) Private Key: Creates
Signatures Public Key: Verifies Signatures @vibhu4agarwal PyCon Sweden 2020

Public and Private Keys private_key Auth-Server public_key public_key public_key public_key

Asymmetric Cryptography (Public + Private Keys) (RSA-SHA256) Private Key: Creates
Signatures Public Key: Verifies Signatures Public Key: Encrypts messages Private Key: Decrypts messages @vibhu4agarwal PyCon Sweden 2020

Database Model @vibhu4agarwal PyCon Sweden 2020

The Required Tables @vibhu4agarwal PyCon Sweden 2020

License Management Database Model: github.com/Vibhu-Agarwal/Developing-an-SSO-Service-using-Django @vibhu4agarwal PyCon Sweden 2020

Work-Flow @vibhu4agarwal PyCon Sweden 2020

Work-Flow @vibhu4agarwal PyCon Sweden 2020 Name Client-ID Client-Secret Scope: [abc,
pqr] callback_url

Work-Flow @vibhu4agarwal PyCon Sweden 2020

Auth-Flow @vibhu4agarwal PyCon Sweden 2020 Client Auth-Server Client Tokens Back-End
Server

Auth-Flow (Sign-Up) @vibhu4agarwal PyCon Sweden 2020

Last customization to the flow @vibhu4agarwal PyCon Sweden 2020 ➔
On Connection

Show me the Code! @vibhu4agarwal PyCon Sweden 2020 github.com/Vibhu-Agarwal/Developing-an-SSO-Service-using-Django

Django Django-REST-Framework (DRF) Libraries first ... The Framework @vibhu4agarwal PyCon
Sweden 2020 github.com/Vibhu-Agarwal/Developing-an-SSO-Service-using-Django

djangorestframework-simplejwt requests Libraries first ... JSON-Web-Tokens and Making Requests @vibhu4agarwal
PyCon Sweden 2020 github.com/Vibhu-Agarwal/Developing-an-SSO-Service-using-Django

Libraries first ... Asymmetric cryptography @vibhu4agarwal PyCon Sweden 2020 github.com/Vibhu-Agarwal/Developing-an-SSO-Service-using-Django

settings.py @vibhu4agarwal PyCon Sweden 2020

JWTAuthentication backend @vibhu4agarwal PyCon Sweden 2020

How the JWT claims would look right now @vibhu4agarwal PyCon
Sweden 2020

Django-REST-Framework Models Serializers Views URLs Permissions @vibhu4agarwal PyCon Sweden 2020

users/models.py @vibhu4agarwal PyCon Sweden 2020

services/models.py @vibhu4agarwal PyCon Sweden 2020

Expand the reach ... @vibhu4agarwal PyCon Sweden 2020

The ‘aud’ (Audience) Claim @vibhu4agarwal PyCon Sweden 2020

urls.py @vibhu4agarwal PyCon Sweden 2020

jwt.py @vibhu4agarwal PyCon Sweden 2020

How the JWT claims would look Now! @vibhu4agarwal PyCon Sweden
2020

Client JWTAuthentication backend??? @vibhu4agarwal PyCon Sweden 2020 authenticate() Looks up
the User in the database corresponding to the user-ID provided in the JWT

Client JWTTokenUserAuthentication backend @vibhu4agarwal PyCon Sweden 2020 authenticate() No DB-lookup
to obtain a user instance TokenUser A stateless user object backed only by a validated token

Client JWTTokenUserAuthentication backend @vibhu4agarwal PyCon Sweden 2020

Client permissions.py @vibhu4agarwal PyCon Sweden 2020

DRF’s Generic API Views @vibhu4agarwal PyCon Sweden 2020

DRF’s Model Serializers @vibhu4agarwal PyCon Sweden 2020

Commonly used Protocols … with different implementations SAML and WS-Fed
- XML OpenID Connect - JWT LDAP/AD - LDIF @vibhu4agarwal PyCon Sweden 2020 auth0.com/docs/sso#protocols

Resources • OpenID Connect • Map of OAuth 2.0 Specs
• cryptography - Asymmetric Algorithms • DRF - Writing Custom Permissions • Writing Generic API Views using DRF @vibhu4agarwal PyCon Sweden 2020 github.com/Vibhu-Agarwal/Developing-an-SSO-Service-using-Django

@vibhu4agarwal Hit me Up! :) github.com/Vibhu-Agarwal/Developing-an-SSO-Service-using-Django PyCon Sweden 2020

Developing an SSO service using Django - PyCon ...

Developing an SSO service using Django - PyCon Sweden 2020

More Decks by Vibhu

Other Decks in Programming

Featured

Transcript