
Developing an SSO service using Django - PyCon Sweden 2020

Vibhu
November 11, 2020

Live stream: https://youtu.be/4BN2Np7fUqY

Abstract: Single-Sign-On (SSO) allows users to authenticate with a single ID and password to any of several related, yet independent, software systems. In this talk, we'll discuss how an SSO works and how it can be designed. We'll also see the code to implement it in Python using Django (REST Framework).

About the speaker: Vibhu Agarwal is an avid Pythonista, open-source enthusiast and a Back-End Developer at Viga Entertainment Technology, developing applications serving different UIs (Web, Desktop, AR/VR) and designing CI/CD pipelines for their delivery.


Transcript

  1. Developing a Single-Sign-On Service using Django @vibhu4agarwal PyCon Sweden 2020 github.com/Vibhu-Agarwal/Developing-an-SSO-Service-using-Django
  2. Vibhu Agarwal (@vibhu4agarwal) - He/him - Student - Pythonista - Django User - Back-End Developer at VigaStudios
  3. What?
  4. Why? For User: • Only one password to remember • Better UX. For Service Providers: • Management: ◦ Database ◦ Session • User-account Support • Security Layers
  5. Why … this talk?
  6. How?
  7. How does it work?
  8. How does it work?
  9. How does it work?
  10. How does it work?
  11. How does it work?
  12. OAuth Authorization: {Access & Refresh} Tokens
  13. Terminologies: Client, Authorization-Server, Back-End Server, Client Tokens, Resource-Owner (You), Redirect, Protected Resource
  14. OAuth Authorization: {Access & Refresh} Tokens
  15. OpenID Connect (OIDC): ID_Token (JWT), OAuth 2.0
  16. OAuth 2.0
  17. OpenID Connect
  18. JWT (xxxxx . yyyyy . zzzzz): HEADER { "alg": "HS256", "typ": "JWT" } / PAYLOAD { "sub": "1234567890", "name": "John Doe", "iat": 1516239022 } / SIGNATURE = HMAC-SHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), secret_key )
  19. Access and Refresh Tokens
  20. Access and Refresh Tokens: a short live demo?
  21. OAuth 2.0 Flow(s): Auth-Code, Resource-Owner Password, Implicit, Client-Credentials (auth0.com/docs/flows)
  22. Third-Party Services; Identity-Providers: Scope & Consent Request, Authorization-Code Flow
  23. Consent Request
  24. From this ...
  25. … to this
  26. OAuth 2.0 - Authorization Code Flow (youtu.be/0VWkQMr7r_c)
  27. Few things to remember ➔ We’re primarily Service-Providers! ➔ Limited/Restricted Services
  28. Service Providers! Need to separate out auth-server. No third-party involvement
  29. What’s the point? No worries about third-parties. Release some control to Clients. Customization of Flow
  30. (diagram slide)
  31. Previously ... (diagram: Client, Auth-Server, Back-End Server, Client Tokens)
  32. Previously ... (diagram: Client, Auth-Server)
  33. Previously ... (diagram: Client, Back-End Server, Client Tokens)
  34. What customization? (diagram: Auth-Server, Tokens, Back-End Server)
  35. What customization? (diagram: Client, Auth-Server, Tokens, Back-End Server)
  36. Few things to remember ➔ We’re primarily Service-Providers! ➔ Limited/Restricted Services
  37. Limited Services
  38. Separate Servers
  39. JWT (xxxxx . yyyyy . zzzzz): SIGNATURE = HMAC-SHA256( base64UrlEncode(header) + "." + base64UrlEncode(payload), secret_key )
  40. Solutions with secret_key method (HMAC-SHA256): 1. Distribute the secret_key itself 2. Dedicated service for token generation and verification
  41. secret_key with both servers (diagram: a copy of secret_key on each server)
  42. secret_key with both servers (diagram: a copy of secret_key on each server)
  43. Solutions with secret_key method (HMAC-SHA256): 1. Distribute the secret_key itself 2. Dedicated service for token generation and verification
  44. Dedicated Verification Service (diagram: Auth-Server and Verification-Server, each holding secret_key)
  45. secret_key with both servers (diagram: a copy of secret_key on each server)
  46. Asymmetric Cryptography (Public + Private Keys) (RSA-SHA256): Private Key: Creates Signatures. Public Key: Verifies Signatures
  47. Public and Private Keys (diagram: private_key on the Auth-Server; public_key on each of the other servers)
  48. Asymmetric Cryptography (Public + Private Keys) (RSA-SHA256): Private Key: Creates Signatures. Public Key: Verifies Signatures. Public Key: Encrypts messages. Private Key: Decrypts messages
  49. Database Model
  50. The Required Tables
  51. License Management Database Model: github.com/Vibhu-Agarwal/Developing-an-SSO-Service-using-Django
  52. Work-Flow
  53. Work-Flow
  54. Work-Flow: Name, Client-ID, Client-Secret, Scope: [abc, pqr], callback_url
  55. Work-Flow
  56. Work-Flow
  57. Work-Flow
  58. Work-Flow
  59. Work-Flow
  60. Work-Flow
  61. Auth-Flow (diagram: Client, Auth-Server, Client Tokens, Back-End Server)
  62. Auth-Flow (Sign-Up)
  63. Last customization to the flow ➔ On Connection
  64. Show me the Code! github.com/Vibhu-Agarwal/Developing-an-SSO-Service-using-Django
  65. Libraries first ... The Framework: Django, Django-REST-Framework (DRF)
  66. Libraries first ... JSON-Web-Tokens and Making Requests: djangorestframework-simplejwt, requests
  67. Libraries first ... Asymmetric cryptography
  68. settings.py
  69. settings.py
  70. settings.py
  71. settings.py
  72. JWTAuthentication backend
  73. How the JWT claims would look right now
  74. Django-REST-Framework: Models, Serializers, Views, URLs, Permissions
  75. users/models.py
  76. services/models.py
  77. Expand the reach ...
  78. The ‘aud’ (Audience) Claim
  79. urls.py
  80. jwt.py
  81. How the JWT claims would look Now!
  82. Client JWTAuthentication backend??? authenticate(): Looks up the User in the database corresponding to the user-ID provided in the JWT
  83. Client JWTTokenUserAuthentication backend: authenticate(): No DB-lookup to obtain a user instance. TokenUser: A stateless user object backed only by a validated token
  84. Client JWTTokenUserAuthentication backend
  85. Client JWTTokenUserAuthentication backend
  86. Client permissions.py
  87. DRF’s Generic API Views
  88. DRF’s Model Serializers
  89. Commonly used Protocols … with different implementations: SAML and WS-Fed - XML; OpenID Connect - JWT; LDAP/AD - LDIF (auth0.com/docs/sso#protocols)
  90. Resources • OpenID Connect • Map of OAuth 2.0 Specs • cryptography - Asymmetric Algorithms • DRF - Writing Custom Permissions • Writing Generic API Views using DRF
  91. @vibhu4agarwal Hit me Up! :) github.com/Vibhu-Agarwal/Developing-an-SSO-Service-using-Django PyCon Sweden 2020
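A client-service `settings.py` fragment for the setup described in slides 46-47, 78 and 83 (public key only on the client, stateless `JWTTokenUserAuthentication`, pinned `aud`), added here as an illustration and not the talk repository's own file; the environment variable name and the audience string are placeholders, and the djangorestframework-simplejwt setting names used are the library's real ones:

```python
import os

REST_FRAMEWORK = {
    "DEFAULT_AUTHENTICATION_CLASSES": (
        # Builds a TokenUser from the validated claims; no User row is looked up (slide 83).
        "rest_framework_simplejwt.authentication.JWTTokenUserAuthentication",
    ),
    "DEFAULT_PERMISSION_CLASSES": (
        "rest_framework.permissions.IsAuthenticated",
    ),
}

# The shared-secret variant of slides 41-45 would be ALGORITHM "HS256" with the
# auth-server's SECRET_KEY copied here as SIGNING_KEY, so every service that can
# verify a token can also mint one. The asymmetric setup below avoids that.
SIMPLE_JWT = {
    "ALGORITHM": "RS256",
    # Placeholder: the auth-server's PEM public key, distributed out of band (slide 47).
    "VERIFYING_KEY": os.environ.get("SSO_PUBLIC_KEY_PEM", ""),
    # The client never mints tokens, so it holds no private key at all.
    "SIGNING_KEY": None,
    # Only accept tokens whose 'aud' claim names this service (placeholder name, slide 78).
    "AUDIENCE": "example-client-service",
    "AUTH_HEADER_TYPES": ("Bearer",),
    "USER_ID_CLAIM": "user_id",
}
```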