Developing an SSO service using Django - PyCon Sweden 2020

Transcript

1. Developing a Single-Sign-On Service using Django @vibhu4agarwal PyCon Sweden 2020

   github.com/Vibhu-Agarwal/Developing-an-SSO-Service-using-Django

2. - He/him - Student - Pythonista - Django User -

   Back-End Developer at VigaStudios Vibhu Agarwal (@vibhu4agarwal) PyCon Sweden 2020

3. What? @vibhu4agarwal PyCon Sweden 2020

4. Why? For User • Only one password to remember •

   Better UX For Service Providers • Management: ◦ Database ◦ Session • User-account Support • Security Layers @vibhu4agarwal PyCon Sweden 2020

5. Why … this talk? @vibhu4agarwal PyCon Sweden 2020

6. How? @vibhu4agarwal PyCon Sweden 2020

7. How does it work? @vibhu4agarwal PyCon Sweden 2020

8. How does it work? @vibhu4agarwal PyCon Sweden 2020

9. How does it work? @vibhu4agarwal PyCon Sweden 2020

10. How does it work? @vibhu4agarwal PyCon Sweden 2020

11. How does it work? @vibhu4agarwal PyCon Sweden 2020

12. OAuth Authorization {Access & Refresh} Tokens @vibhu4agarwal PyCon Sweden 2020

13. Terminologies Client Authorization-Server Back-End Server Client Tokens Resource-Owner (You) Redirect

    @vibhu4agarwal PyCon Sweden 2020 Protected Resource

14. OAuth Authorization {Access & Refresh} Tokens @vibhu4agarwal PyCon Sweden 2020

15. OpenID Connect (OIDC) ID_Token (JWT) OAuth 2.0 @vibhu4agarwal PyCon Sweden

    2020

16. OAuth 2.0 @vibhu4agarwal PyCon Sweden 2020

17. OpenID Connect @vibhu4agarwal PyCon Sweden 2020

18. JWT { "alg": "HS256", "typ": "JWT", } { "sub": "1234567890",

    "name": "John Doe", "iat": 1516239022 } HEADER PAYLOAD xxxxx . yyyyy . zzzzz HMAC-SHA256( base64UrlEncode(header). base64UrlEncode(payload), secret_key) SIGNATURE @vibhu4agarwal PyCon Sweden 2020

19. Access and Refresh Tokens @vibhu4agarwal PyCon Sweden 2020

20. Access and Refresh Tokens a short live demo? @vibhu4agarwal PyCon

    Sweden 2020 github.com/Vibhu-Agarwal/Developing-an-SSO-Service-using-Django

21. OAuth 2.0 Flow(s) @vibhu4agarwal PyCon Sweden 2020 Auth-Code Resource-Owner Password

    Implicit Client-Credentials auth0.com/docs/flows

22. Third-Party Services; Identity-Providers Scope & Consent Request @vibhu4agarwal PyCon Sweden

    2020 Authorization-Code Flow

23. Consent Request @vibhu4agarwal PyCon Sweden 2020

24. From this ... @vibhu4agarwal PyCon Sweden 2020

25. … to this @vibhu4agarwal PyCon Sweden 2020

26. OAuth 2.0 - Authorization Code Flow PyCon Sweden 2020 youtu.be/0VWkQMr7r_c

27. Few things to remember ➔ We’re primarily Service-Providers! ➔ Limited/Restricted

    Services @vibhu4agarwal PyCon Sweden 2020

28. Service Providers! Need to separate out auth-server No third-party involvement

    @vibhu4agarwal PyCon Sweden 2020

29. What’s the point? No worries about third-parties Release some control

    to Clients Customization of Flow @vibhu4agarwal PyCon Sweden 2020

30. @vibhu4agarwal PyCon Sweden 2020

31. Previously ... Auth-Server Back-End Server Client Tokens @vibhu4agarwal PyCon Sweden

    2020 Client

32. Previously ... Auth-Server @vibhu4agarwal PyCon Sweden 2020 Client

33. Previously ... Back-End Server Client Tokens @vibhu4agarwal PyCon Sweden 2020

34. What customization? @vibhu4agarwal PyCon Sweden 2020 Auth-Server Tokens Back-End Server

35. What customization? @vibhu4agarwal PyCon Sweden 2020 Auth-Server Tokens Back-End Server

    Client

36. Few things to remember ➔ We’re primarily Service-Providers! ➔ Limited/Restricted

    Services @vibhu4agarwal PyCon Sweden 2020

37. Limited Services @vibhu4agarwal PyCon Sweden 2020

38. Separate Servers @vibhu4agarwal PyCon Sweden 2020

39. JWT xxxxx . yyyyy . zzzzz HMAC-SHA256( base64UrlEncode(header). base64UrlEncode(payload), secret_key)

    SIGNATURE @vibhu4agarwal PyCon Sweden 2020

40. Solutions with secret_key method (HMAC-SHA256) 1. Distribute the secret_key itself

    2. Dedicated service for token generation and verification @vibhu4agarwal PyCon Sweden 2020

41. secret_key with both servers secret_key secret_key @vibhu4agarwal PyCon Sweden 2020

42. secret_key with both servers secret_key secret_key @vibhu4agarwal PyCon Sweden 2020

43. Solutions with secret_key method (HMAC-SHA256) 1. Distribute the secret_key itself

    2. Dedicated service for token generation and verification @vibhu4agarwal PyCon Sweden 2020

44. Dedicated Verification Service secret_key secret_key Auth-Server Verification-Server @vibhu4agarwal PyCon Sweden

    2020

45. secret_key with both servers secret_key secret_key @vibhu4agarwal PyCon Sweden 2020

46. Asymmetric Cryptography (Public + Private Keys) (RSA-SHA256) Private Key: Creates

    Signatures Public Key: Verifies Signatures @vibhu4agarwal PyCon Sweden 2020

47. Public and Private Keys private_key Auth-Server public_key public_key public_key public_key

    @vibhu4agarwal PyCon Sweden 2020

48. Asymmetric Cryptography (Public + Private Keys) (RSA-SHA256) Private Key: Creates

    Signatures Public Key: Verifies Signatures Public Key: Encrypts messages Private Key: Decrypts messages @vibhu4agarwal PyCon Sweden 2020

49. Database Model @vibhu4agarwal PyCon Sweden 2020

50. The Required Tables @vibhu4agarwal PyCon Sweden 2020

51. License Management Database Model: github.com/Vibhu-Agarwal/Developing-an-SSO-Service-using-Django @vibhu4agarwal PyCon Sweden 2020

52. Work-Flow @vibhu4agarwal PyCon Sweden 2020

53. Work-Flow @vibhu4agarwal PyCon Sweden 2020

54. Work-Flow @vibhu4agarwal PyCon Sweden 2020 Name Client-ID Client-Secret Scope: [abc,

    pqr] callback_url

55. Work-Flow @vibhu4agarwal PyCon Sweden 2020

56. Work-Flow @vibhu4agarwal PyCon Sweden 2020

57. Work-Flow @vibhu4agarwal PyCon Sweden 2020

58. Work-Flow @vibhu4agarwal PyCon Sweden 2020

59. Work-Flow @vibhu4agarwal PyCon Sweden 2020

60. Work-Flow @vibhu4agarwal PyCon Sweden 2020

61. Auth-Flow @vibhu4agarwal PyCon Sweden 2020 Client Auth-Server Client Tokens Back-End

    Server

62. Auth-Flow (Sign-Up) @vibhu4agarwal PyCon Sweden 2020

63. Last customization to the flow @vibhu4agarwal PyCon Sweden 2020 ➔

    On Connection

64. Show me the Code! @vibhu4agarwal PyCon Sweden 2020 github.com/Vibhu-Agarwal/Developing-an-SSO-Service-using-Django

65. Django Django-REST-Framework (DRF) Libraries first ... The Framework @vibhu4agarwal PyCon

    Sweden 2020 github.com/Vibhu-Agarwal/Developing-an-SSO-Service-using-Django

66. djangorestframework-simplejwt requests Libraries first ... JSON-Web-Tokens and Making Requests @vibhu4agarwal

    PyCon Sweden 2020 github.com/Vibhu-Agarwal/Developing-an-SSO-Service-using-Django

67. Libraries first ... Asymmetric cryptography @vibhu4agarwal PyCon Sweden 2020 github.com/Vibhu-Agarwal/Developing-an-SSO-Service-using-Django

68. settings.py @vibhu4agarwal PyCon Sweden 2020

69. settings.py @vibhu4agarwal PyCon Sweden 2020

70. settings.py @vibhu4agarwal PyCon Sweden 2020

71. settings.py @vibhu4agarwal PyCon Sweden 2020

72. JWTAuthentication backend @vibhu4agarwal PyCon Sweden 2020

73. How the JWT claims would look right now @vibhu4agarwal PyCon

    Sweden 2020

74. Django-REST-Framework Models Serializers Views URLs Permissions @vibhu4agarwal PyCon Sweden 2020

75. users/models.py @vibhu4agarwal PyCon Sweden 2020

76. services/models.py @vibhu4agarwal PyCon Sweden 2020

77. Expand the reach ... @vibhu4agarwal PyCon Sweden 2020

78. The ‘aud’ (Audience) Claim @vibhu4agarwal PyCon Sweden 2020

79. urls.py @vibhu4agarwal PyCon Sweden 2020

80. jwt.py @vibhu4agarwal PyCon Sweden 2020

81. How the JWT claims would look Now! @vibhu4agarwal PyCon Sweden

    2020

82. Client JWTAuthentication backend??? @vibhu4agarwal PyCon Sweden 2020 authenticate() Looks up

    the User in the database corresponding to the user-ID provided in the JWT

83. Client JWTTokenUserAuthentication backend @vibhu4agarwal PyCon Sweden 2020 authenticate() No DB-lookup

    to obtain a user instance TokenUser A stateless user object backed only by a validated token

84. Client JWTTokenUserAuthentication backend @vibhu4agarwal PyCon Sweden 2020

85. Client JWTTokenUserAuthentication backend @vibhu4agarwal PyCon Sweden 2020

86. Client permissions.py @vibhu4agarwal PyCon Sweden 2020

87. DRF’s Generic API Views @vibhu4agarwal PyCon Sweden 2020

88. DRF’s Model Serializers @vibhu4agarwal PyCon Sweden 2020

89. Commonly used Protocols … with different implementations SAML and WS-Fed

    - XML OpenID Connect - JWT LDAP/AD - LDIF @vibhu4agarwal PyCon Sweden 2020 auth0.com/docs/sso#protocols

90. Resources • OpenID Connect • Map of OAuth 2.0 Specs

    • cryptography - Asymmetric Algorithms • DRF - Writing Custom Permissions • Writing Generic API Views using DRF @vibhu4agarwal PyCon Sweden 2020 github.com/Vibhu-Agarwal/Developing-an-SSO-Service-using-Django

91. @vibhu4agarwal Hit me Up! :) github.com/Vibhu-Agarwal/Developing-an-SSO-Service-using-Django PyCon Sweden 2020