Authenticate to Django with JSON Web Tokens (JWTs) signed by Cloudflare Access
Project description
Authenticate to Django with JSON Web Tokens (JWTs) signed by Cloudflare Access. A Django reimplementation of https://developers.cloudflare.com/cloudflare-one/identity/authorization-cookie/validating-json/#python-example
To run the demo, set the following environment variables:
export ALLOWEDFLARE_ACCESS_URL=https://your-organization.cloudflareaccess.com
export ALLOWEDFLARE_AUDIENCE=64-character hexadecimal string
export ALLOWEDFLARE_PRIVATE_DOMAIN=your-domain.tld
Then run
docker compose up
Configure Cloudflare Tunnel public hostname demodj.your-domain.tld to http://localhost:8001 or equivalent.
TODO
- Iterate on the same-origin (re-)authenticating proxy
- From-scratch reimplementation of https://developers.cloudflare.com/cloudflare-one/identity/authorization-cookie/cors/#send-authentication-token-with-cloudflare-worker
- Setting username so it can be logged by gunicorn
- Setting the XmlHttpRequest(?) header to avoid redirects to the sign-in page
- Iterate on Admin site ModelBackend
- http://localhost:8001/admin/login/ text when authenticated is "You are authenticated as , but are not authorized to access this page. Would you like to login to a different account?"
- Expand unit test coverage
- Basic integration and end-to-end tests
- mTLS support and testing
- Configure PostgreSQL
- Post-migration hook to create a readonly DB user
- Use the readonly DB user for django-sql-explorer and jupyterhub
- Update the django-sql-explorer allowlist to accept SET since it's only dangerous for MySQL
- Exclude only specific fields, like password hash, from the django-sql-explorer view of the django.contrib.auth schema
- See if admin site change history fields can be shown in the django-sql-explorer schema viewer
Open Questions
- Do existing projects like django-allauth or https://django-rest-framework-simplejwt.readthedocs.io/en/latest/index.html already provide this functionality?
- What about RemoteUserMiddleware?
- Are there Free/Libre/Open Source alternatives to Cloudflare Access and Okta that I can run end-to-end tests against?
File details
- allowedflare-2024.44.1.tar.gz (source distribution, 8.9 kB, uploaded via twine/4.0.2 CPython/3.12.3, not uploaded using Trusted Publishing)
- allowedflare-2024.44.1-py3-none-any.whl (built distribution, Python 3, 9.2 kB, uploaded via twine/4.0.2 CPython/3.12.3, not uploaded using Trusted Publishing)