A small authentication-authorization server.
This is a small server meant to help add authentication (authn) and authorization (authz) to other HTTP servers. It's built using Tornado, SQLAlchemy, cryptography, argon2-cffi, python-diskcache, and uvloop.
I wrote it to help with the login/logout/signup flows for the LCC-Server and extracted much of the code from there. It builds on the auth bits there and is eventually meant to replace them. It can do the following things:
- Handle user sign-ups, logins, logouts, and locks/unlocks.
- Handle user email verification, password changes, forgotten password processes, and editing user properties.
- Handle API key issuance and verification.
- Handle access and rate-limit checks for arbitrary schemes of user roles, permissions, and target items. There is a default scheme of permissions and user roles, originally from the LCC-Server where this code was extracted from. Another permissions policy can be specified as JSON.
Authnzerver talks to a frontend server over HTTP. Communications are secured with symmetric encryption using the cryptography package's Fernet scheme, so you'll need a pre-shared key that both Authnzerver and your frontend server know.
Authnzerver is available at PyPI, but is very much a work in progress at the moment. Maybe hold off on installing it until we've reached v0.2 (beta).
With that said, it can be installed (preferably in a virtualenv) using
(venv) $ pip install authnzerver # use pip install authnzerver --pre for unstable releases
Running the server
There is a single executable that will be in your
$PATH if you have a
virtualenv activated and the package installed:
authnzrv --help will list all the options available:
--authdb An SQLAlchemy database URL to indicate where the local authentication DB is. This should be in the form discussed at: https://docs.sq lalchemy.org/en/latest/core/engines.html#dat abase-urls --autosetup If this is True, will automatically generate an SQLite authentication database in the basedir if there isn't one present and the value of the authdb option is also None. (default False) --basedir The base directory containing secret files and the auth DB. (default os.getcwd()) --cachedir Path to the cache directory to be used. (default /tmp/authnzerver-cache) --debugmode If 1, will enable an /echo endpoint for debugging purposes. (default False) --emailpass The password to use for login to the email server. --emailport The SMTP port of the email server to use. (default 25) --emailsender The account name and email address that the authnzerver will send from. (default Authnzerver <authnzerver@localhost>) --emailserver The address of the email server to use. (default localhost) --emailuser The username to use for login to the email server. (default getpass.getuser()) --envfile Path to a file containing environ variables for testing/development. --listen Bind to this address and serve content. (default 127.0.0.1) --permissions The JSON file containing the permissions model the server will enforce. (default install-dir/authnzerver/authnzerver/ default-permissions-model.json) --piisalt A random value used as a salt when SHA256 hashing personally identifiable information (PII), such as user IDs and session tokens, etc. for authnzerver logs. --port Run the server on this TCP port. (default 13431) --secret The shared secret key used to secure communications between authnzerver and any frontend servers. --sessionexpiry This sets the session-expiry time in days. (default 30) --workers The number of background workers to use when processing requests. (default 4)
There's an example systemd
.service file available in the
to run this server automatically on startup.
Configuring the server
Use the following environmental variables to configure the server. Defaults are noted below where appropriate.
# listen address, port settings, and workers AUTHNZERVER_PORT=13141 AUTHNZERVER_LISTEN=127.0.0.1 AUTHNZERVER_WORKERS=4 # cache and base directory locations AUTHNZERVER_CACHEDIR=/tmp/authnzerver-cache AUTHNZERVER_BASEDIR=directory where the server is started # secret token, PII salt, and authentication DB URL AUTHNZERVER_SECRET= AUTHNZERVER_PIISALT= AUTHNZERVER_AUTHDB= # session expiry time in days AUTHNZERVER_SESSIONEXPIRY=30 # permissions model JSON AUTHNZERVER_PERMISSIONS=path/to/default-permissions-model.json # email settings for sending emails to users AUTHNZERVER_EMAILSENDER=Authnzerver <authnzerver@localhost> AUTHNZERVER_EMAILSERVER=localhost AUTHNZERVER_EMAILPORT=25 AUTHNZERVER_EMAILUSER=user running the authnzrv executable AUTHNZERVER_EMAILPASS=''
You can also provide all of these at once using an environment file. This is not
recommended for production but is useful for development. If you go this route,
--envfile option to point to an appropriate environment file.
At a minimum, you must provide:
- a random pre-shared secret key as an environmental variable:
- a random salt value for hashing personally identifiable information in the
authnzerver logs as an environmental variable:
- an SQLAlchemy database
indicating where the server should store authentication information as an
If none of these are provided, and the command-line option
--autosetup=True, the server will prompt you for admin credentials during
start up, generate the pre-shared secret key and random salt, and initialize an
authentication database at the SQLAlchemy URL you provide. Autogenerated
defaults for these values can be used by hitting Enter at all the prompts.
Authnzerver is provided under the MIT License. See the LICENSE file for details.
Release history Release notifications | RSS feed
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Hashes for authnzerver-0.1.3-py3-none-any.whl