Permissions class for testing a request is coming from an authorized GCP user.
Project description
Provides a way to determine if an incoming request is coming from a GCP service account that you have authorized. You can also use this module to as a way of wrapping an identity token which on its own has no access claims. The wrapped token is an authenticated GCP token and the inner token specifies the Django user.
For instance, an authenticated user requests an identity token using the /identity/ endpoint. This token on its own can not be used to access services. The user then gives this identity token to an IoT device that can obtain its own GCP Token. When the IoT device wants to make a request on behalf of the authenticated user, it adds the X-GCP-IDTOKEN header.
In another example, you may be using Google Functions from a pub/sub model to make a request to an API endpoint on your Django server. In this case your Google Function will have a default service account and you can obtain an id-token within your Google Function. An id-token is a JWT token that contains various claims. You will need to get an id-token that contains the email claim. You can pass this token into your request using the Authorization header. This module can then be used to verify the token and make sure that the identity of the user belongs a list of allowed service accounts that you configure.
Free software: MIT license
Documentation: https://dj_gcp_rest_auth.readthedocs.io.
Installation
Install dj_gcp_rest_auth from pip
$ pip install dj_gcp_rest_auth
Update your top level settings.py
GCP_REST_AUTH = {
'IDENTITY_TOKEN_LIFETIME_DAYS': 7,
'ALLOWED_SERVICE_ACCOUNTS': ['11111122222-compute@developer.gserviceaccount.com']
}
IDENTITY_TOKEN_LIFETIME_DAYS is optional and if specified specify the lifetime of an identity token in days. Identity tokens can be generated from this package.
ALLOWED_SERVICE_ACCOUNTS is a list of regex patterns representing the service account emails that are allowed to use your API.
In your views, set
from dj_gcp_rest_auth.authentication import GCPTokenAuthentication
class MyView(GenericAPIView):
authentication_classes = ( GCPTokenAuthentication, )
Optionally, in your urls.py, set
import dj_gcp_rest_auth
path('', include(dj_gcp_rest_auth.urls))
Optionally, you can use the IsGCPUser custom permission. This permission is useful to indicate that the GCP Token is valid and from an authorized service account.
from dj_gcp_rest_auth.permissions import IsGCPUser
Obtaining an id-token
There are several ways to obtain an id-token from your Google service (Compute, GAE, Cloud Run, Function, etc.).
The following method only depends on curl and makes use of the internal meta data to retrieve the id-token
curl -H "Metadata-Flavor: Google" "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/default/identity?audience=arbitrary&format=full"
Endpoints
This package can be used to expose an endpoint to generate an identity token for the authenticated user
GET /identity
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for dj_gcp_rest_auth-0.6.0-py3-none-any.whl
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 9758a135400045374f87b1f62e75f94dde1240a3f967d16853a8e1b3cd354bde |
|
| MD5 | 34b2a315149f5194d0ab1ee65085489c |
|
| BLAKE2b-256 | b403728846b712694edd5ac4f6828186f556ebe02dc036fbe4e71901f7637ad4 |
