A Django middleware that adds 2-factor authentication via Duo.
Project description
A Django middleware that adds 2-factor authentication via Duo.
django-duo-auth is designed to be easily integrated into an existing Django project to quickly add 2-factor authentication. It supports one or more Duo applications and uses the configured AUTHENTICATION_BACKENDS to select which users it should authenticate under which circumstance.
Installation
django-duo-auth can be installed from PyPI, and depends on duo-universal.
?> pip install django-duo-auth
If you wish to use the traditional iframe-based prompt, install like this instead
?> pip install django-duo-auth[legacy]
Configuration
To enable Duo authentication, first add the following to settings.py:
# Add duo_auth to the list of installed apps INSTALLED_APPS = [ # ... 'duo_auth', ] # The DuoAuthMiddleware requires and must come after the SessionMiddleware # and AuthenticationMiddleware MIDDLEWARE = [ # ... 'duo_auth.middleware.DuoAuthMiddleware', ] DUO_CONFIG = { 'DEFAULT': { 'API_HOSTNAME': '<api-host-url>', 'CLIENT_ID': '<integration_key>', 'CLIENT_SECRET': '<secret_key>', 'FIRST_STAGE_BACKENDS': [ 'django.contrib.auth.backends.ModelBackend', ] } }
Then include the URLs in urls.py:
from django.urls import path, include urlpatterns = [ # ... path('duo/', include('duo_auth.urls')), ]
And that’s it!
By default, the Duo Universal Prompt will be used. If the traditional iframe-based prompt is desired, add DUO_LEGACY_PROMPT to your settings and it, as well as DUO_CONFIG, will look more like this:
DUO_LEGACY_PROMPT: True DUO_CONFIG = { 'DEFAULT': { 'HOST': '<api-host-url>', 'IKEY': '<integration_key>', 'AKEY': '<app_secret_key>', 'SKEY': '<secret_key>', 'FIRST_STAGE_BACKENDS': [ 'django.contrib.auth.backends.ModelBackend', ] } }
Note the additional AKEY parameter, which should be a large randomly-generated string, similar to your SECRET_KEY.
First Stage Backends
The FIRST_STAGE_BACKENDS key for each entry in DUO_CONFIG should be a list of the authentication backends that the Duo application should act as a second factor for. If an authentication backend isn’t listed in any FIRST_STAGE_BACKENDS list, then Duo is disabled.
This behavior can be used to create scenarios where only certain users are required to authenticate with Duo. An example might be where all users of Django’s builtin authentication system are required to perform a second factor, but externally authenticated users via LDAP or some other mechanism are not.
Likewise, this feature allows different Duo apps to be tasked with users from separate authentication streams. Take the previous example, only LDAP users are instead required to authenticate against a different institution’s Duo application instance.
Username Remapping
If it is necessary to remap a user’s name to a different name in Duo, you can add the USERNAME_REMAPPER key to a Duo Config entry. The value of USERNAME_REMAPPER should be a function, callable object, or a string containing the dotted path to a callable which accepts an HttpRequest object and returns a username string, which will be used in the Duo signing request instead of the name as it appears in request.user.username.
Failing Open (Not supported on LEGACY)
By default, if any error occurs communicating with Duo’s authentication servers, the authentication attempt is aborted, and the user is logged out. If it is desirable for Duo to be skipped in the event of a communication issue, simply add 'FAIL_OPEN': True to the desired applications in the DUO_CONFIG.
Overloading the Default Template (LEGACY ONLY)
The Duo login view loads a template named duo_auth_form.html which must minimally include the following to properly render the Duo I-Frame:
<form method="POST" id="duo_form"> {% csrf_token %} {% if next %} <input type="hidden" name="next" value="{{ next }}"/> {% endif %} {% if app_name %} <input type="hidden" name="app_name" value="{{ app_name }}"/> {% endif %} </form> <link rel="stylesheet" type="text/css" href="{{ duo_css_src }}"> <script src="{{ duo_js_src }}"></script> <iframe id="duo_iframe" title="Two-Factor Authentication" frameborder="0" data-host="{{ duo_host }}" data-sig-request="{{ sig_request }}" data-post-action="{{ post_action }}" > </iframe>
Project details
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
File details
Details for the file django-duo-auth-1.0.0.tar.gz
.
File metadata
- Download URL: django-duo-auth-1.0.0.tar.gz
- Upload date:
- Size: 14.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/4.0.2 CPython/3.9.14
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | 9780453c9dfeb082e0153854625c34c31dddea211d1ca7553bf877a257928d53 |
|
MD5 | ca4cc1253b8b73bb82d9e1ef902a4560 |
|
BLAKE2b-256 | 37b4929c7d98dbdb8f9b9961447d18b9eb5a3c7bd8ca0b3b10194491c8674453 |
File details
Details for the file django_duo_auth-1.0.0-py2.py3-none-any.whl
.
File metadata
- Download URL: django_duo_auth-1.0.0-py2.py3-none-any.whl
- Upload date:
- Size: 15.5 kB
- Tags: Python 2, Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/4.0.2 CPython/3.9.14
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | 06685ee59751fb585bf34c43ff675f6f749fe7e2def4bf5d2f4f5e5561247c84 |
|
MD5 | 85b3840975e1bf71ca6e1e0b79c2b1da |
|
BLAKE2b-256 | 6fc84dcd6505cd7253bc54abc38f352d8b872cb286a78b725001d3a430cdf1ff |