Skip to main content

Authenticate your users using OpenID Connect (OIDC)

Project description

django-pyoidc

This library allows Single Sign On (SSO) integration into Django through the Open ID Connect (OIDC) protocol.

It can be used to set up a Single Sign On using an identity provider (Keycloak, etc.) or to login using Google, Twitter, etc.

Warning: this library has not been audited. However, we are based on pyoidc which we believe is a sane OIDC implementation.

We tried to make OpenID Connect (OIDC) configuration as easy and secure as possible. However everything can be customized, and we tried to take into account every use case in the library design. If you are not satisfied with the default configuration, take a look at the cookbook or the setting reference.

Features

  • Easy configuration through premade Provider classes (see the list here)
  • Authenticate users from multiple providers
  • Bearer authentication support for django-rest-framework integration (single provider)
    • drf-spectacular : your swagger page will allow to connect to your OIDC provider
  • Easy integration with the Django permission system
  • Highly customizable design that should suit most needs
  • Support back-channel logout
  • Support service accounts (accounts for machine-to-machine authentication)
  • Sane and secure defaults settings

Roadmap

  • Frontchannel logout
  • Switch to django signal system login/logout hooks
  • Allow for audience check without customizing get_user using a setting

Acknowledgement

This library is built on the work of many others. First of all, thanks to all the maintainers of pyoidc as they did all the spec implementation. This library is mostly about glue between Django and pyoidc.

We were also heavily inspired by:

If you want to understand why we decided to implement our own library, this is documented here.

Documentation

The documentation is graciously hosted at readthedocs.

Installation

First, install the python package:

pip install django_pyoidc

Then add the library app to your django applications, after django.contrib.sessions and django.contrib.auth:

INSTALLED_APPS = [
    "django.contrib.auth",
    "django.contrib.sessions",
    ...
    "django_pyoidc"
]

Remember to add the session middleware! Add in your settings.py:

MIDDLEWARE = [
    "django.contrib.sessions.middleware.SessionMiddleware",
]

Now is the time to run a migrate operation, as we create a database table (read why here). Run in your project dir:

./manage.py migrate

We also need a cache (read why here), so let's configure a dumb one for development purposes. Add in your settings.py:

CACHES = {
    "default": {
        "BACKEND": "django.core.cache.backends.locmem.LocMemCache",
        "LOCATION": "unique-snowflake",
    }
}

Now you can pick an identity provider from the available providers. Provider classes are a quick way to generate the library configuration and URLs. You can also configure the settings manually, but this is not recommended if you are not familiar with the OpendID Connect (OIDC) protocol.

Add the following DJANGO_PYOIDC to your settings.py:

# settings
DJANGO_PYOIDC = {
    # This is the name that your identity provider will have within the library
    "sso": {
        # change the following line to use your provider
        "provider_class": "django_pyoidc.providers.keycloak_18.Keycloak18Provider",
        
        # your secret should not be stored in settings.py, load them from an env variable
        "client_secret": os.getenv("SSO_CLIENT_SECRET"),
        "client_id": os.getenv("SSO_CLIENT_ID"),
        
        "provider_discovery_uri": "https://keycloak.example.com/auth/realms/fixme",
        
        # This setting allow the library to cache the provider configuration auto-detected using
        # the `provider_discovery_uri` setting
        "oidc_cache_provider_metadata": True,
    }

Finally, add OIDC views to your url configuration (urls.py):

from django_pyoidc.helper import OIDCHelper

# `op_name` must be the name of your identity provider as used in the `DJANGO_PYOIDC` setting
oidc_helper = OIDCHelper(op_name="sso")

urlpatterns = [
    path(
        "auth/",
        include((oidc_helper.get_urlpatterns(), "django_pyoidc"), namespace="auth"),
    ),
]

And you are ready to go!

If you struggle with those instructions, take a look at the quickstart tutorial.

Usage/Examples

We wrote an extensive collection of 'how-to' guides in the documentation.

Appendix

Commercial support

This project is sponsored by Makina Corpus. If you require assistance on your project(s), please contact us: contact@makina-corpus.com

Report a security vulnerability

License

GPL

Authors

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

django_pyoidc-1.0.13.tar.gz (1.0 MB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

django_pyoidc-1.0.13-py3-none-any.whl (35.0 kB view details)

Uploaded Python 3

File details

Details for the file django_pyoidc-1.0.13.tar.gz.

File metadata

  • Download URL: django_pyoidc-1.0.13.tar.gz
  • Upload date:
  • Size: 1.0 MB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for django_pyoidc-1.0.13.tar.gz
Algorithm Hash digest
SHA256 f36de1829998fe6a197640b6cd41a8d83be90551c93b11bd8fdba4a5ba43c38a
MD5 1d193fe36fd5dbf0f5051689463a4aed
BLAKE2b-256 ac629e5428af3a888296f95a435513c616a5dc52718f6c79410e20e6315ac7c6

See more details on using hashes here.

Provenance

The following attestation bundles were made for django_pyoidc-1.0.13.tar.gz:

Publisher: python-publish.yml on makinacorpus/django_pyoidc

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file django_pyoidc-1.0.13-py3-none-any.whl.

File metadata

  • Download URL: django_pyoidc-1.0.13-py3-none-any.whl
  • Upload date:
  • Size: 35.0 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for django_pyoidc-1.0.13-py3-none-any.whl
Algorithm Hash digest
SHA256 db477db9503deb25fb999d4be22376a09d01bc6849cfe6261ec3d1fd2b55a037
MD5 f08becc7305cfab0f8c85ab8ca66253a
BLAKE2b-256 b4e9636eaa8e7807d94531e62e598ed7ac92e89cf746505948377236e6bc0a69

See more details on using hashes here.

Provenance

The following attestation bundles were made for django_pyoidc-1.0.13-py3-none-any.whl:

Publisher: python-publish.yml on makinacorpus/django_pyoidc

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page