A convenience libary for authenticating users from Keycloak access tokens
Project description
DRF Keycloak Auth
Requirements
- Python >= 3.4
- Django
- Django Rest Framework
- Python Keycloak
Installation
$ pip install drf-keycloak-auth
Add the application to your project's INSTALLED_APPS
in settings.py
.
INSTALLED_APPS = [
...
'drf_keycloak_auth',
]
In your project's settings.py
, add this to the REST_FRAMEWORK
configuration. Note that if you want to retain access to the browsable API for locally created users, then you will probably want to keep rest_framework.authentication.SessionAuthentication
too.
REST_FRAMEWORK = {
...
'DEFAULT_AUTHENTICATION_CLASSES': [
...
'rest_framework.authentication.SessionAuthentication',
'drf_keycloak_auth.authentication.KeycloakAuthentication',
]
}
The drf_keycloak_auth
application comes with the following settings as default, which can be overridden in your project's settings.py
file. Make sure to nest them within DRF_KEYCLOAK_AUTH
as below:
# should be comma separated string
KEYCLOAK_ROLES_TO_DJANGO_IS_STAFF = \
os.getenv('KEYCLOAK_ROLES_TO_DJANGO_IS_STAFF')
DEFAULTS = {
'KEYCLOAK_SERVER_URL': os.getenv('KEYCLOAK_SERVER_URL'),
'KEYCLOAK_REALM': os.getenv('KEYCLOAK_REALM'),
'KEYCLOAK_CLIENT_ID': os.getenv('KEYCLOAK_CLIENT_ID'),
'KEYCLOAK_CLIENT_SECRET_KEY': os.getenv('KEYCLOAK_CLIENT_SECRET_KEY'),
'KEYCLOAK_AUTH_HEADER_PREFIX':
os.getenv('KEYCLOAK_AUTH_HEADER_PREFIX', 'Bearer'),
'KEYCLOAK_ROLE_SET_PREFIX':
os.getenv('KEYCLOAK_ROLE_SET_PREFIX', 'role:'),
'KEYCLOAK_MANAGE_LOCAL_USER':
os.getenv('KEYCLOAK_MANAGE_LOCAL_USER', True),
'KEYCLOAK_MANAGE_LOCAL_GROUPS':
os.getenv('KEYCLOAK_MANAGE_LOCAL_GROUPS', False),
'KEYCLOAK_DJANGO_USER_UUID_FIELD':
os.getenv('KEYCLOAK_DJANGO_USER_UUID_FIELD', 'pk'),
'KEYCLOAK_FIELD_AS_DJANGO_USERNAME':
os.getenv('KEYCLOAK_FIELD_AS_DJANGO_USERNAME', 'preferred_username'),
'KEYCLOAK_ROLES_TO_DJANGO_IS_STAFF': (
[x.strip() for x in KEYCLOAK_ROLES_TO_DJANGO_IS_STAFF.split(',')]
if KEYCLOAK_ROLES_TO_DJANGO_IS_STAFF
else ['admin'] # can be list, tuple or set
)
}
All you need to do now is have your client code handle the Keycloak authentication flow, retrieve the access_token for the user, and then use the access_token for the user in an Authorization
header in requests to your API.
Bearer <token>
Roles will be present in request.roles
with a KEYCLOAK_ROLE_SET_PREFIX
prefix (only if succesfully authenticated), e.g.:
['role:admin', 'a4a9be6e-bd04-42f8-9377-27d9db82216f']
except for the authenticated user's pk field, e.g. for a user model using uuid's as primary key:
['role:user', 'a4a9be6e-bd04-42f8-9377-27d9db82216f']
where the pk can be used for checking object ownership.
If you wish to create your own role permissions:
https://www.django-rest-framework.org/api-guide/permissions/#custom-permissions
simply import and use the prefix helper:
from .keycloak import prefix_role
ROLE_USER = prefix_role('user')
ROLE_SERVICE = prefix_role('service')
ROLE_ADMIN = prefix_role('admin')
request.user.is_staff will be modified based upon roles in KEYCLOAK_ROLES_TO_DJANGO_IS_STAFF
.
These roles can be hard coded as a list, tuple or set, or from a comma-separated env var.
Functionality ignored if KEYCLOAK_ROLES_TO_DJANGO_IS_STAFF is None or empty.
If your user model doesn't / can't have a UUID primary key, override the KEYCLOAK_DJANGO_USER_UUID_FIELD
setting to indicate a unique UUIDField
on your model, e.g.:
KEYCLOAK_DJANGO_USER_UUID_FIELD = 'uuid'
Voila!
Contributing
- Please raise an issue/feature and name your branch 'feature-n' or 'issue-n', where 'n' is the issue number.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for drf_keycloak_auth-0.0.1.dev13.tar.gz
Algorithm | Hash digest | |
---|---|---|
SHA256 | ff7c7a485677f115147f70d979a68df05980d3061b890c55f13852a941adf19c |
|
MD5 | e8d249b4d92d4ad1e84dc884c31ac1c4 |
|
BLAKE2b-256 | cdff09dd750cc282bceb6ad9ba31167e5b47d97297957338467b287b893d4acd |
Hashes for drf_keycloak_auth-0.0.1.dev13-py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | f3b36383d9c45cff5c0de64a7cb92bc6d7aea77a9cb8af208a012b1ec7460d00 |
|
MD5 | dc89c3bcfe6e377d19af80478dbdaec4 |
|
BLAKE2b-256 | 0315da7901769440891ba32c09e74dc054ba94f6287232a9792d6269fef5c5d5 |