Skip to main content

Google Cloud Identity-Aware Proxy authentication policy for Pyramid

Project description

============================================================
Google Cloud Identity-Aware Proxy Authentication for Pyramid
============================================================

This package implements an authentication policy for Pyramid compatible with Google Cloud's `Identity-Aware Proxy <https://cloud.google.com/iap/>`.


Configuration
=============

After configuring your Identity-Aware Proxy, get the *Signed Header JWT Audience* from its settings (detailed instructions in `Securing your app with signed headers <https://cloud.google.com/iap/docs/signed-headers-howto>`.)

To enable JWT support in a Pyramid application:

.. code-block:: python

from pyramid.config import Configurator
from pyramid.authorization import ACLAuthorizationPolicy
from pyramid_iap import JWTClaimAuthenticationPolicy

def main():
config = Configurator()
# Pyramid requires an authorization policy to be active.
config.set_authorization_policy(ACLAuthorizationPolicy())
# Identity-Aware Proxy's Signed Header JWT Audience.
audience = "/projects/123/global/backendServices/456"
# Enable JWT authentication.
config.include('pyramid_iap')
config.add_iap_jwt_claims(audience)
config.set_authentication_policy(JWTClaimAuthenticationPolicy())

By default, the userid is the "sub" claim of the JWT token (e.g. "accounts.google.com:123456".) To instead use the "email" claim (e.g. "test@example.com") specify:

.. code-block:: python

config.set_authentication_policy(JWTClaimAuthenticationPolicy(userid_claim="email"))


Settings
========

There are a number of flags that specify how tokens are verified.
You can either set this in your .ini-file, or pass/override them directly to the ``config.add_iap_jwt_claims()`` function.

+--------------+------------------+---------------+---------------------------------------------+
| Parameter | ini-file entry | Default | Description |
+==============+==================+===============+=============================================+
| audience | iap.audience | | Verified audience for the token (required.) |
+--------------+------------------+---------------+---------------------------------------------+


Uncommon settings
-----------------

These settings are unlikely to be needed if you are running behind Google Cloud IAP.

+--------------+-----------------+---------------+--------------------------------------------+
| Parameter | ini-file entry | Default | Description |
+==============+=================+===============+============================================+
| public_key_url | iap.public_key_url | https://www.gstatic.com/iap/verify/public_key | Url of keys used to verify token signatures. |
+--------------+-----------------+---------------+--------------------------------------------+
| algorithm | iap.algorithm | ES256 | Hash or encryption algorithm |
+--------------+-----------------+---------------+--------------------------------------------+
| leeway | iap.leeway | 0 | Number of seconds a token is allowed to be expired before it is rejected. |
+--------------+-----------------+---------------+--------------------------------------------+
| http_header | iap.http_header | x-goog-iap-jwt-assertion | HTTP header used for tokens |
+--------------+-----------------+---------------+--------------------------------------------+
| auth_type | iap.auth_type | JWT | Authentication type used in Authorization header. Unused for other HTTP headers. |
+--------------+-----------------+---------------+--------------------------------------------+


Differences with pyrmid_jwt
===========================

This package is inspired by `pyramid_jwt <https://pypi.org/project/pyramid_jwt/>` and seeks to remain compatible where possible.

* Public keys are fetched automatically from the ``public_key_url``.

* The ``create_jwt_token`` request method is not available since it is the responsiblity of the Idenitity-Aware Proxy to issue tokens.

* No authentication policy is configured by the ``add_iap_jwt_claims`` config method to provide flexibility for those using ``pyramid_multiauth``.


Changes
=======

0.1 (2019-02-14)
----------------

* Initial release

Project details


Release history Release notifications | RSS feed

This version

0.1

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

pyramid_iap-0.1.tar.gz (5.4 kB view details)

Uploaded Source

Built Distribution

pyramid_iap-0.1-py3-none-any.whl (6.0 kB view details)

Uploaded Python 3

File details

Details for the file pyramid_iap-0.1.tar.gz.

File metadata

  • Download URL: pyramid_iap-0.1.tar.gz
  • Upload date:
  • Size: 5.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: Python-urllib/3.7

File hashes

Hashes for pyramid_iap-0.1.tar.gz
Algorithm Hash digest
SHA256 df77be0f80aa60520180fc3f00290d77e62cd94f533c01dd18039c7b527d6c1a
MD5 a3313daaac16f041c3b9cf7a0362a18d
BLAKE2b-256 179565a081d5499ebf85a3bb85b1ea6d2983dff22a70e82fd273130351114b00

See more details on using hashes here.

File details

Details for the file pyramid_iap-0.1-py3-none-any.whl.

File metadata

  • Download URL: pyramid_iap-0.1-py3-none-any.whl
  • Upload date:
  • Size: 6.0 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: Python-urllib/3.7

File hashes

Hashes for pyramid_iap-0.1-py3-none-any.whl
Algorithm Hash digest
SHA256 533f8817485a2671da4e8d11bdc0b42bdb45b90d4375da3d14ed6ce0d88df984
MD5 35a6e6b035bdab79ec1156fc2ae6693b
BLAKE2b-256 e096197ed5736e18820e1e037636345c087521075cc26714995fffb329399ba8

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page