Skip to main content

Simplifying third-party authentication for web applications.

Project description




Velruse is a set of authentication routines that provide a unified way
to have a website user authenticate to a variety of different identity
providers and/or a variety of different authentication schemes.

It is similar in some ways to RPXnow with the exception of being
open-source, locally installable, and easily pluggable for custom
identity providers and authentication schemes.

You can run Velruse as a stand-alone service for use with your websites
regardless of the language they're written in. While Velruse itself is
written in Python, since it can interact with your website purely via

Velruse can:

* Normalize identity information from varying provider sources
(OpenID, Google, Facebook, etc.) to Portable Contacts.
* Simplify complex authentication protocols by providing a simple
consistent API.
* Provide extension points for other authentication systems, write your
own auth provider to handle CAS, LDAP, and use it with ease.
* Integrate with most web applications regardless of the language used
to write the website.



Velruse aims to simplify authenticating a user. It provides auth
providers that handle authenticating to a variety of identity providers
with multiple authentication schemes (LDAP, SAML, etc.).

Eventually, Velruse will include widgets similar to RPXNow that allow
one to customize a login/registration widget so that a website user can
select a preferred identity provider to use to sign-in.

In the mean-time, effort is focused on increasing the available auth
providers for the commonly used authentication schemes and identity
providers (Facebook, Google, OpenID, etc).

Unlike other authentication libraries for use with web applications, a
website using Velruse for authentication does not have to be written in
any particular language.


Velruse implements an API similar to RPXNow to standardize the way a
web application handles user authentication.

Velruse Authentication flow

1. Website sends a POST to the auth provider‘s URL with an endpoint that
the user should be redirected back to when authentication is complete
and includes any additional parameters that the auth provider requires.
2. When the auth provider finishes the authentication, the user is
redirected back to the endpoint specified with a POST, which includes
a unique token.
3. Website then makes a query to the UserStore using the token that was
provided. The user’s identity information will be returned, or an
error if the authentication was unsuccessful.

If the website is unable to directly access the UserStore then Step 3 can
be replaced by issuing a HTTP POST in the background to the auth provider
requesting the user’s information with the token.

1.1.1 (2013-08-29)

This release primarily includes various unicode improvements as we approach
py3k support.

Bug Fixes

- [twitter] Fix bug when twitter sends a `null` value for `utc_offset`.

1.1 (2013-06-27)

New Features

- Minimal Py3k compatibility.

- Switch dependency to 'python3-openid' for Py3k.

- [bitbucket] Add an extra query to populate the `emails` and `verifiedEmail`
keys in the profile.

- [douban] The douban provider now uses their OAuth2 API instead of OAuth1.0.

- [facebook] Support optional `display` parameter for facebook logins.

- [linkedin] Add support for email address.

- [linkedin] Standardize the default login and callback urls to be similar
to all of the other providers by using the `/login/{provider}` prefix.

- [twitter] Support more portable contacts keys including `preferredUsername`.

- [weibo] Add support for the `scope` parameter.

Backward Incompatibilities

- Standardize birthdays to YYYY-MM-DD format as specified by Portable
Contacts instead of using Python date objects. This was done to follow
the spec more closely and keep the standalone app's serialized profile
the same as the plugin's profile.

- [douban] The douban provider now uses their OAuth2 API instead of OAuth1.0.

- [facebook] Profile keys `gender`, `emails` and `verifiedEmail` will not be
present in the profile if they are not available.

- [openid, google_hybrid, yahoo] The default OpenID store is now stateless,
changed from the previous default
:class:``. The provider can be updated
by specifying the `store` opention when creating creating each provider.


- Switch to using oauthlib instead of python-oauth2 for
OAuth1-based providers.

1.0.3 (2012-10-11)

- [google_hybrid] Modified the type of the
to be ``google_hybrid`` instead of ``google``.

1.0.2 (2012-10-11)

- [facebook,github,weibo] Fix bug in CSRF checking where Velruse would pass
the CSRF check if a session had not been started.

- [google_hybrid] Renamed the Google OpenID+OAuth1.0 hybrid module to
``google_hybrid``. There are bw-compat shims left in
````. This will be deprecated in a future release.

- [google_oauth2] Added support for Google's OAuth2.0 protocol.

- [mailru] Added a new provider for

- [vk] Added a new provider for (Vkontakte).

- [yandex] Added a new provider for

1.0.1 (2012-08-30)

- [facebook] Modified handling of timezone offsets in user profiles to be more
robust to different "minute" values.

1.0 (2012-08-14)

Version 0.3 is classified as an older release than the previous 0.20
in the semantic versioning scheme. Thus 0.3 was a brownbag and 1.0 will
correct that issue.

This release is also an opportunity to promote Velruse's new API and
provide confidence that it will try to maintain backward compatibility
going forward.

0.3b3 (2012-08-06)

- 0.3b2 was a brownbag

0.3b2 (2012-08-06)

- [github] Add CSRF checks to the provider as they started requiring the
OAuth state variable to be used.

0.3b1 (2012-08-03)

- Complete rewrite of the Velruse internal API. It is now written as a
fully supported Pyramid plugin.

- Overhaul of documentation.

+ Individually documented the standalone service application and
the Pyramid plugin API.

- Removed support for Twitter's authorization API. This will be brought
back in a future release.

- Added support for several new OAuth2.0 providers.

+ douban
+ github
+ linkedin
+ qq
+ renren (
+ taobao
+ weibo

0.20a1 (2011-05-25)

- Minor bug fixes.

0.1 (2010-04-30)

- Initial release.

Project details

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

rgomes_velruse-1.1.2.tar.gz (98.6 kB view hashes)

Uploaded source

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page