1
Watch
30
Star
10
Fork
2
Issue

Material referenced in the talks @pythonindia @python-sverige

Vibhu-Agarwal
Vibhu-Agarwal
pushedAt 1 month ago

Vibhu-Agarwal/Developing-an-SSO-Service-using-Django

Developing-a-Single-Sign-On-Service-using-Django

Conference Date and Time Venue Slide Deck Video
PyCon Sweden 2020 14:15 CET, November 12, 2020 Online Link YouTube
PyCon India 2020 15:20 IST, October 3, 2020 Online Link YouTube, Hopin

Description:

Single-Sign-On (SSO) allows users to authenticate with a single ID and password to any of several related, yet independent, software systems.[1] Google's authentication system is one such example through which it allows users to sign-in to YouTube, G-Mail, Docs and several other products.

We'll be discussing how a SSO works and how it can be designed, architected and implemented in Python using Django (REST Framework). This will also feature the particular implementation, being used at Viga Studios to develop a SSO service for all of their products.

Who's this talk for?

  • Anyone who's curious to know what goes on behind services like 'One-Account for all of Google'
  • Anyone who wants to know how a Single-Sign-On can be implemented for their own business
  • Anyone who wants to maintain a central database for storing their user data for a bunch of applications under them
  • Anyone who wants a way to separate their auth-server from their application-specific back-end
  • Anyone who wants to dive deep into authentication with Django

How SSO works

  • The SSO is developed to provide a single point for managing authorization and authentication for individual services which can be on any platform: Mobile, Desktop or Web. The SSO service handles all the authorization part and most of the authentication part is carried out by individual services based on the particular service's use-case.
  • Users are redirected to SSO when requested for resources which need authentication. Authentication is then handled by the SSO following some protocol (most common ones listed below).
  • Sessions store the data for making further authorized requests and can be maintained at different points: SSO-level, Local Session or Identity Provider Session.

Different Protocols

OpenID Connect (OIDC)

OIDC is an authentication protocol, based on the OAuth 2.0 family of specifications. It uses simple JSON Web Tokens (JWT), which can be obtained using flows conforming to the OAuth 2.0 specifications.[2][3]

  • Access Tokens are credentials used to access protected resources. An access token is a string representing an authorization issued to the client.[4]
  • Refresh Tokens are credentials used to obtain access tokens.[4]

We'll be following OIDC and using JSON Web Tokens (JWT) for transferring Access Tokens and Refresh Tokens through HTTP(s). We'll also have a short demo using Postman to see how to use JWT.

Using Django to develop a SSO service

We will walk through each of these sections discussing the implementation, what was the need and why a particular method was adopted.

Discussion and a short demo on Access and Refresh Tokens

Introduction to Asymmetric Keys and their usage

  • The need for using asymmetric algorithms for encryption
  • Using cryptography for generating public and private keys
    • Private-keys can be used to decrypt messages which were encrypted with the corresponding Public-key, as well as to create signatures, which can be verified with the corresponding Public-key [5]

Designing Database: Walk through the UML of the project

  • Key models needed to set-up the service

Using Business-Specific Permissions and developing APIs (Code Walk-through)

Integrating Services

  • Configuring SSO to integrate individual services
    • As the new services and products are created, their integration with SSO should require minimum effort and how we can configure the SSO to do that

Prerequisites:

  • Basic understanding of JWT
  • Basic understanding of (RESTful) Web APIs
  • To understand the last 30% of the talk, basic knowledge Django and REST Framework

References:

  1. Single-Sign-On - Wikipedia
  2. OpenID Connect - Auth0
  3. Map of Oauth 2.0 Specs - oauth.com
  4. Access Tokens and Refresh Tokens - IETF RFC #6749
  5. Public and Private Keys - pyca/cryptography Docs

Speaker Info:

I am an avid Pythonista and an Open-Source Enthusiast, currently working at Viga Studios as a back-end developer, Intern. I've always been a community guy, organizing workshops in college on weekdays and spending weekends attending meetups and conferences all over Delhi-NCR at PyDelhi, PyData, ILUG-D, AWS and GDG.

Speaker Links:

ucloud ads