OAuth2 and Django, What You Should Know

Video in TIB AV-Portal: OAuth2 and Django, What You Should Know

Formal Metadata

CC Attribution - ShareAlike 4.0 International:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor and the work or content is shared also in adapted form only under the conditions of this license.

Content Metadata

OAuth 2.0 is the current version of OAuth, a hotly debated open standard for authorization. Implementing it allows your users to grant access to their data to other services, turning your collection of services into a platform. In this talk I will discuss the options you have for creating your own OAuth 2.0 components with Django, how to use them, and common implementation mistakes.
...they will talk to you about OAuth2 and Django, what you should know. A little bit about me: I work for a small company called OpenEye Scientific Software, and we make scientific software for drug discovery. We're also a corporate member of the Django Software Foundation. I create web services that allow our customers to access our drug discovery tools, including the authentication and authorization services. Prior to joining OpenEye I was a scientist at Los Alamos National Laboratory, where I worked in high-performance computing. Enough about me; let's talk about Django and OAuth, what you should know
about it. I hope that at the end of this you know a little bit about how it works, you know how to use it with Django, and you know the common mistakes you should avoid. In order to understand OAuth it's useful to understand the problem it's trying to solve. So let's say we have a user; we'll call her Alice. Alice is an engineer who designs parts in 3D, and she stores those designs in a cloud storage service. Occasionally Alice needs to print those designs out using a 3D printer, which she doesn't own; however, there is a service out there that will do that for her. Now this service needs to access those designs in order to print them, and Alice could upload a copy of each design every time she wanted to print one, but it would be more convenient if that service were allowed to access those designs directly. She's not going to give her password to that 3D printing service; that would be foolish, and her designs are protected by a password in the cloud. What she needs instead is a way to tell the cloud storage service: yes, this 3D printing service can access these designs, and do it in a controlled, secure manner. That is what OAuth
was designed for. I'll come back to this example later, but in summary, OAuth was designed to allow authorization for web services without the need to disclose a user's password. It's often referred to as the valet key for the web: in the same way that a valet key will let you drive someone's car without getting into the glove box, OAuth provides a means for specifying authorization. Now this talk is about OAuth 2, but before OAuth 2 there was of course OAuth 1. But nobody uses that anymore, right? We all decided 2 was better and moved on. Sadly that is not the truth; there's a large divide between OAuth 1 and OAuth 2 for a variety of reasons, but I'm not going to talk about those reasons here. To borrow from the spec, that is beyond the scope of this document. So OAuth 2 is called the next evolution of the OAuth protocol, although if you want to be technically correct, that's only kind of correct: it's a framework, not a protocol, and it's a whole lot more general than OAuth 1. It was released as RFC 6749 and I recommend all of you read it. It's an easy read, trust me: they left all the hard bits up to you. I summarize the differences between OAuth 1 and 2 by letting you know that they've added the requirement for Transport Layer Security (some of you may refer to this as SSL). In exchange for that requirement they were able to remove some complexity from the protocol, making it a little easier to use. In other words, OAuth 1 was designed to be secure independently of the transport. OAuth 2 has its own
vocabulary. I'm going to go over some of the terms I'll be using throughout the remainder of the talk. First we have the resource owner; this is what we would call a user, and this user owns data that is stored on the resource server. The resource server is a server that hosts the data and provides controlled access to it according to the specification; it provides that access to the client. The client is another application that accesses data residing on the resource server belonging to the resource owner. It can do this by working with the authorization server, which puts all of this together by taking the authenticated user and allowing the user to specify the access given to clients, and it enacts that access by granting tokens. Tokens are just credentials; you can think of them like a key that has metadata attached to it. So using our previous example,
Alice is the resource owner, the client is the 3D printing service, and the cloud storage service is both the resource server and the authorization server. There's nothing in the spec that says one entity has to fill both of these roles, but it doesn't prohibit that either; it's a common example that you'll see if you use OAuth, which is why you see it here. OAuth 2 specifies a few ways
that authorization can be granted, and those are, unsurprisingly, called grants. A grant is just a way for a client to get a token. There are several different grant types and I've listed them here, but there's no need to memorize that list. Each grant has its own requirements, but they all end in the same way, and that is with the client obtaining a token. The sequence of steps required to obtain a grant is called a flow, and there's a flow for each grant type. I'm going to focus on one particular flow, the authorization code flow. The reason for that is that, according to the spec, it's optimized for confidential clients. What is a confidential client? Well, a confidential client is a client that is capable of keeping a secret. So for example, if you implement a client in JavaScript in a web browser, that would not be considered a confidential client, because it can't keep any secrets from the user. On the other hand, a Django server has to be capable of keeping secrets; we all depend on that, and therefore it's a confidential client. The authorization code flow allows us to get a token to the client without the user, or anyone else, having access to it. So how does it all work? Well, I'm going to walk you through the authorization code flow, but before we begin, a few things have already been set up. Let's assume that the user has an account on the authorization server. The client has also registered, according to the spec, with the authorization server, and so it has its own ID and its own secret, which you can think of as a username and password; that's the secret that a confidential client is capable of keeping. It also specifies another field called the redirect URI, which I'll explain later. So suppose you have an application that allows
users to log in through OAuth 2. The login page might look something like this. Notice that the browser is on client.com and the link at the bottom says "log in with example.com": two different domains. The client in this case is client.com and the authorization server is example.com. The user clicks "log in with example.com" and they'll be redirected to the authorization server, and the authorization server will ask the user to approve or deny that access. If the user clicks approve, they're then redirected back to the client, except now they're logged in. So using the example that I
had previously, Alice would attempt to log into the 3D printing service and would be redirected to the cloud storage service. Now that redirect represents the client's request to access data, so a few arguments have to be sent along with it. This is one
example of what that redirect might look like. All the arguments are passed in the query string; I put them on separate lines so you can read them. The first one is the client ID, and the client is going to include this in every single authorization request; it's just there so the authorization server can identify that client. The second argument is the scope, and this is literally the scope of the data access being requested; it should be something that is meaningful to the authorization server. Next we have the state parameter. The state parameter is an opaque string, and it's just here to mitigate cross-site request forgery attacks. I'll explain how this works later, but you should always use this, even though it's an optional parameter according to the spec. And finally we have the redirect URI; this is where the user is going to be redirected to after they've authorized access. Remember I said earlier this was one of the fields the client specifies when it registers. The reason is that the authorization server will look at this URI and make sure that it matches what the client said was a valid URI earlier, because if it didn't, you could put something evil there and redirect the user anywhere you want after they've authorized access. The reason this is dangerous is because that redirect is going to get some arguments as well, and one of those arguments is a sensitive piece of information: the authorization code, which the whole flow is named for. The authorization code eventually will be used to get an access token. So at this point in the flow the authorization server has validated the redirect URI, the client ID and the scope, and the user has approved or denied the authorization request. So using our previous
example, Alice has gone through the authorization prompt and is now redirected back to the client, the 3D printing service. As I mentioned earlier, that redirect
also has arguments, the first one being the state parameter, and it must be the same value that was supplied with the initial authorization request. Here's why. That second parameter, the authorization code, can be used to get an access token eventually, and that authorization code is associated with an account on the authorization server. So let's say, for example, that that authorization code was tied to my account on the authorization server. I initiate this flow, but I interrupt it right here, before my browser visits this URL. Instead I take this URL and embed it in a web page, and I get you to click on a link to go to that web page. Your browser loads this URL, and if the state parameter's not there, there's nothing linking the two requests together, and all of a sudden my account on the authorization server is linked to your account on the client. This is just one example of how things can go wrong, of an attack, if you don't use the state parameter. So now the user has been redirected
back to the client, and the client is going to exchange the authorization code for a token. The authorization code expires in 10 minutes or less according to the spec, and it can only be used once. Now here's how we get a token to the client without the user having access to it. The user has access to the authorization code, right? It's in the redirect. But you have to have both: the client has to have both the authorization code and the credentials belonging to the client to actually get an access token. Both pieces of information are required. So even if you leak the authorization code, if you use the authorization code flow and a confidential client, then you still can't get an access token unless that attacker also has the required credentials. I should also mention that tokens expire, but there are things called refresh tokens in the spec. I don't have time to go over that, but they do allow you to get new tokens using existing ones. So I have a
token; what do I do with it? Access the user's data, that's the whole point. We do that by including the token in the request header of any request sent to the resource server, and you do it with this syntax: the header is Authorization, and you put the word Bearer followed by a space and the value of the token. That's all you have to do. Then I can read that data and create a linked account in our client, or in our case a new Django user, and link it to the user's account on the authorization server. So now we've seen how to use the authorization code flow; how can it fail? Well, there are a few ways. If either party, the client or the authorization server, doesn't use Transport Layer Security, then all bets are off; we have no way of making any guarantees. If the authorization server does not validate the redirect URI, the authorization code can be linked to an attacker. If either party doesn't use the state parameter and verify the state parameter to be correct, then you're vulnerable to cross-site request forgery attacks. If you don't authenticate the client at the authorization server, then access to the authorization code alone can be used to get an access token. And finally, if you don't expire authorization codes, you're subject to replay attacks. Now that
we know a little bit about how OAuth 2 works, how can we use it in a Django app? Well, there are two overarching ways you can use it: you can either make your app a consumer of OAuth or a provider, and that implies you're fulfilling certain roles. For a consumer, that means you're fulfilling the role of the client in the framework; for a provider, you're fulfilling the roles of the authorization and resource servers. Each has its own requirements as well. For the client, you have to be registered with any authorization server you want to use, you've got to redirect users to those servers when you need access to data, you've got to provide callback URIs so that the authorization server knows where to send the user after they've authorized access, and you also have to deal with inconsistent implementations, of which there are many. Now on the provider side, you've got to provide endpoints for authorization and tokens, you've got to provide a means for client and user registration, but the best thing is you get to make your own inconsistent implementation. And there are many inconsistencies; in fact, all of the
implementations are consistent in the same way that all Unicode strings are UTF-8. If you get that joke, you have my condolences. Here's an example:
the token endpoints for Google, Facebook, GitHub and Foursquare. They're all different, and this is just one example of many, but keep in mind this is within the spec, because the spec doesn't say anything about what these endpoints should look like. There's a lot the spec doesn't
say. OAuth 2 was meant to be a lot more general than OAuth 1, and it really shows. Through my rigorous scientific analysis here, you can see that OAuth 2.0 was almost twice as general as OAuth 1. There's a lot that's left up to you. I pulled a few gems that are left to you out of the spec, such as the methods used to access protected resources, the interaction between the authorization and resource servers, the location of the authorization and token endpoints, and the methods used to validate the access token. The methods used to validate the access token,
remember that. But don't worry, it's not all up to you; the Django, Python and OAuth communities have your back. There are quite a few libraries
available, so I made this table for you based on my own reading. Here you can see which libraries implement the consumer and provider bits, whether or not each is compatible with Python 3 (if you're the kind of person who cares, and I am one of those), test coverage (I don't get too religious about test coverage, but I do believe the simple premise that well-tested code on average is better), and finally the number of downloads in the last month from PyPI. Two libraries stand out immediately: one that implements the consumer bits and one that implements both the consumer and provider bits. Python Social Auth is quite popular; you can see it has decent test coverage and is Python 3 compatible, and I know that it has very good docs. django-oauth-toolkit implements both consumer and provider, is Python 3 compatible, and has excellent test coverage. And finally, I can't give this talk without mentioning OAuthLib. OAuthLib doesn't actually provide Django-specific bits; rather, it provides generic reusable components, and it is the library that powers django-oauth-toolkit. And to the creator of OAuthLib
I'd like to say thank you. I don't know if he's here, but in addition to being a Django core developer he has made OAuth what it is for all of us; he's done a great job. So let's use them. Before moving on, I need to explain a little
bit about how Django authentication works. Django authenticates users in middleware, and that's the code that processes your request before it gets to your view code. The way that it happens is that it iterates through a list of pre-configured backends, which are set in your Django settings, and if it's able to authenticate a user using one of those backends, it sets request.user to the authenticated user, or anonymous if you allow that. The backend you're probably most familiar with, or that you use the most, is the ModelBackend. I've trimmed out the bits that aren't relevant, but it looks something like this: all it does is compare the hash of the password provided for the given user against the hash stored in the database. Any Django package that provides authentication is going to have to implement a backend such as this, only in place of checking the password it would initiate or complete an OAuth 2 flow. So let's talk about Python Social
Auth and the consumer bits. Notice it's called Python Social Auth, not Django Social Auth, because it supports several frameworks, not just Django. It also has built-in support for many providers; all the large providers you would expect to be there are. It provides an authentication backend, like what I described, for each provider. It has higher-level abstractions called pipelines, the mechanisms for associating and disassociating user accounts on the authorization server with your app, and those are quite convenient. I'm happy to say that
it implements the state parameter that I mentioned earlier, because that's important, but not for every provider, because it's configurable and not every provider supports it. Sometimes it's disabled incorrectly, as was the case for Spotify and angel.co. In preparing for this talk I found out that the built-in configurations in Python Social Auth for these two providers were wrong, and I opened an issue and they fixed it. This is open source working before your very eyes. If you're curious as to how I found that, I used the example apps it has built in, and for the providers I just looked at the redirection URLs to see whether the state parameter was present, and I compared the presence of it against the documentation for that provider.
It's got excellent Django support, so things like login_required still work just how you think they would, and it works with the session and authentication middlewares, and it deals with all of those inconsistent provider implementations for you, and I think that's great. Just to remind yourselves of the component that we're actually
implementing: in the previous example, Python Social Auth gives you the client. So in summary, on Python Social Auth: if you only need an OAuth consumer, I suggest you start there, but carefully choose your backends and verify the settings. Moving on, next I want to talk about django-oauth-toolkit. It's implemented essentially as OAuthLib plus some models, views and URLs, which I think is just perfect. It's RFC 6749 compliant, which means it supports other flows, not just the authorization code flow that most packages do. It also uses the state parameter, which I'm happy to say, and it validates the redirect URI. From the docs, they call it "OAuth2 goodies for the Djangonauts", and it works quite well. What that gives us is
both the authorization server and the resource server. It gives us those two components, and again, they don't have to be the same entity, but they can be. It gives
you built-in views for managing clients, what they call applications, and for managing tokens, and it also gives you mixin classes for protecting resources by requiring a token to be present in order to get to that view. Here is one example: you can import the protected resource view, and before this code is executed it's going to ensure the token has been presented, and it's going to set request.user. I lifted this straight from the documentation; it's really easy. If you use Django REST framework, you'll be happy to know that they have built-in support for Django REST framework, and you can configure your viewset just like that. There is not built-in support for Tastypie, but that can be done with a little bit of work. So adding token authentication to your API is literally this easy; this is all you have to do. So right now we've used django-oauth-toolkit to build both the resource and the authorization server. Remember how I said the methods used by the resource server to validate the access token are left out of the spec? Well, somehow this package has been validating the access token, so how do you think it works? It just checks for the presence of the token, and it can do that because it is using the same database for both the resource server and the authorization server; so it just checks for the presence of the token and that the scope is correct. But what you might
actually want is a separation of the resource and authorization servers, right? The spec says that's fine, you can do that, they can be separate entities, but django-oauth-toolkit doesn't immediately allow for that separation, simply because both components are using the same database. So even if you could separate them out, they're using the same database, so what you have is an architecture that
looks like this, where the authorization and resource server are together, so that means every server in your architecture, every service, has to also be an authorization server with its own database. What you would rather have is
something that looks more like a platform: a suite of services, where one of those services is the authorization service, your services talk to it, and they have separate databases. Now
with Django you can build a standalone resource server. It's going to have a separate database, which immediately means that the user is known in two places, because you've got to have linked accounts in your client that link to your authorization server, and you can no longer use the django-oauth-toolkit authentication backend or middleware. That means we need a way to validate tokens, because we were relying on that, and remember those methods used to validate the tokens generally involve an interaction. Well, we can do this, and I'm going to give you two possible solutions. The first one is to add a
token validation view to the authorization server, such as a view that sends back some information about the token. So a client sends a request to the resource server including a token, the resource server sends a request to the authorization server with the same token, and the authorization server says yes, this token is good, and here's the metadata about it. It's still RFC 6749 compliant, and if you're having second thoughts about this, keep in mind that this is exactly what Google does, because there are situations in which you receive a token but you're missing some critical piece of information about it, such as when it expires, and you use an API endpoint like this to provide that information. The second solution is out-of-band storage via signals, and what I mean by out of band is not your Django database. So you can use a separate database, or anything else for that matter. You can use the built-in signal mechanisms in Django, the save and delete signals on the access token, and you provide functions that synchronize that token into your own data store. So now we can build a Django resource server and we can verify tokens, but without django-oauth-toolkit you don't have this nice OAuth2 token middleware that authenticates a user and sets request.user, so you still need to roll your own authentication backend. I'm not going to give you code, but it's really easy to do. What you have to do is retrieve the token from the request, verify that token using one of the methods that I just showed you, then set request.user to the authenticated user, creating a local account if necessary. OAuthLib has some nice examples to get you started in the documentation.
So now you've seen Django as a consumer with Python Social Auth, and as a provider using django-oauth-toolkit, and some common mistakes to avoid. In the client, always use the state parameter; I know it's optional, but you should always, always use it. On the server we do the same thing; we need to fully support it, right? And the server must always validate the redirect URI, very important. The server needs to expire authorization codes, and most of all, everyone involved has to use TLS, right? If this is the only slide you pay attention to, good, this is the one you need to watch. But don't take my word for it: read the spec. I trust, but verify. That concludes my talk, thank you very much.
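The checks the talk lists for the authorization server (exact redirect URI matching, the state parameter, short-lived single-use authorization codes, and client authentication at the token endpoint) are easier to see together than one at a time. The following is an added example written for this page, not code from the talk, django-oauth-toolkit or OAuthLib; it is framework-free Python that models only the server-side logic, and every name (AuthorizationServer, the "printer" client, the example.com-style URIs) is a hypothetical stand-in. Lifetimes are passed in explicitly so that expiry can be demonstrated without waiting.

```python
"""Authorization-code-grant server logic, framework-free (added example).

Models the checks from the talk's "how can it fail" list. Hypothetical
names throughout; the code lifetime follows RFC 6749's 10-minute maximum.
"""
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

CODE_LIFETIME = 600     # seconds; RFC 6749 recommends at most 10 minutes
TOKEN_LIFETIME = 3600   # constructed value for this example


class OAuthError(Exception):
    """Raised for any failed check; the message is the RFC 6749 error code."""


class AuthorizationServer:
    def __init__(self):
        self.clients = {}   # client_id -> {"secret": str, "redirect_uris": [str]}
        self.codes = {}     # authorization code -> metadata
        self.tokens = {}    # access token -> metadata

    def register_client(self, client_id, client_secret, redirect_uris):
        """Clients register ahead of time with an ID, a secret and redirect URIs."""
        self.clients[client_id] = {"secret": client_secret,
                                   "redirect_uris": list(redirect_uris)}

    def authorize(self, client_id, redirect_uri, scope, state, user, approved,
                  now=None):
        """Authorization endpoint, after the user approved or denied the request.

        Returns the redirect URL the user agent is sent back to.
        """
        now = time.time() if now is None else now
        client = self.clients.get(client_id)
        if client is None:
            raise OAuthError("unauthorized_client")
        # Exact match against the registered URIs: the code is delivered to this
        # URI, so an unregistered one is never redirected to.
        if redirect_uri not in client["redirect_uris"]:
            raise OAuthError("invalid_request")
        # state is optional in the spec; this server requires it, as the talk advises.
        if not state:
            raise OAuthError("invalid_request")
        if not approved:
            return redirect_uri + "?" + urlencode({"error": "access_denied", "state": state})
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri,
                            "scope": scope, "user": user,
                            "expires": now + CODE_LIFETIME, "used": False}
        # The state value is echoed back unchanged so the client can match it.
        return redirect_uri + "?" + urlencode({"code": code, "state": state})

    def token(self, client_id, client_secret, code, redirect_uri, now=None):
        """Token endpoint: only an authenticated client can redeem a code, once."""
        now = time.time() if now is None else now
        client = self.clients.get(client_id)
        # Constant-time comparison of the client secret.
        if client is None or not hmac.compare_digest(client["secret"], client_secret):
            raise OAuthError("invalid_client")
        meta = self.codes.get(code)
        if meta is None or meta["used"] or meta["expires"] < now:
            raise OAuthError("invalid_grant")   # unknown, replayed or expired code
        if meta["client_id"] != client_id or meta["redirect_uri"] != redirect_uri:
            raise OAuthError("invalid_grant")   # code issued to a different client/URI
        meta["used"] = True  # single use: a second redemption fails above
        access_token = secrets.token_urlsafe(32)
        self.tokens[access_token] = {"user": meta["user"], "scope": meta["scope"],
                                     "client_id": client_id,
                                     "expires": now + TOKEN_LIFETIME}
        return {"access_token": access_token, "token_type": "Bearer",
                "expires_in": TOKEN_LIFETIME, "scope": meta["scope"]}


def callback_params(url):
    """Query parameters of a redirect URL, as a flat dict."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def failure(fn):
    """Return the OAuth error code a call raises, or None if it succeeds."""
    try:
        fn()
    except OAuthError as exc:
        return str(exc)
    return None
```

Redeeming the same code twice, redeeming it without the client secret, redeeming it after the lifetime, or asking for a redirect to an unregistered URI all fail with the spec's error codes, which is the behaviour the talk's closing slide asks for.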
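Two other pieces the talk describes in prose are the client's side of the state check (the planted-link scenario) and the standalone resource server that presents a Bearer token to a token validation view on the authorization server. The following is an added example, not code from the talk or from Python Social Auth, django-oauth-toolkit or OAuthLib; it is framework-free Python, and the session dict, the AUTHORIZE_URL, the sample_token_info callback and the token values are all constructed stand-ins. The callback plays the role of the HTTPS request a real resource server would make to the authorization server's validation view.

```python
"""Client-side state check and a standalone resource server (added example).

All names and sample values are constructed for illustration.
"""
import secrets
from urllib.parse import urlencode

AUTHORIZE_URL = "https://example.com/oauth/authorize"   # hypothetical provider


def build_authorization_request(session, client_id, redirect_uri, scope):
    """Client step 1: mint a fresh state, remember it in the session, redirect."""
    state = secrets.token_urlsafe(16)
    session["oauth_state"] = state
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": scope, "state": state}
    return AUTHORIZE_URL + "?" + urlencode(params)


def handle_callback(session, query):
    """Client step 2: accept the code only if the state matches this session.

    Returns the authorization code, or None when the callback cannot be tied
    to an authorization request this session started (the planted-link case).
    """
    expected = session.pop("oauth_state", None)   # one-shot: never reused
    received = query.get("state")
    if expected is None or received is None or not secrets.compare_digest(expected, received):
        return None
    if "error" in query:          # user denied, or provider reported an error
        return None
    return query.get("code")


class ResourceServer:
    """Resource server with its own database; validates tokens out of band."""

    def __init__(self, token_info, required_scope):
        # token_info(token) -> metadata dict or None. In a deployment this is a
        # request to the authorization server's token validation view.
        self.token_info = token_info
        self.required_scope = required_scope

    @staticmethod
    def bearer_token(headers):
        """Extract the token from 'Authorization: Bearer <token>', else None."""
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        if scheme.lower() != "bearer" or not token.strip():
            return None
        return token.strip()

    def authenticate(self, headers, now):
        """Return the user the token belongs to, or None if it is not acceptable."""
        token = self.bearer_token(headers)
        if token is None:
            return None
        info = self.token_info(token)
        if not info or not info.get("active") or info.get("expires", 0) <= now:
            return None
        if self.required_scope not in info.get("scope", "").split():
            return None
        return info["user"]


# Constructed stand-in for the authorization server's validation answers.
SAMPLE_TOKENS = {
    "good-token": {"active": True, "user": "alice", "scope": "designs:read", "expires": 2000.0},
    "expired-token": {"active": True, "user": "alice", "scope": "designs:read", "expires": 500.0},
    "narrow-token": {"active": True, "user": "alice", "scope": "profile", "expires": 2000.0},
    "revoked-token": {"active": False, "user": "alice", "scope": "designs:read", "expires": 2000.0},
}


def sample_token_info(token):
    """Constructed lookup; a real call would be an HTTPS request returning JSON."""
    return SAMPLE_TOKENS.get(token)
```

A callback whose state is absent, mismatched, or belongs to no request started by the current session is dropped before any account linking happens, and the resource server rejects tokens that are expired, revoked, or lack the scope the endpoint needs, which is the information the validation view exists to supply.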