Page MenuHomeSoftware Heritage

django: Add OIDC Authorization code PKCE authentication backend
ClosedPublic

Authored by anlambert on Mar 26 2021, 5:53 PM.

Details

Summary

Add a generic Django authentication backend and related login / logout
views enabling to authenticate a user using Keycloak and the OpenID
Connect authorization code flow with PKCE ("Proof Key for Code Exchange").

The backend can be easily plugged into any django application by:

  • adding "swh.auth.django.backends.OIDCAuthorizationCodePKCEBackend" to the AUTHENTICATION_BACKENDS django setting
  • configuring Keycloak by adding SWH_AUTH_SERVER_URL, SWH_AUTH_REALM_NAME and SWH_AUTH_CLIENT_ID in django settings
  • adding swh.auth.django.views.urlpatterns to the django application URLs
  • using the dedicated django views: "oidc-login" and "oidc-logout"

That diff basically move code and tests from swh-web with slight changes
to make the backend generic.

Related to T3150

Diff Detail

Repository
rDAUTH Common authentication libraries
Branch
django-oidc-auth-backends-pkce
Lint
No Linters Available
Unit
No Unit Test Coverage
Build Status
Buildable 20361
Build 31610: Phabricator diff pipeline on jenkinsJenkins console · Jenkins
Build 31609: arc lint + arc unit

Event Timeline

Build has FAILED

Patch application report for D5365 (id=19218)

Rebasing onto cce5275cc4...

Current branch diff-target is up to date.
Changes applied before test
commit 0dbac0728e5b7845d27fea5afefda5f0423bc8fd
Author: Antoine Lambert <antoine.lambert@inria.fr>
Date:   Wed Mar 24 17:18:18 2021 +0100

    django: Add OIDC Authorization code PKCE authentication backend
    
    Add a generic Django authentication backend and related login / logout
    views enabling to authenticate a user using Keycloak and the OpenID
    Connect authorization code flow with PKCE ("Proof Key for Code Exchange").
    
    The backend can be easily plugged into any django application by:
    
     - adding "swh.auth.django.backends.OIDCAuthorizationCodePKCEBackend"
       to the AUTHENTICATION_BACKENDS django setting
    
     - configuring Keycloak by adding SWH_AUTH_SERVER_URL, SWH_AUTH_REALM_NAME
       and SWH_AUTH_CLIENT_ID in django settings
    
     - adding swh.auth.django.views.urlpatterns to the django application URLs
    
     - using the dedicated django views: "oidc-login" and "oidc-logout"
    
    Related to T3150

Link to build: https://jenkins.softwareheritage.org/job/DAUTH/job/tests-on-diff/59/
See console output for more information: https://jenkins.softwareheritage.org/job/DAUTH/job/tests-on-diff/59/console

Harbormaster returned this revision to the author for changes because remote builds failed.Mar 26 2021, 5:53 PM
Harbormaster failed remote builds in B20300: Diff 19218!

Fix remaining import from swh-web.

Build is green

Patch application report for D5365 (id=19220)

Rebasing onto cce5275cc4...

Current branch diff-target is up to date.
Changes applied before test
commit 6b6df8f54593715a5986d281bc2835a3c2d70d26
Author: Antoine Lambert <antoine.lambert@inria.fr>
Date:   Wed Mar 24 17:18:18 2021 +0100

    django: Add OIDC Authorization code PKCE authentication backend
    
    Add a generic Django authentication backend and related login / logout
    views enabling to authenticate a user using Keycloak and the OpenID
    Connect authorization code flow with PKCE ("Proof Key for Code Exchange").
    
    The backend can be easily plugged into any django application by:
    
     - adding "swh.auth.django.backends.OIDCAuthorizationCodePKCEBackend"
       to the AUTHENTICATION_BACKENDS django setting
    
     - configuring Keycloak by adding SWH_AUTH_SERVER_URL, SWH_AUTH_REALM_NAME
       and SWH_AUTH_CLIENT_ID in django settings
    
     - adding swh.auth.django.views.urlpatterns to the django application URLs
    
     - using the dedicated django views: "oidc-login" and "oidc-logout"
    
    Related to T3150

See https://jenkins.softwareheritage.org/job/DAUTH/job/tests-on-diff/61/ for more details.

vlorentz added a subscriber: vlorentz.

I didn't really read, but it's all blue and copy-pasted from swh-web so it's probably fine

This revision is now accepted and ready to land.Mar 26 2021, 6:01 PM
ardumont added inline comments.
swh/auth/django/backends.py
104

great ;)

swh/auth/django/utils.py
84

is it necessarily a SignatureException? [1]

Some similar code in the deposit currently seems to only raise such as those.

If yes, we might want to catch only those prior to refresh the token.
And having a more broader one be raised or logged?
(not for now, just trying to determine if it's worth worrying about it)

[1] https://sentry.softwareheritage.org/share/issue/ca05974ff20940d892ff6c62524334c6

swh/auth/django/utils.py
84

You are right, we should only filter on ExpiredSignatureError, plus it is more readable, will adapt that diff and the next one.

Update: Only filter on ExpiredSignatureError exception to detect access token expiration.

Build is green

Patch application report for D5365 (id=19293)

Rebasing onto cce5275cc4...

Current branch diff-target is up to date.
Changes applied before test
commit 367ead11f59ffa7fa8f06e278f3fabc24c254519
Author: Antoine Lambert <antoine.lambert@inria.fr>
Date:   Wed Mar 24 17:18:18 2021 +0100

    django: Add OIDC Authorization code PKCE authentication backend
    
    Add a generic Django authentication backend and related login / logout
    views enabling to authenticate a user using Keycloak and the OpenID
    Connect authorization code flow with PKCE ("Proof Key for Code Exchange").
    
    The backend can be easily plugged into any django application by:
    
     - adding "swh.auth.django.backends.OIDCAuthorizationCodePKCEBackend"
       to the AUTHENTICATION_BACKENDS django setting
    
     - configuring Keycloak by adding SWH_AUTH_SERVER_URL, SWH_AUTH_REALM_NAME
       and SWH_AUTH_CLIENT_ID in django settings
    
     - adding swh.auth.django.views.urlpatterns to the django application URLs
    
     - using the dedicated django views: "oidc-login" and "oidc-logout"
    
    Related to T3150

See https://jenkins.softwareheritage.org/job/DAUTH/job/tests-on-diff/64/ for more details.