# VMP Authentication
Package for authentication in cloud micro-services.
Works with aiohttp and Django.

To install it, add the following line to your requirements.txt, choosing the extra that matches your framework:

Aiohttp:

`git+https://git.otvs.tv/api-services/python-packages/vmp-authentication@<SPECIFY_VERSION_HERE>#egg=vmp_authentication[aiohttp]`

Django:

`git+https://git.otvs.tv/api-services/python-packages/vmp-authentication@<SPECIFY_VERSION_HERE>#egg=vmp_authentication[django]`
# Development
1. Make sure you have docker and docker-compose installed and ready to use.
2. Clone the repository.
3. Build the image and run the tests:

```bash
docker-compose up --build
```
# Using middleware for authentication
## Aiohttp
Example usage (the backends are tried in list order, so the order expresses precedence):

```python
from aiohttp import web
# KeyJar discovers and caches the issuers' public signing keys. The import
# path below is the pyoidc one and is assumed here; adjust it if your project
# obtains KeyJar from elsewhere.
from oic.utils import keyio

import vmp_authentication.aiohttp.authentication_backends as authentication_backends
import vmp_authentication.aiohttp.middleware as authentication_middleware

app = web.Application()
# The service's settings object must already have been stored under
# app['config'] before the middleware is configured.
config = app['config']

common_backend_opts = dict(
    # note: In local development we use only http, so in such an environment
    # we need to disable SSL verification on public key discovery.
    key_jar=keyio.KeyJar(verify_ssl=config.entitlement.verify_ssl),
    # DEBT: We don't know how to handle audiences yet for Entitlement.
    # DEBT: With Aiakos we can't control the audience so we don't
    # verify it.
    jose_options={'verify_aud': False},
)

backends = [
    # 1: Entitlement cookie takes precedence over all auth schemes.
    authentication_backends.TVCloudEntitlementCookie(
        trusted_issuers=config.entitlement.trusted_issuers,
        **common_backend_opts,
    ),
    # 2: Next are PET tokens in Bearer token auth, as we can differentiate
    # them easily from OIDC JWT Access Tokens in Bearer token auth.
    authentication_backends.TVCloudEntitlementBearer(
        trusted_issuers=config.entitlement.trusted_issuers,
        **common_backend_opts,
    ),
    # 3: Last are OIDC JWT Access Tokens in Bearer token auth.
    authentication_backends.TVCloudAccessTokenBearer(
        trusted_issuers=config.oidc.trusted_issuers,
        # DEBT: With Aiakos we can't control the audience so we don't
        # verify it.
        jose_options={'verify_aud': False},
    ),
]

app.middlewares.append(
    authentication_middleware.authentication_middleware_factory(backends)
)
```
## Django
We use the `drf-oidc-auth` library as the basis for authenticating users in
DRF-based services. It is included by default in this package's requirements,
so the [documentation of drf-oidc-auth] applies here when configuring
authentication. `dja-toolkit` also includes some custom modifications to the
authentication classes that are not included upstream.

The following is an example auth configuration that enables both cookie-based and
header-based JWT authentication:
```python
# DJA_TOOLKIT_REST_FRAMEWORK is provided by the dja_toolkit package; import it
# from there before using it here.
REST_FRAMEWORK = DJA_TOOLKIT_REST_FRAMEWORK
REST_FRAMEWORK.update(
    {
        'DEFAULT_AUTHENTICATION_CLASSES': (
            'vmp_authentication.django.AuthBakerEntitlementCookieAuthentication',
            'vmp_authentication.django.AuthBakerEntitlementHeaderAuthentication',
            'vmp_authentication.django.authentication.A4DEntitlementHeaderAuthentication',
        ),
    }
)

OIDC_AUTH = {
    # Here we use the URL of the auth-baker instance deployed in the same environment.
    # Configuration is done automatically from the discovery document found
    # at <endpoint>/.well-known/openid-configuration
    'OIDC_ENDPOINT': 'https://url-to-auth-baker',
    # Function that resolves a token into a user. It receives the request and
    # the token dict and must return a User object. For our services it is
    # recommended to use `dja_toolkit.auth.authentication.claims_as_user`, as it
    # always returns an authenticated user object that gives access to the
    # user's claims.
    'OIDC_RESOLVE_USER_FUNCTION': 'vmp_authentication.django.user_resolver.claims_as_user',
    # Number of seconds in the past that valid tokens may have been issued. This
    # only accounts for clock skew, so keep it small, a few seconds (default 600).
    'OIDC_LEEWAY': 10,
    # Time before signing keys are refreshed (default 24 hrs)
    'OIDC_JWKS_EXPIRATION_TIME': 24 * 60 * 60,
    # Token prefix in the JWT Authorization header (default 'JWT'; we use 'Bearer')
    'JWT_AUTH_HEADER_PREFIX': 'Bearer',
    # Cookie name used in cookie-based JWT authentication
    'JWT_COOKIE_NAME': 'TVCloudAccessToken',
}
```
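Both configurations above boil down to the same claim checks on a decoded token: the issuer must be in `trusted_issuers`, time claims are compared with a small clock-skew allowance (`OIDC_LEEWAY`), and the audience is checked unless `verify_aud` is switched off. The following is an added illustration of those checks, not code from this package: it assumes the signature has already been verified against the issuer's JWKS, and the issuers, audience and claim values are constructed sample data.

```python
import time

# Constructed sample values (not taken from the package or its deployments).
TRUSTED_ISSUERS = ("https://auth-baker.example.test", "https://aiakos.example.test")
EXPECTED_AUD = "vmp-api"


def validate_claims(claims, trusted_issuers, expected_aud=None,
                    verify_aud=True, leeway=10, now=None):
    """Check iss/exp/nbf/iat/aud of an already signature-verified JWT payload.

    Returns (True, None) when the token is accepted, (False, reason) otherwise.
    `leeway` plays the role of OIDC_LEEWAY: seconds of clock skew tolerated in
    both directions, so keep it to a few seconds. `verify_aud=False` mirrors
    jose_options={'verify_aud': False}: a token minted for a different service
    then passes, which is why the README records that setting as debt.
    """
    now = time.time() if now is None else now
    if claims.get("iss") not in trusted_issuers:
        return False, "untrusted issuer"
    exp = claims.get("exp")
    if exp is None or now > exp + leeway:
        return False, "expired"
    nbf = claims.get("nbf")
    if nbf is not None and now + leeway < nbf:
        return False, "not yet valid"
    iat = claims.get("iat")
    if iat is not None and iat > now + leeway:
        return False, "issued in the future"
    if verify_aud:
        aud = claims.get("aud")
        # aud may be a single string or a list of audiences.
        auds = aud if isinstance(aud, list) else [aud]
        if expected_aud not in auds:
            return False, "audience mismatch"
    return True, None
```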