Untitled

From Filip, 7 Months ago, written in Plain Text.

Embed

Download Paste or View Raw
Hits: 430

Please rewrite this README.md file to be longer and nicer

# VMP Authentication

Package for authentication in cloud micro-services.

Works with aiohttp and django.

To install it add following line to your requirements.txt:

Aiohttp:

`git+https://git.otvs.tv/api-services/python-packages/vmp-authentication@<SPECIFIY_VERSION_HERE>#egg=vmp_authentication[aiohttp]`

Django:

`git+https://git.otvs.tv/api-services/python-packages/vmp-authentication@<SPECIFIY_VERSION_HERE>#egg=vmp_authentication[django]`

# Development

1. Make sure you have docker and docker-compose installed and ready to use.

2. Clone repository

```bash

git clone [email protected]:api-services/python-packages/vmp-authentication.git

```

3. Build and run tests.

```bash

docker-compose up --build

```

# Using middleware for authentication

## Aiohttp

Example usage:

```python

import vmp_authentication.aiohttp.middleware as authentication_middleware

import vmp_authentication.aiohttp.authentication_backends as authentication_backends

from aiohttp import web

app = web.Application()

config = app['config']

common_backend_opts = dict(

# note: In local development we use only http so in such environment

# we need to disable SSL verification on public keys discovery.

key_jar=keyio.KeyJar(verify_ssl=config.entitlement.verify_ssl),

# DEBT: We don't know how to handle audiences yet for Entitlement.

# DEBT: With Aiakos we can't control the audience so we don't

# verify it

jose_options={'verify_aud': False},

)

backends = [

# 1: Entitlement cookie takes precedence over all auth schemes.

authentication_backends.TVCloudEntitlementCookie(

trusted_issuers=config.entitlement.trusted_issuers,

**common_backend_opts,

),

# 2: Next are PET tokens in Token Bearer auth as we can differentiate

# them easily from OIDC JWT Access Tokens in Token Bearer auth.

authentication_backends.TVCloudEntitlementBearer(

trusted_issuers=config.entitlement.trusted_issuers,

**common_backend_opts,

),

# 3: Last are OIDC JWT Access Tokens in Token Bearer.

authentication_backends.TVCloudAccessTokenBearer(

trusted_issuers=config.oidc.trusted_issuers,

# DEBT: With Aiakos we can't control the audience so we don't

# verify it.

jose_options={'verify_aud': False},

),

]

app.middlewares.append(authentication_middleware.authentication_middleware_factory(backends))

```

## Django

We use `drf-oidc-auth` library as a basis for authenticating users in

DRF-based services. It is included by default in this package requirements and

it means that [documentation of drf-oidc-auth] aplies here when consiguring the

authentication. `dja-toolkit` also includes some custom modifications to

authentication classes that are not included upstream.

Following is example auth configuration that enables both cookie-based and

header-based JWT authentication:

```python

REST_FRAMEWORK = DJA_TOOLKIT_REST_FRAMEWORK # Look for this in dja_toolkit package

REST_FRAMEWORK.update(

{

'DEFAULT_AUTHENTICATION_CLASSES': (

'vmp_authentication.django.AuthBakerEntitlementCookieAuthentication',

'vmp_authentication.django.AuthBakerEntitlementHeaderAuthentication',

'vmp_authentication.django.authentication.A4DEntitlementHeaderAuthentication',

),

}

)

OIDC_AUTH = {

# Here we use url of auth-baker instance deployed in the same environment.

# Configuration will be automatically done based on the discovery document found

# at <endpoint>/.well-known/openid-configuration

'OIDC_ENDPOINT': 'https://url-to-auth-baker',

# Function that resolves token into user. This function receives a

# request and token dict and expects to return a User object.

# For our services it is recommended to use the

# `dja_toolkit.auth.authentication.claims_as_user` as it always returns

# authenticated user object that gives access to users' claims.

'OIDC_RESOLVE_USER_FUNCTION': 'vmp_authentication.django.user_resolver.claims_as_user',

# Number of seconds in the past valid tokens can be issued. This is only

# to account for clock skews. Keep it small like seconds (default 600).

'OIDC_LEEWAY': 10,

# Time before signing keys will be refreshed (default 24 hrs)

'OIDC_JWKS_EXPIRATION_TIME': 24 * 60 * 60,

# Token prefix in JWT authorization header (default 'JWT', we use `Bearer`)

'JWT_AUTH_HEADER_PREFIX': 'Bearer',

# Cookie name used in cookie-based JWT authentication

'JWT_COOKIE_NAME': 'TVCloudAccessToken',

}

```

Author

Title

Language

Your paste - Paste your paste here

Please rewrite this README.md file to be longer and nicer

# VMP Authentication
Package for authentication in cloud micro-services.
Works with aiohttp and django.

To install it add following line to your requirements.txt:
Aiohttp:
`git+https://git.otvs.tv/api-services/python-packages/vmp-authentication@&lt;SPECIFIY_VERSION_HERE&gt;#egg=vmp_authentication[aiohttp]`

Django:
`git+https://git.otvs.tv/api-services/python-packages/vmp-authentication@&lt;SPECIFIY_VERSION_HERE&gt;#egg=vmp_authentication[django]`

# Development

1. Make sure you have docker and docker-compose installed and ready to use.
2. Clone repository
    ```bash
    git clone git@git.otvs.tv:api-services/python-packages/vmp-authentication.git
    ```

3. Build and run tests.
    ```bash
    docker-compose up --build
    ```

# Using middleware for authentication

## Aiohttp
Example usage:
```python
import vmp_authentication.aiohttp.middleware as authentication_middleware
import vmp_authentication.aiohttp.authentication_backends as authentication_backends
from aiohttp import web

app = web.Application()

config = app['config']

common_backend_opts = dict(
    # note: In local development we use only http so in such environment
    #       we need to disable SSL verification on public keys discovery.
    key_jar=keyio.KeyJar(verify_ssl=config.entitlement.verify_ssl),
    # DEBT: We don't know how to handle audiences yet for Entitlement.
    # DEBT: With Aiakos we can't control the audience so we don't
    #       verify it
    jose_options={'verify_aud': False},
)

backends = [
    # 1: Entitlement cookie takes precedence over all auth schemes.
    authentication_backends.TVCloudEntitlementCookie(
        trusted_issuers=config.entitlement.trusted_issuers,
        **common_backend_opts,
    ),

# 2: Next are PET tokens in Token Bearer auth as we can differentiate
    #    them easily from OIDC JWT Access Tokens in Token Bearer auth.
    authentication_backends.TVCloudEntitlementBearer(
        trusted_issuers=config.entitlement.trusted_issuers,
        **common_backend_opts,
    ),

# 3: Last are OIDC JWT Access Tokens in Token Bearer.
    authentication_backends.TVCloudAccessTokenBearer(
        trusted_issuers=config.oidc.trusted_issuers,
        # DEBT: With Aiakos we can't control the audience so we don't
        #       verify it.
        jose_options={'verify_aud': False},
    ),
]

app.middlewares.append(authentication_middleware.authentication_middleware_factory(backends))
```

## Django

We use `drf-oidc-auth` library as a basis for authenticating users in
DRF-based services. It is included by default in this package requirements and
it means that [documentation of drf-oidc-auth] aplies here when consiguring the
authentication. `dja-toolkit` also includes some custom modifications to
authentication classes that are not included upstream.

Following is example auth configuration that enables both cookie-based and
header-based JWT authentication:

```python
REST_FRAMEWORK = DJA_TOOLKIT_REST_FRAMEWORK # Look for this in dja_toolkit package
REST_FRAMEWORK.update(
    {
        'DEFAULT_AUTHENTICATION_CLASSES': (
            'vmp_authentication.django.AuthBakerEntitlementCookieAuthentication',
            'vmp_authentication.django.AuthBakerEntitlementHeaderAuthentication',
            'vmp_authentication.django.authentication.A4DEntitlementHeaderAuthentication',
        ),
    }
)

OIDC_AUTH = {
    # Here we use url of auth-baker instance deployed in the same environment.
    # Configuration will be automatically done based on the discovery document found
    # at &lt;endpoint&gt;/.well-known/openid-configuration
    'OIDC_ENDPOINT': 'https://url-to-auth-baker',

# Function that resolves token into user. This function receives a
    # request and token dict and expects to return a User object.
    # For our services it is recommended to use the
    # `dja_toolkit.auth.authentication.claims_as_user` as it always returns
    # authenticated user object that gives access to users' claims.
    'OIDC_RESOLVE_USER_FUNCTION': 'vmp_authentication.django.user_resolver.claims_as_user',

# Number of seconds in the past valid tokens can be issued. This is only
    # to account for clock skews. Keep it small like seconds (default 600).
    'OIDC_LEEWAY': 10,

# Time before signing keys will be refreshed (default 24 hrs)
    'OIDC_JWKS_EXPIRATION_TIME': 24 * 60 * 60,

# Token prefix in JWT authorization header (default 'JWT', we use `Bearer`)
    'JWT_AUTH_HEADER_PREFIX': 'Bearer',
    # Cookie name used in cookie-based JWT authentication
    'JWT_COOKIE_NAME': 'TVCloudAccessToken',
}
```

Private - Private paste aren't shown in recent listings.

Delete After - When should we delete your paste?

Spam protection -

Reply to "Untitled"