# VMP Authentication

Package for authentication in cloud micro-services. Works with aiohttp and Django.

To install it, add the following line to your `requirements.txt`, choosing the extra that matches your framework:

Aiohttp:

`git+https://git.otvs.tv/api-services/python-packages/vmp-authentication@#egg=vmp_authentication[aiohttp]`

Django:

`git+https://git.otvs.tv/api-services/python-packages/vmp-authentication@#egg=vmp_authentication[django]`

# Development

1. Make sure you have docker and docker-compose installed and ready to use.
2. Clone the repository:

   ```bash
   git clone git@git.otvs.tv:api-services/python-packages/vmp-authentication.git
   ```

3. Build and run the tests:

   ```bash
   docker-compose up --build
   ```

# Using middleware for authentication

## Aiohttp

Example usage:

```python
import vmp_authentication.aiohttp.middleware as authentication_middleware
import vmp_authentication.aiohttp.authentication_backends as authentication_backends
from aiohttp import web
# Assumed: `keyio` (and its KeyJar) comes from pyoidc. Adjust the import if
# your service obtains the key jar from somewhere else.
from oic.utils import keyio

app = web.Application()
# Application config populated by the service before this point. The example
# expects `config.entitlement.*` and `config.oidc.*` settings to exist.
config = app['config']

common_backend_opts = dict(
    # note: In local development we use only http so in such environment
    # we need to disable SSL verification on public keys discovery.
    key_jar=keyio.KeyJar(verify_ssl=config.entitlement.verify_ssl),
    # DEBT: We don't know how to handle audiences yet for Entitlement.
    # DEBT: With Aiakos we can't control the audience so we don't
    # verify it
    jose_options={'verify_aud': False},
)

# Backends are tried in list order; the first one that recognises the
# request's credentials handles authentication.
backends = [
    # 1: Entitlement cookie takes precedence over all auth schemes.
    authentication_backends.TVCloudEntitlementCookie(
        trusted_issuers=config.entitlement.trusted_issuers,
        **common_backend_opts,
    ),
    # 2: Next are PET tokens in Token Bearer auth as we can differentiate
    # them easily from OIDC JWT Access Tokens in Token Bearer auth.
    authentication_backends.TVCloudEntitlementBearer(
        trusted_issuers=config.entitlement.trusted_issuers,
        **common_backend_opts,
    ),
    # 3: Last are OIDC JWT Access Tokens in Token Bearer.
    authentication_backends.TVCloudAccessTokenBearer(
        trusted_issuers=config.oidc.trusted_issuers,
        # DEBT: With Aiakos we can't control the audience so we don't
        # verify it.
        jose_options={'verify_aud': False},
    ),
]

app.middlewares.append(
    authentication_middleware.authentication_middleware_factory(backends)
)
```

## Django

We use the `drf-oidc-auth` library as a basis for authenticating users in DRF-based services. It is included by default in this package's requirements, which means that the [documentation of drf-oidc-auth] applies here when configuring the authentication. `dja-toolkit` also includes some custom modifications to authentication classes that are not included upstream.

The following is an example auth configuration that enables both cookie-based and header-based JWT authentication:

```python
REST_FRAMEWORK = DJA_TOOLKIT_REST_FRAMEWORK  # Look for this in dja_toolkit package
REST_FRAMEWORK.update(
    {
        'DEFAULT_AUTHENTICATION_CLASSES': (
            'vmp_authentication.django.AuthBakerEntitlementCookieAuthentication',
            'vmp_authentication.django.AuthBakerEntitlementHeaderAuthentication',
            'vmp_authentication.django.authentication.A4DEntitlementHeaderAuthentication',
        ),
    }
)

OIDC_AUTH = {
    # Here we use url of auth-baker instance deployed in the same environment.
    # Configuration will be automatically done based on the discovery document found
    # at /.well-known/openid-configuration
    'OIDC_ENDPOINT': 'https://url-to-auth-baker',

    # Function that resolves token into user. This function receives a
    # request and token dict and expects to return a User object.
    # For our services it is recommended to use the
    # `dja_toolkit.auth.authentication.claims_as_user` as it always returns
    # authenticated user object that gives access to users' claims.
    'OIDC_RESOLVE_USER_FUNCTION': 'vmp_authentication.django.user_resolver.claims_as_user',

    # Number of seconds in the past valid tokens can be issued. This is only
    # to account for clock skews. Keep it small like seconds (default 600).
    'OIDC_LEEWAY': 10,

    # Time before signing keys will be refreshed (default 24 hrs)
    'OIDC_JWKS_EXPIRATION_TIME': 24 * 60 * 60,

    # Token prefix in JWT authorization header (default 'JWT', we use `Bearer`)
    'JWT_AUTH_HEADER_PREFIX': 'Bearer',

    # Cookie name used in cookie-based JWT authentication
    'JWT_COOKIE_NAME': 'TVCloudAccessToken',
}
```
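Both the aiohttp backends (`trusted_issuers`, `jose_options={'verify_aud': False}`) and the Django settings (`OIDC_LEEWAY`) control the same three claim checks: is the issuer one we trust, are the time claims valid within a small clock-skew allowance, and does the audience match. The example below is added here to make those checks concrete; it is not code from this package, pyoidc or drf-oidc-auth. It only inspects claims of a token whose signature is assumed to have already been verified against the issuer's published keys (the key jar's job), the issuer URL and tokens are constructed test values, and the leeway is applied as a plain clock-skew tolerance on `exp`, `iat` and `nbf` rather than reproducing drf-oidc-auth's exact rule for `OIDC_LEEWAY`.

```python
import base64
import json
import time

# Constructed settings mirroring the README's configuration keys.
TRUSTED_ISSUERS = {"https://auth-baker.internal"}  # constructed, not a real deployment
LEEWAY_SECONDS = 10                                 # same order of magnitude as OIDC_LEEWAY


def decode_claims(token):
    """Return the JWT payload as a dict. Does NOT verify the signature;
    that must already have been done with the issuer's keys."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def validate_claims(claims, trusted_issuers, now=None, leeway=LEEWAY_SECONDS,
                    verify_aud=True, expected_aud=None):
    """Issuer, time and audience checks. Returns (True, "ok") or (False, reason)."""
    now = time.time() if now is None else now

    # Issuer pinning: a validly signed token from an unknown issuer is still rejected.
    iss = claims.get("iss")
    if iss not in trusted_issuers:
        return False, "untrusted issuer"

    # Time claims, each tolerating `leeway` seconds of clock skew between hosts.
    exp = claims.get("exp")
    if exp is None or now > exp + leeway:
        return False, "token expired"
    iat = claims.get("iat")
    if iat is not None and iat > now + leeway:
        return False, "token issued in the future"
    nbf = claims.get("nbf")
    if nbf is not None and now + leeway < nbf:
        return False, "token not yet valid"

    # Audience: the README disables this (verify_aud=False) because the
    # audience cannot be controlled with Aiakos; enable it wherever it can be.
    if verify_aud:
        aud = claims.get("aud")
        audiences = aud if isinstance(aud, list) else [aud]
        if expected_aud not in audiences:
            return False, "audience mismatch"
    return True, "ok"


def check_token(token, trusted_issuers=TRUSTED_ISSUERS, **options):
    """Decode and validate in one step; mirrors what a backend does after signature checks."""
    return validate_claims(decode_claims(token), trusted_issuers, **options)


def make_test_token(claims):
    """Build a token-shaped string for tests. The signature segment is a
    placeholder; real tokens are signed by the issuer (constructed input only)."""
    def segment(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{segment({'alg': 'RS256', 'typ': 'JWT'})}.{segment(claims)}.placeholder"


if __name__ == "__main__":
    now = int(time.time())
    token = make_test_token({"iss": "https://auth-baker.internal", "sub": "user-1",
                             "iat": now - 5, "exp": now + 300, "aud": "vmp-service"})
    print(check_token(token, now=now, expected_aud="vmp-service"))     # (True, 'ok')
    print(check_token(token, now=now, expected_aud="other-service"))   # audience mismatch
    print(check_token(token, now=now, verify_aud=False))                # verify_aud off: ok
```

The `verify_aud=False` path reproduces the trade-off the comments in both configurations describe: a token minted for one service is then accepted by every service that trusts the same issuer, so the issuer list and the leeway are the only checks left standing and should be kept as tight as the deployment allows.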