I wish to implement a custom OAuth flow/grant which requires me to create my own IDP. I did that before in .NET using IdentityServer but now the requirement is for a Python service.
Is there any Python equivalent for IdentityServer, with regard to extensibility and popularity?
Is there any Python OIDC package that you recommend I use (again, it should be extensible enough so I can create my own grant types)?
Thanks!
Related
I'm setting up an application in Python that connects to HBase with Thrift. This Thrift connection uses Kerberos as authentication with a service account. I need the Python application to connect impersonating the user, because my company uses Kerberos with AD groups to restrict access to the tables on HBase.
This is a Python 2.7 Flask application running on Linux.
I was taking a look at kerberos default library
https://github.com/apple/ccs-pykerberos/blob/master/pysrc/kerberos.py
and at line 159 I found this:
#param delegated: Optional server context containing delegated credentials
But I'm not familiar with how to use these credentials.
I just want to be able to connect to HBase using impersonation.
Thanks.
P.S.: I don't have much familiarity with Kerberos, so sorry for any misconceptions.
First you need to familiarize yourself with the concepts of delegation and constrained delegation. These are 2 different ways that Kerberos supports for "impersonation".
Short version: I recommend constrained delegation because it's more restricted. The only python library that I've been able to find that definitely supports constrained delegation is python-gssapi. I use this to impersonate users using constrained delegation and it works nicely.
Long version: There isn't a way to use Kerberos successfully without having a pretty good understanding of how it works at a high level. It isn't like anything else. You must first familiarize yourself with the essential concepts of Kerberos: tickets, principals, the KDC etc. Then, when you understand the language of Kerberos, you need to get familiar with the elements of the GSSAPI, and how they map to the Kerberos concepts you've learned. AFAIK, any python library you find out there for Kerberos is probably going to be a wrapper around the MIT krb5 libraries, which implement the GSSAPI spec. This is why I like the python-gssapi library: because it maps fairly closely to the underlying MIT libraries. That means I can usually figure out how to do stuff using the MIT documentation, and I can usually get help from the MIT mailing list if necessary.
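A sketch of the constrained-delegation flow with python-gssapi, added here as an example and not taken from the answer's own code. It assumes the service account's keytab is named by `KRB5_CLIENT_KTNAME` and that the KDC allows this account to delegate to the target service; the function name, the `gss` parameter (a hook for substituting the module) and the principals are hypothetical.

```python
def impersonated_context(user, target_service, gss=None):
    """Return (context, first GSS token) for target_service on behalf of user."""
    if gss is None:
        import gssapi as gss  # python-gssapi, a wrapper over the MIT krb5 GSSAPI

    # The service account's own initiator credentials, taken from its keytab.
    service_creds = gss.Credentials(usage="initiate")

    # S4U2Self: obtain credentials for the user without the user's password.
    user_name = gss.Name(user, gss.NameType.kerberos_principal)
    user_creds = service_creds.impersonate(name=user_name)

    # S4U2Proxy: the KDC issues a ticket for the target only if this service
    # account is permitted to delegate to it (the "constrained" part).
    target = gss.Name(target_service, gss.NameType.hostbased_service)
    ctx = gss.SecurityContext(name=target, creds=user_creds, usage="initiate")
    token = ctx.step()  # first token to hand to the transport's GSSAPI/SASL layer
    return ctx, token


if __name__ == "__main__":
    # Constructed principals; a real KDC and keytab are required to run this.
    ctx, token = impersonated_context("alice@EXAMPLE.COM", "hbase@hbase1.example.com")
    print(len(token), "byte initial token")
```

If the KDC does not allow the delegation, python-gssapi raises a `GSSError` from `impersonate()` or `step()`, which is the failure to log and alert on.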
What is an alternative to Firebase for user management/auth for Python apps? I know I can use node.js w/ Firebase, but I would rather authenticate users through a managed 3rd party API in Python using HTTPS requests, if possible. Appery.io has this feature, but I do not need all that comes with Appery.io.
Check out Amazon Cognito. They offer a quite nice package for small projects. Backendless is also a fantastic service, providing authentication and database with very helpful documentation and also SDKs for different platforms including iOS, Android, JavaScript, REST API, Angular, React and React Native. I have been using Backendless for a couple of months and I highly recommend you use it, too.
If you're looking for a self-hosted solution, Keycloak is a pretty robust option. If you want a service, Auth0 and Okta have quite a lot of features. They also offer a free tier with reasonable limits.
You could try using Auth0 for pure authentication management. The Auth0 python package can be found here.
I'm new to SSO and I've only tried pysaml2 so far.
I am also aware of python3-saml library (and its python-saml Python 2 flavour).
I need to use one of those with Shibboleth, if it is relevant.
What are the pros and cons of pysaml2 and python3-saml?
Update:
As of 2019, I still find python3-saml to be the best option if you need to implement an SP. It is not flawless (sorry #smartin, hehe), but it will give you much less headache than pysaml2.
Both projects are compatible with Shibboleth.
pysaml2 is older than python3-saml, right now both support py2 and py3. Both are kinda active and documented.
python3-saml follows the structure of OneLogin's SAML toolkit, so if you have used any other toolkit before (php-saml, ruby-saml, java-saml), it will be easy for you to handle (similar methods, same settings).
Differences
Crypto:
pysaml2 uses pycryptodome as a dependency to handle cryptography and implements its own xmldsig and xmlenc classes (to manipulate signatures and encryption on XMLs).
python3-saml uses python-xmlsec as a dependency and delegates the signature/encryption of XML elements to it.
Functionality:
pysaml2 lets you deploy an Identity Provider or a Service Provider
python3-saml is focused on the Service Provider
Settings:
In my opinion, python3-saml is easier than pysaml2; settings are more precise, and its repo contains code examples on how to integrate a Django or a Flask app and a guide in the docs.
Note: I'm the author of python3-saml
I'm new to Azure. I see that a new API/abstraction has been released called Azure Resource Manager, which will supersede the older Azure service management:
I was trying to spin up an instance using the Azure Python SDK, but I see the SDK still using the older concepts (affinity groups, virtual networks, hosted services). There is no mention of resource groups. Is this supported? If not, when will this be added to the SDK?
Per my experience, currently Python SDK doesn't provide packages for new Azure Resource Manager APIs while it provides components, i.e. ServiceManagement, Storage, and ServiceBus. Please feel free to submit your ideas and feedback on https://github.com/Azure/azure-sdk-for-python/issues.
You might want to take a look at the azure-mgmt collection of packages, which use the new Resource Manager APIs.
I need to write a script in python to check a webpage, which is protected by kerberos. Is there any possibility to do this from within python and how? The script is going to be deployed on a linux environment with python 2.4.something installed.
dertoni
I think that python-krbV and most Linux distributions also have a python-kerberos package. For example, Debian has one of the same name. Here's the documentation on it
Extract from link:
"This Python package is a high-level wrapper for Kerberos (GSSAPI)
operations. The goal is to avoid having to build a module that wraps
the entire Kerberos.framework, and instead offer a limited set of
functions that do what is needed for client/server Kerberos
authentication based on http://www.ietf.org/rfc/rfc4559.txt. "
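The client side of the RFC 4559 exchange the quoted package description refers to, added here as an example and not taken from the answer or the package's documentation. It uses the python-kerberos client calls `authGSSClientInit`, `authGSSClientStep` and `authGSSClientResponse`; the helper names and the `krb` parameter are hypothetical, it is written for Python 3, and it assumes a ticket already obtained with `kinit`.

```python
import base64


def parse_negotiate(www_authenticate):
    """Return the base64 GSS token of a Negotiate challenge.

    '' means a bare "Negotiate" challenge; None means the scheme is not offered.
    """
    for challenge in www_authenticate.split(","):
        parts = challenge.strip().split(None, 1)
        if parts and parts[0].lower() == "negotiate":
            token = parts[1].strip() if len(parts) > 1 else ""
            base64.b64decode(token, validate=True)  # reject malformed tokens
            return token
    return None


def client_authorization(host, www_authenticate, krb=None):
    """Answer a 401 challenge; returns (Authorization header value, context)."""
    if krb is None:
        import kerberos as krb  # python-kerberos (GSSAPI wrapper)
    token = parse_negotiate(www_authenticate)
    if token is None:
        raise ValueError("server did not offer Negotiate")
    _, ctx = krb.authGSSClientInit("HTTP@" + host)  # service principal HTTP/host
    krb.authGSSClientStep(ctx, token)
    return "Negotiate " + krb.authGSSClientResponse(ctx), ctx


def server_authenticated(ctx, www_authenticate, krb=None):
    """Mutual authentication: feed the server's final token back into the context."""
    if krb is None:
        import kerberos as krb
    token = parse_negotiate(www_authenticate or "")
    if not token:
        return False  # no final token, so the server was never verified
    return krb.authGSSClientStep(ctx, token) == krb.AUTH_GSS_COMPLETE
```

Send the returned header value as `Authorization` on the retried request, then pass the `WWW-Authenticate` header of the successful response to `server_authenticated` before trusting the page content.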