I need a modern looking forum solution that is self hosted (to go with a django project)
The only reasonable thing I can see using is discourse, but that gives me a problem... How can I take care of auth between the two? It will need to be slightly deeper than just auth because I will need a few User tables in my django site as well.
I have been reading about some SSO options, but I am unclear on how to appraoch the problem down the road. here is the process that I have roughly in my head... Let me know if it sounds coherent...
Use Discourse auth (since it already has social auth and profiles and a lot of user tables.
Make some SSO hook for django so that it will accept the Discourse login
Upon account creation of the Discourse User, I will send (from the discourse instance) an API request that will create a user in my django instance with the proper user tables for my django site.
Does this sound like a good idea?
That sounds plausible. To make sure a user is logged in to both, you may put one of the auths in front of the other. For example, if discourse is in front of Django, you can use something like the builtin RemoteUserMiddleware.
In general, if they are going to be hosted on different domains, take a look at JWT. It has been gainining ground to marry different services and the only thing you need is to be able to decode the JWT token, which a lot of languages have nowadays in the form of libraries.
Related
I have got an Django application that uses the RemoteUserBackend in combination with Apache and mod_auth_kerb to authenticate against Kerberos.
However, this has some drawbacks:
There is no proper logout without closing the browser tab. You may click "Logout" in your Django application, but I would expect to be asked for my credentials when I try to log in again - the latter is not the case. (Side note: It is quite possible for my application that two users want to log in one after another, which increases the lack of comfort and may be problematic when one users performs actions with the other user's rights.)
The application is currently tailored to the Apache/RemoteUser solution, so it does provide no flexibility to switch over to other authentication methods, e.g. authentication against the Django database. The possibility to use alternative authentication methods would also ease the development of the application.
That said, I would like to use a form-based authentication (username/password). This would move the control for the authentication to Django, so login/logout should work properly then. Also, this form could be used as well with different authentication backends, without a need to modify the GUI.
How can this be done? Is there already a solution to this or a project that adresses my issue? Most implementations I saw like the ones in the answers here just use Apache or an LDAP authentication, but not Kerberos.
Related, but unanswered question: Django user logout with remote authentication
Sorry this is delayed. I am the author of the above recommended Kerberos + Django post (roguelynn.com).
For your first issue, take a look at kobo: https://fedorahosted.org/kobo/ - it uses Kerberos + RemoteUserBackend + Apache with Django, but implements a logout mechanism (in kobo/django/xmlrpc/auth.py: https://git.fedorahosted.org/cgit/kobo.git/tree/kobo/django/xmlrpc/auth.py).
http://www.roguelynn.com/words/django-custom-user-models/
That blog post explains quite nicely how to use Kerberos as a Django 1.5 backend authenticator. Hot off the presses as of May 15th. She's got a bunch of nice kerberos examples.
For posterity's sake just in case the blog goes away someday, the author stores her blog posts as static files in her github repo.
https://github.com/econchick/roguelynn/blob/master/_posts/
It seems like the security model fits very small projects, but that it is probably not feasible to write all possible registered users' hashed passwords in security.py. Do you know any examples of scaling up Pyramid's authentication, or are there any benefits to calling through Pyramid's security scheme into my own database of security information?
I dont think the size of the project is related to the security model. Either you want a simple or a complex security model. Both can be applied to projects of any size. One of Pyramid's strong points is its extensibility.
Why would you store hashed passwords in security.py? (cmiiw here, I probably misunderstood) If you read this on someone's code, that's probably just an example. In real apps, you save them in a storage/persistence system of your choice.
Again, I don't understand what you mean by "scaling up authentication". My guess is you want some working examples:
tutorial from the docs
shootout application: small and good example with forms
pyramid auth demo: complex/granular/row-level permission
pyramid apex: 3rd party auth (google, twitter, etc) with velruse, forms etc
pyramid registration: unfinished library; you can steal some ideas from it
No idea what your needs are or what you mean by "scaling up security", but pyramids authentication policy is very flexible. You need to understand though that it doesn't maintain users and passwords it merely provides a mechanism for obtaining a user identifier from the incoming request. For example, the AuthTktAuthenticationPolicy keeps track of the user id by cookie that you set using the remember method.
What meaningful information you derive from that user id is totally up to you and is application specific.
So really the question you may want to ask is can your application "scale up security".
I can't show you code because it's proprietary but I've needed to support openid, http auth and your typical db backed user store on the same application, with the extra added complication that users are stored in different database shards and the shard can't be immediately determined. It takes very little code to support this.
I ended up building something for myself that makes authentication a little easier if you happen to be using MongoDB.
https://github.com/mosesn/mongauth
It isn't built into pyramid, but hooks in easily enough. Everything is pretty transparent.
I am looking for a generic Tell a Friend application in django which will allow my website users to invite and tell about website features to one's mail or social networking friends by sending invitation email to join the website....
Any suggestion will help...
Thanks in advance...
This isn't Django, but you might consider a remotely-hosted application like ShareThis.
Otherwise, you could make use of this code, and add parameters (such as name and email address) into the URL where possible / necessary. In any case, I'm not aware of a Django-specific solution that integrates with the CMS out of the box - you might have to do it yourself, at least partly.
There's a reusable app at github called django-tellafriend.
Haven't used it myself. In the essence however it shouldn't be to hard to roll your own app for this if you have special requirements. Basically you need a form and send out an email if it's valid. If you want to keep track of the you can store the information using a simple model.
Connecting to social networks might be a little trickier, but there are also a few django apps for this like django-facebook and django-social-auth.
I am considering a 3rd part Authentication system for logging in (new/old) users. Much like how StackOverflow authenticates it's users. This scheme is good as it frees me from doing authentication from my side. I need this -
Login using Google, Facebook, Twitter, Yahoo, OpenID Authentication Systems.
Provide the same user logged in functionality as the default django auth system i.e. #login_required decorators should work
There seem to be some number of Django-apps out there which claim to solve this problem. Which ones are good?
Ex. Django-SocialAuth, django-openid-auth
For an all-in-one solution, I had good results with django-socialregistration. It has auth backends for Twitter, Facebook and OpenID (Google, Yahoo!, ...).
Another possibility would be JanRain Engage (formerly RPX) which provides a single point of authentication for all the major authentication providers. There's a 3rd party django app for it, but I can't say anything about its quality.
If you want something simple try this
those are actually auth backends.
In other words, you're still using django.contrib.auth - you're just loading an extension to it.
Auth backends are pretty easy to write, so I would just take a look at the docs and then see if the code looks like something you'd be comfortable working on (for each candidate for a backend).
If you're afraid to change your codebase, you're in trouble.
What are the pros and cons of using open id vs auth? Shoud I do both?
That depends whether you want to support Open ID. As to the reasons behind Open ID, in my view the most compelling one is that it avoids requiring your users to have an account just for your site, with all the hassle that involves (yet another username and password to remember).
If you decide you want to use Open ID, there's not need to choose between that and auth - use django-openid-auth, which adds Open ID support to the auth framework.
Definitely try and avoid using an Open ID implementation that doesn't plug into Django's auth framework - you'll lose a lot of the baked-in goodness of Django (model-level permissions etc).
OpenID and OAuth do different things. OpenID lets users log into your site. OAuth lets people give your site access to their data elsewhere. On the other side of the coin, OAuth gives you a secure way to let users access their data in your service from elsewhere.
If you implement OpenID, don't implement an OpenID producer. Everyone's already got an OpenID, whether they know it or not. Just consume openids from elsewhere. Migrating OpenIDs shouldn't be hard. Just make sure that a user account can connect via multiple OIDs, then they can add new ones as needed, and remove when they're done with them.
Edit: Just saw that you were talking about django auth, not oauth. Oops. The second paragraph still stands.