Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Google logins #49

Open
jameslzhu opened this issue Feb 22, 2019 · 3 comments
Open

Google logins #49

jameslzhu opened this issue Feb 22, 2019 · 3 comments
Assignees
@dragon18456

Comments

@jameslzhu
Copy link
Member

jameslzhu commented Feb 22, 2019
edited
Loading

Users currently login using the default Django auth module (guide, API reference).

We'd like to add an optional alternative login, using Google OpenID Connect (sometimes known as OAuth login). In particular, we'd like to support logins with our hkn.eecs.berkeley.edu domain accounts, only. (I'm against allowing logins from other domains, like @gmail.com or @berkeley.edu, in particular because we don't control them and because @berkeley.edu requires CalNet authentication, apparently a pain.)

I think the major library to do this is called python-social-auth, with the specific backend for Django, social-auth-app-django. The authentication pipeline docs can be found here.

While I wouldn't recommend implementing this login manually, there are various OpenID / OAuth pages which may be helpful for understanding the protocol:

  • OAuth 2.0, the base protocol for authenticated communications. Note this is 2.0, not 1.0.
  • OpenID Connect: the login spec's website, built on top of OAuth
  • Google OpenID Connect: Google's implementation of login using OAuth / OpenID
  • Google Sign In: Google's solution on top of OpenID Connect, lets you put a "Sign in with Google" button on the link. Probably the simplest.
@GeoHutch
Copy link
Contributor

CalNet is Apero CAS, which is definitely not a popular protocol for libraries like this to support. There is a 3rd-party plug-in for django-allauth, https://github.com/aureplop/django-allauth-cas . Allauth is pretty heavy for our use case, but it seems nice enough to use. Explored it some in my fork.

@jameslzhu jameslzhu added project and removed project labels Feb 27, 2019
@dragon18456 dragon18456 self-assigned this Apr 6, 2019
@jameslzhu
Copy link
Member Author

When we implement this with Google OAuth credentials with the hkn-ops account, we'll need to add the following entries to the secrets.py (encrypted):

SOCIAL_AUTH_GOOGLE_OAUTH2_SECRET = '...'
SOCIAL_AUTH_GOOGLE_OAUTH2_KEY = '...'

source: https://python-social-auth.readthedocs.io/en/latest/developer_intro.html

@jvperrin
Copy link
Member

ocfweb does calnet auth, and it doesn't seem too bad, although I'm not sure if it needs any kind of registration with the university to get it all set up.

There's this decorator (https://github.com/ocf/ocfweb/blob/54a90774442bbef072185d338129c942b582661b/ocfweb/auth.py#L44-L62), added to paths that need auth (probably would need one for general auth and then a selection between google apps and calnet on a separate page?). I do think CalNet auth would be pretty valuable, most crucially for candidates, since they don't have a HKN email but should all have CalNet logins.

Some other relevant code snippets:
https://github.com/ocf/ocfweb/blob/9a138f8819040279554bc1b3bc83a18199239346/ocfweb/login/calnet.py
https://github.com/ocf/ocflib/blob/8776681464253c710aca7f963eeff6b662635a2b/ocflib/ucb/cas.py
https://github.com/ocf/ocflib/blob/8776681464253c710aca7f963eeff6b662635a2b/tests/ucb/cas_test.py

@bri25yu bri25yu removed the hard label Sep 21, 2020
@bri25yu bri25yu removed the project label May 6, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@dragon18456 dragon18456

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@jvperrin @jameslzhu @GeoHutch @dragon18456 @bri25yu