This package contains custom authentication backends, views, and pipeline steps used by edX services for single sign-on.
This package is compatible with Python 2.7 and 3.5, and Django 1.11 through 2.2.
We currently support OAuth 2.0 authentication. Support for OpenID Connect (OIDC) was removed as of version 3.0. Use version 2.x if you require OIDC and are not able to migrate to OAuth2.
The auth_backends package can be installed from PyPI using pip:
$ pip install edx-auth-backends
INSTALLED_APPS = ( 'social_django', )
Adding single sign-on/out support to a service requires a few changes:
- Define settings
- Add the authentication backend
- Add the login/logout redirects
OAuth 2.0 Settings
|SOCIAL_AUTH_EDX_OAUTH2_URL_ROOT||LMS root, reachable from the application server (e.g. https://courses.stage.edx.org or http://edx.devstack.lms:18000)|
|SOCIAL_AUTH_EDX_OAUTH2_PUBLIC_URL_ROOT||LMS root, reachable from the end user's browser (e.g. https://courses.stage.edx.org or http://localhost:18000)|
|SOCIAL_AUTH_EDX_OAUTH2_JWS_HMAC_SIGNING_KEY||(Optional) Shared secret for JWT signed with HS512 algorithm|
|SOCIAL_AUTH_EDX_OAUTH2_PROVIDER_CONFIGURATION_CACHE_TTL||(Optional) Cache timeout for provider configuration. Defaults to 1 week.|
|SOCIAL_AUTH_EDX_OAUTH2_JWKS_CACHE_TTL||(Optional) Cache timeout for provider's JWKS key data. Defaults to 1 day.|
OAuth2 Applications require access to the
user_id scope in order for the
EdXOAuth2 backend to work. The backend will write the
user_id into the social-auth extra_data, and can be accessed within the User model as follows:
self.social_auth.first().extra_data[u'user_id'] # pylint: disable=no-member
We use a custom strategy that includes many of the default settings necessary to utilize single sign-on for edX services. This strategy should be used for all services to simplify configuration. If you need to override the defaults, you may still do so as you would with any social auth setting——prepend SOCIAL_AUTH_ to the setting name. Add the following to your Django settings to use the strategy:
SOCIAL_AUTH_STRATEGY = 'auth_backends.strategies.EdxDjangoStrategy'
Configuring the backend is simply a matter of updating the
AUTHENTICATION_BACKENDS setting. The configuration
below is sufficient for all edX services.
AUTHENTICATION_BACKENDS = ( 'auth_backends.backends.EdXOAuth2', 'django.contrib.auth.backends.ModelBackend', )
In order to make use of the authentication backend, your service's login/logout views need to be updated. The login view should be updated to redirect to the authentication provider's login page. The logout view should be updated to redirect to the authentication provider's logout page.
This package includes views and urlpatterns configured for OAuth 2.0. To use them, simply append/prepend
oauth2_urlpatterns to your service's urlpatterns in urls.py.
from auth_backends.urls import oauth2_urlpatterns urlpatterns = oauth2_urlpatterns + [ url(r'^admin/', include(admin.site.urls)), ... ]
It is recommended that you not modify the login view. If, however, you need to modify the logout view (to redirect to
a different URL, for example), you can subclass
the view and
LogoutViewTestMixin for your tests.
The code in this repository is licensed under the AGPL unless otherwise noted.
LICENSE.txt for details.
How To Contribute
Contributions are very welcome!
Please read How To Contribute for details.
Even though it was written with edx-platform in mind, the guidelines should be followed for Open edX code in general.
Reporting Security Issues
Please do not report security issues in public. Please email email@example.com.
Mailing List and IRC Channel
You can discuss this code on the edx-code Google Group or in the
#edx-code IRC channel on Freenode.