-
-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
SSO #1372
Comments
@jaysoffian I'd be curious to hear your feedback since you guys have done a bunch around this and ideally we can support what you're doing without any modifications (beyond potentially a custom auth implementation plugin) |
Some things we should keep in mind when doing this is other peoples successes failures:
Something important to note is allauth takes a URL based approach, and there might be limitations to what we're trying to do w/ the pipeline. As an alternative we could do a get_urls hook that just returns views, and we could easily namespace those (see nexus for an example) |
Some initial thoughts on APIs:
|
Working branch is |
django-social-auth is renamed to python-social-auth and it has very good support for pipelines. |
@remik I think we're definitely going with a pipeline approach as it seems flexible enough to support all cases and is easy to implement. To be clear though our pipelines are per provider whereas social-auth's are for controlled what happens at a global level (afaict) |
Here's a basic prototype of Google (OAuth2): https://gist.github.com/dcramer/35dd269c17ddac11274a#file-google_oauth2-py-L65 I'm not sure I'm happy with it yet. We'll obviously need to make a few minor additions to support refresh tokens, but its a minor issue and IMO due to OAuth2 being so simple we likely wont bring in third party libs since they just add complexity/additional abstractions that can break. |
My biggest issue right now is how we treat the step flow control, which honestly probably won't even work. We need a clean way to handle these situations:
I don't like returning different data types (in fact, I won't allow that), so the alternative is that we return some kind of tuple (success, [response]), but that's a bit obscure and to me always feels unpythonic. The general alternative to this is using exceptions as flow control (i.e. raise Authenticated) but that's super shitty. Another alternative would be to do something like return self.the_kind_of_action(), but that has scoping issues as we need to bind the implementation instance in this area, and we need the outer controller (which realistically is where the |
I think this might actually be not completely shitty and reasonable:
|
Sorry for the slow reply. From my perspective, auth is handled by a web server in-front of Sentry. The web-server sends an HTTP header with the username. I have a shim in django to check for that header, create the user if necessary, backfilling certain user attributes from LDAP (real name, email). Within Sentry, I disable all of its user management (create new account, alter username, email, real name). I probably won't have a chance to experiment with what you've done here before you are able to land it, so I'll just submit patches if need be after the fact. :-) |
I think the best approach is to adapt Sentry to work with python-social-auth. Later in order to add SAML support we need to integrate python-saml and create a new SAML Auth provider. |
@pitbulk we already did that. It's too restrictive/buggy/hard to fix. I even have a branch where we vendor an older django-social-auth so we can fix some core issues, but its just not worth the effort. Basically we implemented almost all we needed for the base auth framework in <300 loc and its much easier to maintain. It also guarantees functionality with all working cases we have (we have several, and most of them aren't currently supported by social-auth). As an example we need:
I have no desire to build such straight forward APIs on a complex backend that tries to cater to every use case there is. It adds way too much complexity and just makes it harder for people to understand. It's also important to note that we dont care about 99% of the social auth backends, so reusability is minimal. We're going to be dropping some things like Twitter/Facebook auth as they simply dont make sense for Sentry as a product. For what its worth, there could be a point we pull the Sentry auth system out of Sentry as it's super generic and thin, but reusability isnt a priority yet. |
@dcramer, ok I underestand. In the python-saml library you have 2 examples of how add SAML support to a Django app and a Flask app The normal case of the python-saml library is to be used 1 SP - 1 IdP, but is not hard to make it work 1SP - multiple IdPs. If I can help you with the library, let me know. You can open an issue in the repo. |
v0 of this is in master, closing this out so we can follow up with a new ticket |
Implement organization-based SSO.
We're circulating an internal draft and will publish more details as we make decisions.
Changes to the current authentication system:
Basic data modeling:
Here's an ugly representation of what some of the code layout might look like:
The text was updated successfully, but these errors were encountered: