SSO Custom Auth Backend Support #728

Closed
FragmentedPacket opened this issue Jul 23, 2021 · 1 comment · Fixed by #807

@FragmentedPacket

Environment

  • Python version: 3.6
  • Nautobot version: 1.0.3

Proposed Functionality

Currently, only social_core.backends are supported within Nautobot to properly redirect to an external login source due to the following code.

from functools import lru_cache

@lru_cache(maxsize=5)
def _sso_auth_enabled(auth_backends):
    # True only when a python-social-auth backend is configured
    for backend in auth_backends:
        if backend.startswith("social_core.backends"):
            return True
    return False

{% if SSO_AUTH_ENABLED %}
<li><a href="{% url 'social:begin' backends.backends.0 %}?next={{ request.get_full_path | urlencode }}&{{ SAML_IDP }}"><i class="mdi mdi-login"></i> Log in</a></li>
{% else %}
<li><a href="{% url settings.LOGIN_URL %}?next={{ request.get_full_path | urlencode }}"><i class="mdi mdi-login"></i> Log in</a></li>
{% endif %}

It would be great if this could be overridden within nautobot_config.py via a setting of some sort, or just be more relaxed in general. A few potential ideas:

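from functools import lru_cache

from django.conf import settings

@lru_cache(maxsize=5)
def _sso_auth_enabled(auth_backends):
    for backend in auth_backends:
        # SOCIAL_AUTH_BACKEND_PREFIX is the proposed setting; Django settings
        # are read as attributes, not by subscript
        if backend.startswith(settings.SOCIAL_AUTH_BACKEND_PREFIX):
            return True
    return False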

or

@lru_cache(maxsize=5)
def _sso_auth_enabled(auth_backends):
    if len(auth_backends) > 1:
        return True
    return False

This is due to only one AUTHENTICATION_BACKEND being defined by default, but not sure it's safe to assume that if it's greater than one, the login redirect should be enabled.

I'm sure there are other ways as well. I'd be willing to implement this once a decision has been made.

Use Case

We're building a custom authentication backend (that may eventually get ported into Social Auth Core, but at this point that is too much overhead), and I assume that others may need to develop their own custom auth backends that can't be open sourced.

Database Changes

N/A

External Dependencies

N/A

@jathanism

Seems like a hybrid of your suggestion and an explicit ENABLE_SSO = True setting might be the winning combination here. Thanks @FragmentedPacket!
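
A sketch of the hybrid discussed in this thread (an explicit on/off switch plus a configurable prefix), added here as an example; it is not Nautobot's code and not necessarily what #807 merged. The names `sso_backend`, `SSOConfigError`, `count_heuristic`, the `enable_sso` and `prefixes` parameters and the `mycorp.*` backend path are hypothetical, and the sample backend tuples are constructed.

```python
from functools import lru_cache

DEFAULT_SSO_PREFIXES = ("social_core.backends",)


class SSOConfigError(ValueError):
    """SSO was forced on but no configured backend can serve the redirect."""


@lru_cache(maxsize=5)
def sso_backend(auth_backends, enable_sso=None, prefixes=DEFAULT_SSO_PREFIXES):
    """Return the dotted path of the backend the login link should use, or None.

    enable_sso=False: always local login. None: auto-detect by prefix.
    True: SSO is required, so a missing backend is a configuration error.
    Pass tuples, not lists: lru_cache hashes its arguments.
    """
    if enable_sso is False:
        return None
    for backend in auth_backends:
        for prefix in prefixes:
            # Match whole dotted components, so the prefix "mycorp.auth"
            # does not also match an unrelated "mycorp.authz_tools" package.
            if backend.startswith(prefix.rstrip(".") + "."):
                return backend
    if enable_sso:
        raise SSOConfigError(f"SSO enabled but no backend matches {prefixes!r}")
    return None


def count_heuristic(auth_backends):
    """The len() > 1 idea from the issue, kept only for comparison."""
    return len(auth_backends) > 1


# Constructed sample AUTHENTICATION_BACKENDS values (hypothetical mycorp path).
LOCAL_ONLY = ("nautobot.core.authentication.ObjectPermissionBackend",)
WITH_LDAP = ("django_auth_ldap.backend.LDAPBackend",) + LOCAL_ONLY
WITH_CUSTOM = ("mycorp.auth.backends.CorpOIDC",) + LOCAL_ONLY

if __name__ == "__main__":
    for name, cfg in [("local", LOCAL_ONLY), ("ldap", WITH_LDAP), ("custom", WITH_CUSTOM)]:
        print(name, count_heuristic(cfg), sso_backend(cfg, None, ("mycorp.auth",)))
```

The LDAP case is the one the count-based idea gets wrong: two backends are configured, but LDAP authenticates through the local username/password form, so the login link should not point at `social:begin`.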

@jathanism jathanism added type: feature Introduction of new or enhanced functionality to the application status: accepted labels Jul 27, 2021
@jathanism jathanism added this to the v1.2.0 milestone Jul 27, 2021
@jedelman8 jedelman8 removed this from the v1.2.0 milestone Jul 30, 2021
glennmatthews added a commit that referenced this issue Sep 30, 2021
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 30, 2021