Skip to content

Authorization Server Implementation in Python supporting OAuth 2.0 & OpenID Connect

License

Notifications You must be signed in to change notification settings

authlete/django-oauth-server

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

11 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

Authorization Server Implementation in Python

Overview

This is an authorization server implementation in Python which supports OAuth 2.0 and OpenID Connect.

This implementation is written using Django API and authlete-python-django library. Django is a web framework written in Python. On the other hand, authlete-python-django is an Authlete's open source library which provides utility classes for developers to implement an authorization server and a resource server. authlete-python-django in turn uses authlete-python library which is another open source library to communicate with Authlete Web APIs.

Access tokens issued by this authorization server can be used at a resource server which uses Authlete as a backend service. django-resource-server is such a resource server implementation. It supports a userinfo endpoint defined in OpenID Connect Core 1.0 and includes an example implementation of a protected resource endpoint, too.

License

Apache License, Version 2.0

Source Code

https://github.com/authlete/django-oauth-server

About Authlete

Authlete is a cloud service that provides an implementation of OAuth 2.0 & OpenID Connect (overview). You can easily get the functionalities of OAuth 2.0 and OpenID Connect either by using the default implementation provided by Authlete or by implementing your own authorization server using Authlete Web APIs as this implementation (django-oauth-server) does.

To use this authorization server implementation, you need to get API credentials from Authlete and set them in authlete.ini. The steps to get API credentials are very easy. All you have to do is just to register your account (sign up). See Getting Started for details.

How To Run

  1. Install authlete-python and authlete-python-django libraries.

     $ pip install authlete
     $ pip install authlete-django
    
  2. Download the source code of this authorization server implementation.

     $ git clone https://github.com/authlete/django-oauth-server.git
     $ cd django-oauth-server
    
  3. Edit the configuration file to set the API credentials of yours.

     $ vi authlete.ini
    
  4. Create a user account for testing.

     $ python manage.py migrate
     $ python manage.py shell
     >>> from django.contrib.auth.models import User
     >>> user = User()
     >>> user.username = 'john'
     >>> user.first_name = 'John'
     >>> user.last_name = 'Smith'
     >>> user.email = '[email protected]'
     >>> user.set_password('john')
     >>> user.is_active = True
     >>> user.save()
     >>> quit()
    
  5. Start the authorization server on http://localhost:8000.

     $ python manage.py runserver
    

Endpoints

This implementation exposes endpoints as listed in the table below.

Endpoint Path
Authorization Endpoint /api/authorization
Token Endpoint /api/token
JWK Set Endpoint /api/jwks
Configuration Endpoint /.well-known/openid-configuration
Revocation Endpoint /api/revocation
Introspection Endpoint /api/introspection

The authorization endpoint and the token endpoint accept parameters described in RFC 6749, OpenID Connect Core 1.0, OAuth 2.0 Multiple Response Type Encoding Practices, RFC 7636 (PKCE) and other specifications.

The JWK Set endpoint exposes a JSON Web Key Set document (JWK Set) so that client applications can (1) verify signatures signed by this OpenID Provider and (2) encrypt their requests to this OpenID Provider.

The configuration endpoint exposes the configuration information of this OpenID Provider in the JSON format defined in OpenID Connect Discovery 1.0.

The revocation endpoint is a Web API to revoke access tokens and refresh tokens. Its behavior is defined in RFC 7009.

The introspection endpoint is a Web API to get information about access tokens and refresh tokens. Its behavior is defined in RFC 7662.

Authorization Request Example

The following is an example to get an access token from the authorization endpoint using Implicit Flow. Don't forget to replace {client-id} in the URL with the real client ID of one of your client applications. As for client applications, see Getting Started and the document of Developer Console.

http://localhost:8000/api/authorization?client_id={client-id}&response_type=token

The request above will show you an authorization page. The page asks you to input login credentials and click "Authorize" button or "Deny" button. If you have created a user account as shown in How To Run, both the login ID and the password are john.

Once login succeeds, the authorization page may not show the login form. To force the login form to appear, append &prompt=login at the end of the authorization request.

Amazon Cognito

This implementation contains a sample code that uses Amazon Cognito as a user database. To enable the sample code, follow the steps below.

  1. Install AWS SDK for Python (Boto3).

     $ pip install boto3
    
  2. Open django_oauth_server/settings.py and add backends.CognitoBackend to AUTHENTICATION_BACKENDS.

     AUTHENTICATION_BACKENDS = ('backends.CognitoBackend',)
    
  3. Set COGNITO_USER_POOL_ID and COGNITO_CLIENT_ID in the same file properly.

     COGNITO_USER_POOL_ID = 'YOUR_COGNITO_USER_POOL_ID'
     COGNITO_CLIENT_ID    = 'YOUR_COGNITO_CLIENT_ID'
    

Note that the Cognito client associated with the Cognito User Pool has to support ALLOW_ADMIN_USER_PASSWORD_AUTH and that the AWS account has to have permissions necessary to call Cognito's AdminInitiateAuth API and AdminGetUser API.

See Amazon Cognito and Latest OAuth/OIDC Specifications for details.

See Also

Contact

Contact Form : https://www.authlete.com/contact/

Purpose Email Address
General [email protected]
Sales [email protected]
PR [email protected]
Technical [email protected]