Metadata-Version: 2.1
Name: edx-auth-backends
Version: 2.0.0
Summary: Custom edX authentication backends and pipeline steps
Home-page: https://github.com/edx/auth-backends
Author: edX
Author-email: oscm@edx.org
License: AGPL
Keywords: authentication edx
Platform: UNKNOWN
Classifier: Development Status :: 5 - Production/Stable
Classifier: Environment :: Web Environment
Classifier: Intended Audience :: Developers
Classifier: License :: OSI Approved :: GNU Affero General Public License v3
Classifier: Operating System :: OS Independent
Classifier: Programming Language :: Python
Classifier: Programming Language :: Python :: 2.7
Classifier: Programming Language :: Python :: 3.5
Classifier: Programming Language :: Python :: 3.6
Classifier: Framework :: Django
Classifier: Framework :: Django :: 1.8
Classifier: Framework :: Django :: 1.9
Classifier: Framework :: Django :: 1.10
Classifier: Framework :: Django :: 1.11
Classifier: Topic :: Internet
Requires-Dist: Django (<2.0,>=1.8)
Requires-Dist: pyjwt
Requires-Dist: six
Requires-Dist: social-auth-core[openidconnect] (<2.0.0,>=1.3.0)
Requires-Dist: social-auth-app-django (<2.0.0,>=1.2.0)

auth-backends  |Travis|_ |Codecov|_
===================================
.. |Travis| image:: https://travis-ci.org/edx/auth-backends.svg?branch=master
.. _Travis: https://travis-ci.org/edx/auth-backends

.. |Codecov| image:: http://codecov.io/github/edx/auth-backends/coverage.svg?branch=master
.. _Codecov: http://codecov.io/github/edx/auth-backends?branch=master

This package contains custom authentication backends, views, and pipeline steps used by edX services for single sign-on.

This package is compatible with Python 2.7, 3.5, and 3.6, and Django 1.8 through 1.11.

We currently support two forms of authentication:

- OAuth 2.0
- OpenID Connect (deprecated)

Support for OpenID Connect (OIDC) is deprecated. Clients should use the OAuth 2.0 backend. This backend behaves
similarly to the OIDC backend, except that the access token itself is a signed JWT (JWS), which the backend verifies,
rather than relying on OIDC's ID token. This allows us to use any OAuth 2.0 provider that issues such tokens, and not
rely on an implementation of an OIDC provider.

Installation
------------

The `auth_backends` package can be installed from PyPI using pip::

    $ pip install edx-auth-backends

Update ``INSTALLED_APPS``:

.. code-block:: python

    INSTALLED_APPS = (
        'social_django',
    )


Configuration
-------------
Adding single sign-on/out support to a service requires a few changes:

1. Define settings
2. Add the authentication backend
3. Add the login/logout redirects


OAuth 2.0 Settings
~~~~~~~~~~~~~~~~~~
+----------------------------------------------------------+-------------------------------------------------------------------------------------------+
| Setting                                                  | Purpose                                                                                   |
+==========================================================+===========================================================================================+
| SOCIAL_AUTH_EDX_OAUTH2_KEY                               | Client key                                                                                |
+----------------------------------------------------------+-------------------------------------------------------------------------------------------+
| SOCIAL_AUTH_EDX_OAUTH2_SECRET                            | Client secret                                                                             |
+----------------------------------------------------------+-------------------------------------------------------------------------------------------+
| SOCIAL_AUTH_EDX_OAUTH2_ENDPOINT                          | Provider root (e.g. https://courses.stage.edx.org/oauth2)                                 |
+----------------------------------------------------------+-------------------------------------------------------------------------------------------+
| SOCIAL_AUTH_EDX_OAUTH2_JWS_HMAC_SIGNING_KEY              | (Optional) Shared secret for JWT signed with HS512 algorithm                              |
+----------------------------------------------------------+-------------------------------------------------------------------------------------------+
| SOCIAL_AUTH_EDX_OAUTH2_PROVIDER_CONFIGURATION_CACHE_TTL  | (Optional) Cache timeout for provider configuration. Defaults to 1 week.                  |
+----------------------------------------------------------+-------------------------------------------------------------------------------------------+
| SOCIAL_AUTH_EDX_OAUTH2_JWKS_CACHE_TTL                    | (Optional) Cache timeout for provider's JWKS key data. Defaults to 1 day.                 |
+----------------------------------------------------------+-------------------------------------------------------------------------------------------+

Note that the OAuth 2.0 provider uses ``SOCIAL_AUTH_EDX_OAUTH2_ENDPOINT`` to read configuration from a special path,
``.well-known/openid-configuration`` (e.g. https://courses.stage.edx.org/oauth2/.well-known/openid-configuration). The
data returned from this endpoint provides the URLs necessary for authentication as well as the public keys used to
verify the signed JWT (JWS) access token.

As of auth-backends 2.0.0, OAuth 2.0 applications require access to the ``user_id`` scope in order for the ``EdXOAuth2``
backend to work. The backend writes the ``user_id`` claim from the verified access token into the social-auth
``extra_data``, where it can be read from a ``User`` instance as follows::

    self.social_auth.first().extra_data[u'user_id']  # pylint: disable=no-member

Note that ``first()`` returns ``None`` for a user with no social-auth association (for example an account that only
ever authenticated through ``ModelBackend``), so callers should guard against that case.
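The access-token check that the table above alludes to, as an added example that is not the package's own code: when
``SOCIAL_AUTH_EDX_OAUTH2_JWS_HMAC_SIGNING_KEY`` is set, the access token is an HS512-signed JWS, and the verifier must
pin the algorithm before trusting the signature, check ``iss`` and ``exp``, and only then read ``user_id``. The example
below uses only the standard library (no PyJWT), a constructed shared secret and issuer, and assumes the provider's
token carries ``iss``, ``exp`` and ``user_id`` claims with those names; the minting helper stands in for the provider so
the block runs offline.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the example. In a deployment the key is the value of
# SOCIAL_AUTH_EDX_OAUTH2_JWS_HMAC_SIGNING_KEY and the issuer is the provider root;
# neither belongs in source code.
EXAMPLE_HMAC_KEY = b"example-shared-secret-do-not-use"
EXAMPLE_ISSUER = "https://courses.stage.edx.org/oauth2"


class TokenError(Exception):
    """Raised for any token that must not be accepted."""


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment):
    try:
        return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))
    except ValueError:  # binascii.Error is a ValueError subclass
        raise TokenError("segment is not valid base64url")


def mint_hs512_token(claims, key=EXAMPLE_HMAC_KEY):
    """Produce an HS512 JWS for the given claims (stands in for the provider)."""
    header = {"alg": "HS512", "typ": "JWT"}
    signing_input = ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode("utf-8")),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode("utf-8")),
    ])
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha512).digest()
    return signing_input + "." + _b64url_encode(signature)


def verify_hs512_token(token, key=EXAMPLE_HMAC_KEY, issuer=EXAMPLE_ISSUER, now=None):
    """Verify signature, issuer and expiry; return the payload dict on success.

    The algorithm is pinned to HS512 *before* the signature is checked, so a
    token whose header says "alg": "none" (or any other algorithm) is rejected
    regardless of what its signature segment contains.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise TokenError("malformed token: expected three segments")
    header = json.loads(_b64url_decode(header_b64).decode("utf-8"))
    if header.get("alg") != "HS512":
        raise TokenError("unexpected alg: %r" % header.get("alg"))
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha512).digest()
    # Constant-time comparison: never short-circuit on the first differing byte.
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64).decode("utf-8"))
    now = time.time() if now is None else now
    if payload.get("iss") != issuer:
        raise TokenError("wrong issuer: %r" % payload.get("iss"))
    if "exp" not in payload or payload["exp"] < now:
        raise TokenError("token expired or missing exp")
    return payload


def user_id_from_token(token, **kwargs):
    """The value the backend would store as extra_data['user_id'] (assumed claim name)."""
    payload = verify_hs512_token(token, **kwargs)
    if "user_id" not in payload:
        raise TokenError("user_id scope was not granted to this application")
    return int(payload["user_id"])


if __name__ == "__main__":
    token = mint_hs512_token({"iss": EXAMPLE_ISSUER, "exp": 2000000000, "user_id": 42})
    print(user_id_from_token(token))
```

The order of checks is the point: algorithm, then signature, then claims. Reading ``user_id`` from an unverified payload
would let any client that can reach the service mint its own identity.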


OIDC Settings (deprecated)
~~~~~~~~~~~~~~~~~~~~~~~~~~
The following settings MUST be set:

+----------------------------------------------+---------------------------------------------------------------------------------------------+
| Setting                                      | Purpose                                                                                     |
+==============================================+=============================================================================================+
| SOCIAL_AUTH_EDX_OIDC_KEY                     | OAuth/OpenID Connect client key                                                             |
+----------------------------------------------+---------------------------------------------------------------------------------------------+
| SOCIAL_AUTH_EDX_OIDC_SECRET                  | OAuth/OpenID Connect client secret                                                          |
+----------------------------------------------+---------------------------------------------------------------------------------------------+
| SOCIAL_AUTH_EDX_OIDC_ID_TOKEN_DECRYPTION_KEY | Identity token decryption key (same value as the client secret for edX OpenID Connect)      |
+----------------------------------------------+---------------------------------------------------------------------------------------------+
| SOCIAL_AUTH_EDX_OIDC_URL_ROOT                | OAuth/OpenID Connect provider root (e.g. https://courses.stage.edx.org/oauth2)              |
+----------------------------------------------+---------------------------------------------------------------------------------------------+
| SOCIAL_AUTH_EDX_OIDC_ISSUER                  | OAuth/OpenID Connect provider ID token issuer (e.g. https://courses.stage.edx.org/oauth2)   |
+----------------------------------------------+---------------------------------------------------------------------------------------------+
| SOCIAL_AUTH_EDX_OIDC_LOGOUT_URL              | OAuth/OpenID Connect provider's logout page URL (e.g. https://courses.stage.edx.org/logout) |
+----------------------------------------------+---------------------------------------------------------------------------------------------+

If your application requires additional user data in the identity token, you can specify additional claims by defining
the ``EXTRA_SCOPE`` setting. For example, if you wish to have a claim named `preferred_language`, you would include
the following in your settings:

.. code-block:: python

    EXTRA_SCOPE = ['preferred_language']

Assuming the identity provider knows how to process that scope, the associated claim data will be included in the
identity token returned during authentication. Note that these scopes/claims are dependent on the identity provider
being used. The ``EdXOpenIdConnect`` backend is configured to be used by all edX services out-of-the-box.

The optional setting ``COURSE_PERMISSIONS_CLAIMS``, used primarily by
`edx-analytics-dashboard <https://github.com/edx/edx-analytics-dashboard>`_, can be used to designate scopes/claims that
should be requested in order to retrieve a list of courses the user is permitted to access/administer. The value of this
array depends on the authentication provider's available scopes.

Strategy
~~~~~~~~
We use a custom `strategy <http://python-social-auth.readthedocs.io/en/latest/strategies.html>`_ that includes many of
the default settings necessary to utilize single sign-on for edX services. This strategy should be used for all
services to simplify configuration. If you need to override the defaults, you may still do so as you would with any
social auth setting: prepend ``SOCIAL_AUTH_`` to the setting name. Add the following to your Django settings to use the
strategy:

.. code-block:: python

    SOCIAL_AUTH_STRATEGY = 'auth_backends.strategies.EdxDjangoStrategy'

Authentication Backend
~~~~~~~~~~~~~~~~~~~~~~
Configuring the backend is simply a matter of updating the ``AUTHENTICATION_BACKENDS`` setting. The configuration
below, using the OAuth 2.0 backend, is sufficient for all edX services. Services still on the deprecated OIDC flow use
``auth_backends.backends.EdXOpenIdConnect`` in place of ``EdXOAuth2``. ``ModelBackend`` stays in the list so that
local accounts (for example the Django admin superuser) can still sign in.

.. code-block:: python

    AUTHENTICATION_BACKENDS = (
        'auth_backends.backends.EdXOAuth2',
        'django.contrib.auth.backends.ModelBackend',
    )

Authentication Views
~~~~~~~~~~~~~~~~~~~~
In order to make use of the authentication backend, your service's login/logout views need to be updated. The login
view should be updated to redirect to the authentication provider's login page. The logout view should be updated to
redirect to the authentication provider's logout page.

This package includes views and urlpatterns configured for OIDC and OAuth 2.0. To use them, simply append/prepend
either ``auth_urlpatterns`` (OIDC) or ``oauth2_urlpatterns`` (OAuth 2.0) to your service's urlpatterns in `urls.py`.

.. code-block:: python

    from auth_backends.urls import auth_urlpatterns

    urlpatterns = auth_urlpatterns + [
        url(r'^admin/', include(admin.site.urls)),
        ...
    ]

It is recommended that you not modify the login view. If, however, you need to modify the logout view (to redirect to
a different URL, for example), you can subclass either ``EdxOAuth2LogoutView`` or ``EdxOpenIdConnectLogoutView`` for
the view and ``LogoutViewTestMixin`` for your tests.

Devstack
--------
When using the Docker-based devstack, it is necessary to have both internal and public URLs for the OAuth/OIDC
provider: the service talks to the provider over the Docker network, while the user's browser is redirected to a
hostname it can resolve. To accommodate this need, set the ``SOCIAL_AUTH_EDX_OIDC_PUBLIC_URL_ROOT`` setting to the
value of the provider's browser-accessible URL.

.. code-block:: python

    SOCIAL_AUTH_EDX_OIDC_URL_ROOT = 'http://edx.devstack.edxapp:18000/oauth2'
    SOCIAL_AUTH_EDX_OIDC_PUBLIC_URL_ROOT = 'http://localhost:18000/oauth2'

Additionally, the logout URL should also be browser-accessible:

.. code-block:: python

    SOCIAL_AUTH_EDX_OIDC_LOGOUT_URL = 'http://localhost:18000/logout'
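The two pieces of provider configuration handling described above (reading the provider's
``.well-known/openid-configuration`` document in the OAuth 2.0 settings section, and the split between internal and
browser-accessible URLs in this devstack section), as an added example that is not the package's own code. The discovery
document is constructed inline using the standard OpenID discovery field names (``issuer``, ``authorization_endpoint``,
``token_endpoint``, ``jwks_uri``, ``end_session_endpoint``); the check that ``issuer`` equals the configured root is the
discovery-spec rule that stops a service from accepting endpoints served for a different issuer. The mapping of
browser-facing endpoints from the internal root to the public root mirrors the ``URL_ROOT`` / ``PUBLIC_URL_ROOT``
pair above; it is an illustration of that idea, not the backend's implementation.

```python
import json
try:
    from urllib.parse import urlsplit, urlunsplit
except ImportError:  # Python 2.7
    from urlparse import urlsplit, urlunsplit

# Constructed discovery document shaped like .well-known/openid-configuration,
# as a devstack provider on the Docker network might serve it.
EXAMPLE_DISCOVERY_JSON = json.dumps({
    "issuer": "http://edx.devstack.edxapp:18000/oauth2",
    "authorization_endpoint": "http://edx.devstack.edxapp:18000/oauth2/authorize",
    "token_endpoint": "http://edx.devstack.edxapp:18000/oauth2/access_token",
    "jwks_uri": "http://edx.devstack.edxapp:18000/oauth2/jwks",
    "end_session_endpoint": "http://edx.devstack.edxapp:18000/logout",
})

# Fields without which the OAuth 2.0 flow cannot run at all.
REQUIRED_FIELDS = ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri")
# Endpoints the browser is sent to (must be reachable from the user's machine);
# everything else is called server-to-server and stays on the internal root.
BROWSER_ENDPOINTS = ("authorization_endpoint", "end_session_endpoint")


class DiscoveryError(Exception):
    """The discovery document is unusable and must not be cached or acted on."""


def load_discovery(doc_json, configured_root, allow_http=False):
    """Parse and validate a discovery document fetched from configured_root.

    The document is only trusted if its issuer is exactly the root it was fetched
    from (trailing slash ignored) and every endpoint is an absolute https URL;
    http is permitted only when allow_http is set, as in a local devstack.
    """
    cfg = json.loads(doc_json)
    missing = [f for f in REQUIRED_FIELDS if f not in cfg]
    if missing:
        raise DiscoveryError("discovery document missing %s" % ", ".join(missing))
    if cfg["issuer"].rstrip("/") != configured_root.rstrip("/"):
        raise DiscoveryError("issuer %r does not match configured root %r"
                             % (cfg["issuer"], configured_root))
    for field in REQUIRED_FIELDS[1:] + tuple(f for f in BROWSER_ENDPOINTS if f in cfg):
        parts = urlsplit(cfg[field])
        if not parts.netloc or parts.scheme not in (("https", "http") if allow_http else ("https",)):
            raise DiscoveryError("%s is not an acceptable absolute URL: %r" % (field, cfg[field]))
    return cfg


def browser_facing(cfg, internal_root, public_root):
    """Return a copy of cfg with browser-redirect endpoints moved to public_root.

    Only the scheme and host:port are swapped, and only for URLs that really
    are on the internal origin; a browser endpoint pointing anywhere else is
    refused rather than silently passed through to the user's browser.
    """
    internal, public = urlsplit(internal_root), urlsplit(public_root)
    result = dict(cfg)
    for field in BROWSER_ENDPOINTS:
        if field not in cfg:
            continue
        parts = urlsplit(cfg[field])
        if (parts.scheme, parts.netloc) != (internal.scheme, internal.netloc):
            raise DiscoveryError("%s is not hosted on %s" % (field, internal_root))
        result[field] = urlunsplit((public.scheme, public.netloc, parts.path, parts.query, parts.fragment))
    return result


if __name__ == "__main__":
    cfg = load_discovery(EXAMPLE_DISCOVERY_JSON, "http://edx.devstack.edxapp:18000/oauth2", allow_http=True)
    for k, v in sorted(browser_facing(cfg, "http://edx.devstack.edxapp:18000/oauth2",
                                      "http://localhost:18000/oauth2").items()):
        print("%-24s %s" % (k, v))
```

In production ``allow_http`` stays off: the discovery document and the JWKS it points to are the root of trust for
token verification, so fetching them over plain HTTP would let an on-path attacker substitute their own signing keys.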

Testing
-------

Call ``make test``.

License
-------

The code in this repository is licensed under the AGPL unless otherwise noted.

Please see ``LICENSE.txt`` for details.

How To Contribute
-----------------

Contributions are very welcome!

Please read `How To Contribute <https://github.com/edx/edx-platform/blob/master/CONTRIBUTING.rst>`_ for details.

Even though it was written with `edx-platform <https://github.com/edx/edx-platform>`_ in mind,
the guidelines should be followed for Open edX code in general.

Reporting Security Issues
-------------------------

Please do not report security issues in public. Please email security@edx.org.

Mailing List and IRC Channel
----------------------------

You can discuss this code on the `edx-code Google Group <https://groups.google.com/forum/#!forum/edx-code>`_ or in the
``#edx-code`` IRC channel on Freenode.


.. :changelog:

History
=======

0.1.3 (2015-03-31)
------------------

- Update required version of Python Social Auth to 0.2.3.

0.1.2 (2015-02-23)
------------------

- Update required version of Python Social Auth to 0.2.2.

0.1.1 (2015-02-20)
------------------

- Initial release.


Renzo Lucioni <renzo@edx.org>
Troy Sankey <tsankey@edx.org>


