
Add OpenID Connect authentication backend and login/logout views

First diff related to users authentication in swh-web based on OpenID Connect (implemented in //Keycloak//).

The scope of that diff is the authentication of users from the main HTML interface of swh-web. This could be used to enable special GUI features (for instance admin pages) based on user group or permissions (currently not handled, will be implemented in #2295 (closed) and #2247 (closed)).

Users get authenticated by using the OIDC Authorization Code Flow with PKCE extension, based on the use of a temporary dynamic client secret instead of storing a static one on the backend side.
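As an added illustration (not swh-web or python-keycloak code), the PKCE part of that flow in stdlib Python: the client's per-request `code_verifier` plays the role of the temporary secret, the derived S256 `code_challenge` goes out with the authorization request, and the provider (Keycloak here) only redeems the authorization code when the verifier presented at the token endpoint matches the challenge it stored. Function names are this example's own.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed example of the PKCE (RFC 7636) computations used by the
# Authorization Code Flow; no swh-web or python-keycloak API is involved.


def b64url_nopad(raw: bytes) -> str:
    """BASE64URL encoding without '=' padding, as PKCE requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """Client side: fresh high-entropy verifier, 43..128 unreserved chars.
    32 random bytes encode to exactly 43 characters."""
    return b64url_nopad(secrets.token_bytes(n_bytes))


def code_challenge_s256(verifier: str) -> str:
    """Client side: BASE64URL(SHA256(ASCII(code_verifier))), sent as
    code_challenge with code_challenge_method=S256 in the auth request."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def server_verifies(stored_challenge: str, method: str, presented: str) -> bool:
    """Provider side, at the token endpoint: recompute the challenge from the
    verifier sent with the authorization code and compare in constant time.
    The 'plain' method is rejected here, since S256 is the expected one."""
    if method != "S256":
        return False
    return hmac.compare_digest(code_challenge_s256(presented), stored_challenge)


def demo() -> tuple:
    """One legitimate exchange, then a redemption attempt without the verifier:
    a stolen authorization code alone is useless to the holder."""
    verifier = make_code_verifier()
    challenge = code_challenge_s256(verifier)  # stored by the provider with the code
    genuine = server_verifies(challenge, "S256", verifier)
    without_verifier = server_verifies(challenge, "S256", make_code_verifier())
    return genuine, without_verifier


if __name__ == "__main__":
    print(demo())  # (True, False)
```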

The main additions in that diff are located in the new swh.web.auth module containing the following files:

  • backends.py: add Django plumbing to use OpenID Connect authentication layer

  • keycloak.py: contains a wrapper class around the use of the python-keycloak module to ease the interaction with a //Keycloak// server.

  • models.py: a custom Django User model used for remote users, in order to store OpenID Connect related data and avoid saving users to the Django database (this sensitive information is already securely stored in Keycloak, so there is no need to duplicate it).

  • views.py: new Django views in order for users to login/logout from the main HTML interface.

Previous admin login based on standard Django login features is still available.

Related to #2245 (closed) Related to #2246 (closed)


Migrated from D2746 (view on Phabricator)