
OIDC Documentation for Django


0) Overview

The OpenID Connect protocol, in abstract, proceeds as follows.

 1. The RP (Client) sends a request to the OpenID Provider (OP).
 2. The OP authenticates the End-User and obtains authorization.
 3. The OP responds with an ID Token and usually an Access Token.
 4. The RP can send a request with the Access Token to the UserInfo
    Endpoint.
 5. The UserInfo Endpoint returns Claims about the End-User. 

1) Install SSL SERVER (optional; skip this step if your server already serves TLS).

1.1) Setup SSL Server for development

This server is for development only and is not suitable for a production environment.

 $ pip install django-sslserver 

1.2) Update INSTALLED_APPS

Add to the INSTALLED_APPS list in settings.py

   sslserver

1.3) Run SERVER

   python manage.py runsslserver 127.0.0.1:443

2) Install OIDC library

Requirements

 * Python 2.7 / 3.5+
 * Django 1.8+
 * openid-connect

Install the library:

 $ pip install django-auth-oidc

2.1) Update INSTALLED_APPS

Add to the INSTALLED_APPS list in settings.py

   django_auth_oidc

2.2) Allowed hosts

Add in settings.py

   ALLOWED_HOSTS = ['your host']

2.3) Credentials

Add AUTH_SERVER, AUTH_CLIENT_ID and AUTH_CLIENT_SECRET to settings.py

   AUTH_SERVER = "https://aai-dev.egi.eu/oidc/"  # this is a dev environment!
   AUTH_CLIENT_ID = "XXXX"
   AUTH_CLIENT_SECRET = "XXXX"

2.4) Update urls.py file

Add to urlpatterns list in urls.py

   url(r'^auth/', include('django_auth_oidc.urls'))

2.5) Query userinfo endpoint

In the login view, fetch the OpenID data/claims for the logged-in user

   # The session only holds 'openid_token' after django_auth_oidc has completed
   # the login, so look it up with .get() instead of indexing the session.
   try:
       token = request.session.get('openid_token')
       if token:
           json = get_nest_data(token)
           # sample output: {u'family_name': u'Pedro', u'sub': u'99999999999c@egi.eu', u'acr': u'https://aai.egi.eu/LoA#Low', u'given_name': u'Pedro', u'email': u'pedro@gmail.com', u'name': u'Pedro Alves'}
   except Exception as ce:
       print(ce)

Create this function to query the userinfo endpoint; it returns the claims as a dict, or None if the request fails or the OP answers with anything other than 200

   import requests

   def get_nest_data(auth_t):
       # The access token goes in the Authorization header as a Bearer token.
       headers = {
           'authorization': "Bearer " + auth_t,
           'content-type': "application/json",
       }

       try:
           # this is a dev environment!
           init_res = requests.get('https://aai-dev.egi.eu/oidc/userinfo',
                                   headers=headers, allow_redirects=False,
                                   timeout=10)
           if init_res.status_code == 200:
               return init_res.json()
       except Exception as ce:
           print(ce)
       return None

2.6) Permissions info

Level of Assurance (LoA): acr

json['acr'] is the claim to use when validating what the user is allowed to do. Its value is one of these URIs:

 * Low: authentication through a social identity provider or other low identity assurance provider: https://aai.egi.eu/LoA#Low
 * Substantial: password/X.509 authentication at the user's home IdP: https://aai.egi.eu/LoA#Substantial
 * High: Substantial + multi-factor authentication (not yet supported, TBD): https://aai.egi.eu/LoA#High

Something like this will do the job (the three labels are kept consistent so they can be compared later)

   if "#Low" in json['acr']:
       user_type = '#Low'
   elif "#Substantial" in json['acr']:
       user_type = '#Substantial'
   elif "#High" in json['acr']:
       user_type = '#High'
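The following is an added example, not code from this page or from the django-auth-oidc project, that ties sections 2.5 and 2.6 together: it checks that the userinfo response belongs to the same subject as the ID Token (the check OpenID Connect Core 1.0, section 5.3.2, requires before the userinfo claims may be used), ranks the three acr URIs from section 2.6 by exact match rather than substring, and gates a view on a minimum level. It uses only the standard library so it runs offline. SAMPLE_ID_TOKEN_CLAIMS and SAMPLE_USERINFO are constructed from the sample output in section 2.5, and the session key "openid_claims", the view name sensitive_view and the helper make_request are assumptions for the demonstration.

```python
# Added example (not the page's or the django-auth-oidc project's code).
# Standard library only; sample claims are constructed from section 2.5 and
# the session key "openid_claims" is a hypothetical one filled by the login view.
from functools import wraps
from types import SimpleNamespace

# LoA URIs exactly as documented in section 2.6, ranked lowest to highest.
LOA_RANK = {
    "https://aai.egi.eu/LoA#Low": 1,
    "https://aai.egi.eu/LoA#Substantial": 2,
    "https://aai.egi.eu/LoA#High": 3,
}
# Reverse map: rank -> short label ("Low", "Substantial", "High").
LOA_NAMES = {rank: uri.rsplit("#", 1)[1] for uri, rank in LOA_RANK.items()}


def loa_level(claims):
    """Numeric rank of the 'acr' claim, or 0 when it is missing or not one of
    the known URIs. Exact matching means an acr such as
    'https://other.example/LoA#High' is not accepted merely because it
    contains '#High', which the substring test in section 2.6 would do."""
    acr = claims.get("acr")
    if not isinstance(acr, str):
        return 0
    return LOA_RANK.get(acr, 0)


def user_type(claims):
    """Short label for the user's level, or 'Unknown'; replaces the if/elif chain."""
    return LOA_NAMES.get(loa_level(claims), "Unknown")


def meets_loa(claims, minimum_uri):
    """True when the user's acr is at least as strong as minimum_uri."""
    return loa_level(claims) >= LOA_RANK[minimum_uri]


def verify_userinfo(id_token_claims, userinfo_claims):
    """OpenID Connect Core 1.0 section 5.3.2: the 'sub' in the UserInfo response
    must exactly match the 'sub' of the ID Token, otherwise the response must
    not be used. Returns the claims when consistent, raises ValueError otherwise."""
    sub = userinfo_claims.get("sub")
    if not sub or sub != id_token_claims.get("sub"):
        raise ValueError("UserInfo sub does not match ID Token sub")
    return userinfo_claims


def requires_loa(minimum_uri):
    """Decorator for a Django-style view. Reads the claims stored by the login
    view under request.session['openid_claims'] (hypothetical key) and returns
    a (403, reason) tuple instead of calling the view when the level is too low."""
    def decorator(view):
        @wraps(view)
        def wrapper(request, *args, **kwargs):
            claims = request.session.get("openid_claims") or {}
            if not meets_loa(claims, minimum_uri):
                return (403, "LoA %s required, user has %s"
                        % (LOA_NAMES[LOA_RANK[minimum_uri]], user_type(claims)))
            return view(request, *args, **kwargs)
        return wrapper
    return decorator


@requires_loa("https://aai.egi.eu/LoA#Substantial")
def sensitive_view(request):
    """Hypothetical view that only Substantial or High users may reach."""
    return (200, "hello %s" % request.session["openid_claims"]["name"])


# Constructed from the sample output shown in section 2.5.
SAMPLE_ID_TOKEN_CLAIMS = {"sub": "99999999999c@egi.eu",
                          "acr": "https://aai.egi.eu/LoA#Low"}
SAMPLE_USERINFO = {
    "family_name": "Pedro", "sub": "99999999999c@egi.eu",
    "acr": "https://aai.egi.eu/LoA#Low", "given_name": "Pedro",
    "email": "pedro@gmail.com", "name": "Pedro Alves",
}


def make_request(claims):
    """Minimal stand-in for a Django request carrying a session dict."""
    return SimpleNamespace(session={"openid_claims": claims})


if __name__ == "__main__":
    claims = verify_userinfo(SAMPLE_ID_TOKEN_CLAIMS, SAMPLE_USERINFO)
    print(user_type(claims), sensitive_view(make_request(claims)))
```

In a real project the login view would run verify_userinfo on the result of get_nest_data against the claims of the validated ID Token, store the verified claims in the session, and views would then be decorated with requires_loa; a user with the sample Low acr gets a 403 from sensitive_view, while a High user passes through.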

3) More docs

http://openid.net/specs/openid-connect-core-1_0.html

https://wiki.egi.eu/wiki/AAI_guide_for_SPs

https://www.egi.eu/

https://gitlab.com/aiakos/django-auth-oidc

https://github.com/teddziuba/django-sslserver

https://developers.google.com/identity/protocols/OAuth2