Research
Security News
Malicious npm Package Targets Solana Developers and Hijacks Funds
A malicious npm package targets Solana developers, rerouting funds in 2% of transactions to a hardcoded address.
Django Okta Auth is a library that acts as a client for the Okta OpenID Connect provider.
The library provides a set of views for login, logout and callback, an auth backend for authentication, a middleware for token verification in requests, and a decorator that can be selectively applied to individual views.
It's heavily influenced by okta-django-samples but there's a few fundamental changes and further implementation of things like refresh tokens which weren't initially implemented.
This project is in no way affiliated with Okta.
Install from PyPI:
pip install django-okta-auth
Add okta_oauth2.apps.OktaOauth2Config
to INSTALLED_APPS
:
INSTALLED_APPS = (
"...",
'okta_oauth2.apps.OktaOauth2Config',
"..."
)
You will need to install the authentication backend. This extends Django's default ModelBackend
which uses the configured database for user storage, but overrides the authenticate
method to accept the auth_code
returned by Okta's /authorize
API endpoint as documented here.
The Authentication Backend should be configured as so:
AUTHENTICATION_BACKENDS = ("okta_oauth2.backend.OktaBackend",)
You can use the middleware to check for valid tokens during ever refresh and automatically refresh tokens when they expire. By using the middleware you are defaulting to requiring authentication on all your views unless they have been marked as public in PUBLIC_NAMED_URLS
or PUBLIC_URLS
.
The order of middleware is important and the OktaMiddleware
must be below the SessionMiddleware
and AuthenticationMiddleware
to ensure that the session and the user are both on the request:
MIDDLEWARE = (
'django.middleware.security.SecurityMiddleware',
'django.contrib.sessions.middleware.SessionMiddleware',
'django.middleware.common.CommonMiddleware',
'django.middleware.csrf.CsrfViewMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'django.contrib.messages.middleware.MessageMiddleware',
'django.middleware.clickjacking.XFrameOptionsMiddleware',
'okta_oauth2.middleware.OktaMiddleware'
)
The alternative to using the middleware is to selectively apply the okta_oauth2.decorators.okta_login_required
decorator to views you wish to protect. When the view is accessed the decorator will check that valid tokens exist on the session, and if they don't then it will redirect to the login.
The decorator is applied to a view like so:
from okta_oauth2.decorators import okta_login_required
@okta_login_required
def decorated_view(request):
return HttpResponse("i am a protected view")
Add the django-okta-auth
views to your urls.py
. This will provide the login
, logout
and callback
views which are required by the login flows.
from django.urls import include, path
urlpatterns = [
path('accounts/', include(("okta_oauth2.urls", "okta_oauth2"), namespace="okta_oauth2")),
]
In the Okta admin console create your application with the following steps:
Create New App
Web
platformOpenID Connect
Sign on methodCreate
buttonhttp://localhost:8000/accounts/login/
Save
buttonAuthorization Code
and the Refresh Token
under Allowed grant types
.Client ID
and the Client secret
in the Client Credentials for use in the next section. It is important to note that the Client secret
is confidential and under no circumstances should be exposed publicly.Django Okta Auth settings should be specified in your django settings.py
as follows:
OKTA_AUTH = {
"ORG_URL": "https://your-org.okta.com/",
"ISSUER": "https://your-org.okta.com/oauth2/default",
"CLIENT_ID": "yourclientid",
"CLIENT_SECRET": "yourclientsecret",
"SCOPES": "openid profile email offline_access", # this is the default and can be omitted
"REDIRECT_URI": "http://localhost:8000/accounts/oauth2/callback",
"LOGIN_REDIRECT_URL": "/", # default
"CACHE_PREFIX": "okta", # default
"CACHE_ALIAS": "default", # default
"PUBLIC_NAMED_URLS": (), # default
"PUBLIC_URLS": (), # default
"USE_USERNAME": False, # default
}
The login view will render the okta_oauth2/login.html
template. It will be passed the following information in the config
template context variable:
{
"clientId": settings.OKTA_AUTH["CLIENT_ID"],
"url": settings.OKTA_AUTH["ORG_URL"],
"redirectUri": settings.OKTA_AUTH["REDIRECT_URI"],
"scope": settings.OKTA_AUTH["SCOPES"],
"issuer": settings.OKTA_AUTH["ISSUER"]
}
The easiest way to use this is to implement the Okta Sign-In Widget in your template.
A minimal template for the login could be:
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1.0" />
<script
src="https://global.oktacdn.com/okta-signin-widget/5.0.1/js/okta-sign-in.min.js"
type="text/javascript"
></script>
<link
href="https://global.oktacdn.com/okta-signin-widget/5.0.1/css/okta-sign-in.min.css"
type="text/css"
rel="stylesheet"
/>
</head>
<body>
<div id="okta-login-container"></div>
<script type="text/javascript">
var oktaSignIn = new OktaSignIn({
baseUrl: '{{config.url}}',
clientId: '{{config.clientId}}',
redirectUri: '{{config.redirectUri}}',
authParams: {
issuer: '{{config.issuer}}',
responseType: ['code'],
scopes: "{{config.scope}}".split(" "),
pkce: false,
},
});
oktaSignIn.renderEl(
{el: '#okta-login-container'},
function (res) {
console.log(res);
}
</script>
</body>
</html>
ORG_URL:
str. URL Okta provides for your organization account. This is the URL that you log in to for the admin panel, minus the -admin
. eg, if your admin URL is https://myorg-admin.okta.com/ then your ORG_URL
should be: https://myorg.okta.com/
ISSUER
str. This is the URL for your Authorization Server. If you're using the default authorization server then this will be: https://{ORG_URL}/oauth2/default
CLIENT_ID
str. The Client ID provided by your Okta Application.
CLIENT_SECRET
str. The Client Secret provided by your Okta Application.
SCOPES
str. The scopes requested from the OpenID Authorization server. At the very least this needs to be "openid profile email"
but if you want to use refresh tokens you will need "openid profile email offline_access"
. This is the default.
If you want Okta to manage your groups then you should also include groups
in your scopes.
REDIRECT_URI
str. This is the URL to the callback
view that the okta Sign-In Widget will redirect the browser to after the username and password have been authorized. If the directions in the urls.py
section of the documentation were followed and your django server is running on localhost:8000
then this will be: http://localhost:8000/accounts/callback/
LOGIN_REDIRECT_URL
str. This is the URL to redirect to from the callback
after a successful login. Defaults to /
.
CACHE_PREFIX
str. The application will utilise the django cache to store public keys requested from Okta in an effort to minimise network round-trips and speed up authorization. This setting will control the prefix for the cache keys. Defaults to okta
.
CACHE_ALIAS
str. Specify which django cache should be utilised for storing public keys. Defaults to default
.
PUBLIC_NAMED_URLS
List[str]. A list or tuple of URL names that should be accessible without tokens. If you add a URL in this setting the middleware won't check for tokens. Default is: []
PUBLIC_URLS
List[str]. A list or tuple of URL regular expressions that should be accessible without tokens. If you add a regex in this setting the middleware won't check matching paths for tokens. Default is []
.
SUPERUSER_GROUP
str. Members of this group will have the django is_superuser
user flags set.
STAFF_GROUP
str. Members of this group will have the django is_staff
user flags set.
MANAGE_GROUPS
bool. If true the authentication backend will manage django groups for you.
USE_USERNAME
bool. If true the authentication backend will lookup django users by username rather than email.
MIT License
Copyright (c) 2020 Matt Magin
Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
FAQs
Django Authentication for Okta OpenID
We found that django-okta-auth demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Research
Security News
A malicious npm package targets Solana developers, rerouting funds in 2% of transactions to a hardcoded address.
Security News
Research
Socket researchers have discovered malicious npm packages targeting crypto developers, stealing credentials and wallet data using spyware delivered through typosquats of popular cryptographic libraries.
Security News
Socket's package search now displays weekly downloads for npm packages, helping developers quickly assess popularity and make more informed decisions.