Simplifying third-party authentication for web applications.

Overview

Velruse is a set of authentication routines that provide a unified way to have a website user authenticate to a variety of different identity providers and/or a variety of different authentication schemes.

It is similar in some ways to RPXnow with the exception of being open-source, locally installable, and easily pluggable for custom identity providers and authentication schemes.

You can run Velruse as a stand-alone service for use with your websites regardless of the language they're written in: while Velruse itself is written in Python, it interacts with your website purely via HTTP POSTs.

Velruse can:

  • Normalize identity information from varying provider sources (OpenID, Google, Facebook, etc.) to Portable Contacts.
  • Simplify complex authentication protocols by providing a simple consistent API.
  • Provide extension points for other authentication systems: write your own auth provider to handle CAS, LDAP, etc. and use it with ease.
  • Integrate with most web applications regardless of the language used to write the website.

Overview

Velruse aims to simplify authenticating a user. It provides auth providers that handle authenticating to a variety of identity providers with multiple authentication schemes (LDAP, SAML, etc.).

Eventually, Velruse will include widgets similar to RPXNow that allow one to customize a login/registration widget so that a website user can select a preferred identity provider to use to sign-in.

In the meantime, effort is focused on increasing the available auth providers for the commonly used authentication schemes and identity providers (Facebook, Google, OpenID, etc.).

Unlike other authentication libraries for use with web applications, a website using Velruse for authentication does not have to be written in any particular language.

API

Velruse implements an API similar to RPXNow to standardize the way a web application handles user authentication.

Velruse Authentication flow

  1. The website sends a POST to the auth provider's URL with an endpoint that the user should be redirected back to when authentication is complete, and includes any additional parameters that the auth provider requires.
  2. When the auth provider finishes the authentication, the user is redirected back to the specified endpoint with a POST, which includes a unique token.
  3. The website then queries the UserStore using the token that was provided. The user's identity information will be returned, or an error if the authentication was unsuccessful.

If the website is unable to directly access the UserStore, then Step 3 can be replaced by issuing an HTTP POST in the background to the auth provider requesting the user's information with the token.
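A minimal model of the three-step flow above, as an added example that is not Velruse's own code: the UserStore, its single-use expiring tokens, and the function names are assumptions for illustration. It shows why the token lookup in Step 3 should succeed exactly once, so a replayed callback cannot recover the identity.

```python
import json
import secrets
import time


class UserStore:
    """Constructed stand-in for Velruse's UserStore: token -> identity,
    short-lived and single use (both properties are assumptions here)."""

    def __init__(self, ttl=300, clock=time.time):
        self._items = {}
        self.ttl = ttl
        self.clock = clock  # injectable so expiry can be exercised in tests

    def store(self, profile):
        # 256 bits of randomness: the token is the only thing tying the
        # redirected browser to the authenticated identity.
        token = secrets.token_urlsafe(32)
        self._items[token] = (self.clock() + self.ttl, json.dumps(profile))
        return token

    def retrieve(self, token):
        # pop(): a token can be redeemed once, so a replayed callback fails
        entry = self._items.pop(token, None)
        if entry is None:
            return {'status': 'fail', 'reason': 'unknown or already used token'}
        expires_at, payload = entry
        if self.clock() > expires_at:
            return {'status': 'fail', 'reason': 'token expired'}
        return {'status': 'ok', 'profile': json.loads(payload)}


def provider_complete(store, profile, end_point):
    """Step 2: the auth provider stores the normalized (Portable Contacts
    style) profile and redirects the user to end_point with a POSTed token."""
    token = store.store(profile)
    return {'url': end_point, 'method': 'POST', 'form': {'token': token}}


def website_endpoint(store, form):
    """Step 3: the website receives the POSTed token and queries the UserStore."""
    token = form.get('token')
    if not token:
        return {'status': 'fail', 'reason': 'missing token'}
    return store.retrieve(token)


def run_flow(clock=time.time):
    """Walks Steps 1-3 once, then replays the callback to show it is rejected."""
    store = UserStore(ttl=300, clock=clock)
    # Step 1 (constructed): the website has POSTed to the provider naming the
    # endpoint it wants the user sent back to.
    end_point = 'https://example.test/auth/complete'
    profile = {'displayName': 'Jane Doe',
               'accounts': [{'domain': 'example.test', 'userid': 'constructed-123'}]}
    redirect = provider_complete(store, profile, end_point)
    first = website_endpoint(store, redirect['form'])
    replay = website_endpoint(store, redirect['form'])
    return first, replay
```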

Comments
  • Add Google OAuth 2.0 provider

    Add Google OAuth 2.0 provider

    Since Google OAuth 1.0 is deprecated (see https://developers.google.com/accounts/docs/OAuth), velruse would benefit from an OAuth 2.0 implementation for Google (https://developers.google.com/accounts/docs/OAuth2). It is also much easier to implement and maintain than the OpenID + OAuth hybrid.

    I have written a provider called "google2" in my branch (https://github.com/naktinis/velruse/commit/7c75a1c01e68d64b218d83cbfa29df7994ce9371) if it would be of any help. I can create a pull request, or simply leave it to you as a working example.

    feature request 
    opened by naktinis 14
  • AttributeError: add_github_login_from_settings

    AttributeError: add_github_login_from_settings

    I installed the current state of velruse, including https://github.com/bbangert/velruse/pull/70, wanted to try the example pyramid app (i.e. pserve example.ini, with a github provider set up in example.ini) and got the following error below. It seems the config.include behavior doesn't work for me, but I cannot figure out why. Can someone help?

    File "/home/jasper/Projects/velruse-tut/env/local/lib/python2.7/site-packages/paste/deploy/util.py", line 56, in fix_call
        val = callable(*args, **kw)
    File "/home/jasper/Projects/velruse-tut/env/local/lib/python2.7/site-packages/myapp/__init__.py", line 72, in main
        config.add_github_login_from_settings(prefix='github.')
    File "/home/jasper/Projects/velruse-tut/env/local/lib/python2.7/site-packages/pyramid/config/__init__.py", line 775, in __getattr__
        raise AttributeError(name)
    AttributeError: add_github_login_from_settings

    pip freeze:

    Beaker==1.6.3
    Chameleon==2.9.0
    Mako==0.7.0
    MarkupSafe==0.15
    PasteDeploy==1.5.0
    PyYAML==3.10
    Routes==1.13
    WebOb==1.2
    anykeystore==0.2
    certifi==0.0.8
    chardet==1.0.1
    distribute==0.6.19
    httplib2==0.7.4
    nose==1.1.2
    oauth2==1.5.211
    oauthlib==0.1.3
    pyasn1==0.1.3
    pyramid==1.3.2
    python-openid==2.2.5
    repoze.lru==0.5
    requests==0.13.0
    rsa==3.0.1
    translationstring==1.1
    venusian==1.0a6
    wsgiref==0.1.2
    zope.deprecation==4.0.0
    zope.interface==4.0.1

    opened by ilogue 8
  • Get email from linkedin and make routes consistent with other providers

    Get email from linkedin and make routes consistent with other providers

    Hi,

    I was wondering if you could configure the email to be returned from linkedin and also make the route consistent.

    Following is a diff of the requested changes.

    Thanks!

    diff --git a/providers/linkedin.py b/providers/linkedin.py
    index 17c69d5..ce9915b 100644
    --- a/providers/linkedin.py
    +++ b/providers/linkedin.py
    @@ -44,8 +44,8 @@ def add_linkedin_login_from_settings(config, prefix='velruse.linkedin.'):
     def add_linkedin_login(config,
                            consumer_key,
                            consumer_secret,
    -                       login_path='/linkedin/login',
    -                       callback_path='/linkedin/login/callback',
    +                       login_path='/login/linkedin',
    +                       callback_path='/login/linkedin/callback',
                            name='linkedin'):
         """
         Add a Last.fm login provider to the application.
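    Review bot: the docstring in this hunk still reads "Add a Last.fm login provider to the application." although this is the LinkedIn provider; please fix it while touching these lines. Also, changing the defaults `login_path='/login/linkedin'` and `callback_path='/login/linkedin/callback'` silently moves the callback URL for every deployment that relied on the old defaults, and the callback URL registered with LinkedIn for the consumer key will then no longer match; call this out as a breaking change in the changelog or keep the old values as the defaults.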
    @@ -129,7 +129,7 @@ class LinkedInProvider(object):
                                 secret=cred['oauthAccessTokenSecret'])
             client = oauth.Client(consumer, token)
             profile_url = 'http://api.linkedin.com/v1/people/~'
    -        profile_url += ':(first-name,last-name,id,date-of-birth,picture-url)'
    +        profile_url += ':(first-name,last-name,id,date-of-birth,picture-url,email-address)'
             profile_url += '?format=json'
             resp, content = client.request(profile_url)
    
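    Review bot: with `email-address` added to the field list, the profile request now carries a personal email address, yet `profile_url = 'http://api.linkedin.com/v1/people/~'` is plain http; it should be https so the OAuth-signed request and the returned address are not exposed in transit. Please also confirm the consumer has been granted whatever email permission LinkedIn requires, since otherwise the field will simply be absent from the response.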
    @@ -139,8 +139,8 @@ class LinkedInProvider(object):
    
             # Setup the normalized contact info
             profile = {}
             profile['displayName'] = data['firstName'] + data['lastName']
    +        profile['verifiedEmail'] = data['emailAddress']
             profile['name'] = {
                 'givenName': data['firstName'],
                 'familyName': data['lastName'],
    
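    Review bot: `profile['verifiedEmail'] = data['emailAddress']` raises KeyError when the response carries no email address (permission not granted, or a member with no address), which would break login for those users; use `data.get('emailAddress')` and only set the key when present. Separately, nothing in the hunk establishes that LinkedIn returns a verified address, and downstream account linking may trust `verifiedEmail` as such; consider storing it under a plain email field unless verification is confirmed.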
    opened by marcolarosa 6
  • Raise HTTP error code instead of raising exception when csrf fails

    Raise HTTP error code instead of raising exception when csrf fails

    If something goes wrong and csrf fails (which is not always in case of fraud), it would be much friendlier to raise a Bad Request 400 error instead of a Python exception that results in a 500.

    opened by domenkozar 6
  • Fix python3 compatibility

    Fix python3 compatibility

    This branch fixes compatibility issues with python3 related to the usage of binaries instead of strings and also incorrect import for urlencode.

    I was not able to fully test these changes against python2, and could not test all the affected providers. The only ones I tried were Facebook, Twitter and GoogleOAuth2.

    opened by asabil 5
  • Allow openid to run in stateless mode

    Allow openid to run in stateless mode

    If we pass 'storage=None' to an openid provider, it should run the python openid consumer in stateless mode.

    With the default options I was unable to run multiple wsgi workers and do openid auth because it was using a MemoryStore that was not shared among the workers. In order to run in stateless mode, you have to pass 'store=None' to the openid consumer, but the current OpenID provider was preventing that.

    MemoryStore is still the default value for storage, but now if you explicitly pass 'storage=None' it will run in stateless mode.

    opened by stevearc 5
  • Pull requests from kiorky/mobyle2, WTF.

    Pull requests from kiorky/mobyle2, WTF.

    I have done a lot of work on velruse and split my last pull request into small chunks. Feel free to speak with me on irc (kiorky on #pyramid (freenode)).

    Those pull requests must be assembled in a logical and dependent order:

    • documentation https://github.com/bbangert/velruse/pull/44
    • [MERGED] includeme_convention https://github.com/bbangert/velruse/pull/45
      • providers_hook https://github.com/bbangert/velruse/pull/53
        • introspectable_configuration https://github.com/bbangert/velruse/pull/47
          • introspectable_providers https://github.com/bbangert/velruse/pull/48
    • openid_autoconfiguration https://github.com/bbangert/velruse/pull/46
      • contextual_endpoint https://github.com/bbangert/velruse/pull/51
        • ldap_provider https://github.com/bbangert/velruse/pull/50
    • introspectable_configuration / ldap_provider
      • introspectable_ldap_provider https://github.com/bbangert/velruse/pull/49
    opened by kiorky 5
  • Odd info stored with Google auth against local server

    Odd info stored with Google auth against local server

    So, my html form looks like this:


    server2 is only locally accessible.

    Authentication appears to work, but the information returned when the token is looked up in the velruse store comes back as:

    {'status': 'fail', 'reason': {'code': 0, 'description': 'Missing parameter'}}

    ...which isn't very helpful :-S

    What's happening here and how can we make this information more useful?

    opened by cjw296 5
  • Yahoo problem when oauth is true

    Yahoo problem when oauth is true

    Okay, same YAML config:

    Store:
        Type: velruse.store.memstore:MemoryStore

    OpenID:
        Realm: http://http://pythonjobs.chrisw.info/
        Endpoint Regex: http://http://pythonjobs.chrisw.info/loggedin

    Yahoo: true

    OpenID Store:
        Type: openid.store.memstore:MemoryStore

    html form submission is:

    I get:

    File "/home/chris/buildout-eggs/Beaker-1.5.4-py2.6.egg/beaker/middleware.py", line 152, in __call__
        return self.wrap_app(environ, session_start_response)
    File "/home/chris/velruse/velruse/app.py", line 198, in __call__
        return self.configprovider(environ, start_response)
    File "/home/chris/velruse/velruse/utils.py", line 109, in __call__
        return getattr(self, action)(req, **kwargs)
    File "/home/chris/velruse/velruse/providers/openidconsumer.py", line 276, in login
        self._update_authrequest(req, authrequest)
    File "/home/chris/velruse/velruse/providers/yahoo.py", line 68, in _update_authrequest
        authrequest.addExtension(oauth_request)
    File "/home/chris/buildout-eggs/python_openid-2.2.5-py2.6.egg/openid/consumer/consumer.py", line 1493, in addExtension
        extension_request.toMessage(self.message)
    File "/home/chris/buildout-eggs/python_openid-2.2.5-py2.6.egg/openid/extension.py", line 45, in toMessage
        message.updateArgs(self.ns_uri, self.getExtensionArgs())
    File "/home/chris/buildout-eggs/python_openid-2.2.5-py2.6.egg/openid/message.py", line 471, in updateArgs
        self.setArg(namespace, k, v)
    File "/home/chris/buildout-eggs/python_openid-2.2.5-py2.6.egg/openid/message.py", line 476, in setArg
        assert value is not None
    AssertionError

    ...from:

    http://pythonjobs.chrisw.info/velruse/yahoo/auth

    What am I doing wrong?

    opened by cjw296 5
  • load more data from twitter (and photo from linkedin)

    load more data from twitter (and photo from linkedin)

    Twitter (and linkedin) providers can load more user data.

    I'm still keeping the Portable Contacts format. For Twitter, I need to perform another call to the Twitter remote service.

    opened by keul 4
  • Login breaks with Pyramid 1.2

    Login breaks with Pyramid 1.2

    Login breaks with Pyramid 1.2. It appears that Pyramid expects the provider login view method to have a different number of arguments. Which version of Pyramid did you test your examples against?

    File "<...>/pyramid-1.2-py2.6.egg/pyramid/config/views.py", line 319, in viewresult_to_response
        result = view(context, request)
    TypeError: login() takes exactly 2 arguments (3 given)
    
    opened by naktinis 4
  • Live OAuth URLs have changed.

    Live OAuth URLs have changed.

    The two URLs used here

    https://github.com/bbangert/velruse/blob/7027acc43df77331d34014fdbb796ee5c54c8d5e/velruse/providers/live.py#L78

    and

    https://github.com/bbangert/velruse/blob/7027acc43df77331d34014fdbb796ee5c54c8d5e/velruse/providers/live.py#L98

    should be replaced with https://login.live.com/oauth20_authorize.srf and https://login.live.com/oauth20_token.srf, respectively.

    opened by jenstroeger 0
  • FB Oauth2 URL has changed

    FB Oauth2 URL has changed

    FB URL has changed to https://www.facebook.com/v3.0/dialog/oauth

    This URL must be changed at providers/facebook.py#L83: https://github.com/bbangert/velruse/blob/master/velruse/providers/facebook.py#L83

    You may also need to add all possible "Valid OAuth Redirect URIs" to: https://developers.facebook.com/apps/YOUR_APP_ID/fb-login/settings/

    https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow/

    opened by katzlbt 1
  • Fixes in auth_complete_view

    Fixes in auth_complete_view

    This adds to auth_complete_view:

    • Python 3 compatibility fix with ord
    • Use secrets builtin from Python 3.6 if available
    • Use pyramid.session.SignedCookieSessionFactory if available
    opened by Preston-Landers 0
  • Facebook Login is broken: KeyError: 'access_token'

    Facebook Login is broken: KeyError: 'access_token'

    facebook.py crashes:

    File "distlib/velruse/providers/facebook.py", line 121, in callback
        access_token = dict(parse_qsl(r.text))['access_token']
    KeyError: 'access_token'

    Facebook Graph API v2.2 ENDS 27 March, 2017

    Graph API v2.2 which will reach the end of its 2-year lifetime on 27 March, 2017. To ensure a smooth transition, please migrate all calls to Graph API v2.3 or higher.

    To check if your app will be affected by this upgrade you can use the Version Upgrade Tool. This will show you which calls, if any, are affected by this change as well as any replacement calls in newer versions. If you do not see any calls, your app may not be affected by this change.

    You can also use our changelog to see the full list of changes in all Graph API versions.

    You can view this and other Developer Notifications related to your app, in the App Dashboard.

    opened by katzlbt 4
  • Update Facebook provider because they now return JSON for the access_token

    Update Facebook provider because they now return JSON for the access_token

    From their changelog:

    [Oauth Access Token] Format - The response format of https://www.facebook.com/v2.3/oauth/access_token returned when you exchange a code for an access_token now return valid JSON instead of being URL encoded. The new format of this response is {"access_token": {TOKEN}, "token_type":{TYPE}, "expires_in":{TIME}}. We made this update to be compliant with section 5.1 of RFC 6749.

    Otherwise the Facebook provider is now broken since they stopped supporting the old way.

    opened by antoineleclair 2