Commit aee7c4e1 authored by Art's avatar Art :lizard:
Remove AuthenticateRedirectView in favor of updated LogInView

parent b25245f4
......@@ -24,7 +24,7 @@
```python
LOGIN_URL = urls.reverse_lazy("sso-dev")
```
- If you want to debug `ssoauth` or need a fully functional SSO during development for some other reason, an example is below. For additional info reference production setup and `ssoauth/app_settings/defaults.py`. If you also want a working SLO during development you will need SSL for your localhost, `nginx` will be your best friend.
- If you want to debug `ssoauth` or need a fully functional SSO during development for some other reason, an example is below. For additional info see production setup chapter and `ssoauth.app_settings.defaults`. If you also want a working SLO during development you will need SSL for your localhost, `nginx` will be your best friend.
```python
""" settings/dev.py """
......@@ -46,6 +46,17 @@ SP_FORCE_ENTITY_ID = "dev-id-{0}-{1}".format(socket.gethostname(), os.path.dirna
LOGIN_URL = urls.reverse_lazy("sso-dev") # it's "sso-login" for prod
```
#### Overriding Log In in Other Apps
There are some apps like `django.contrib.admin` or `wagtail` that will simply ignore `LOGIN_URL` and use their own log in page. If this behavior is undesirable and you would prefer using `ssoauth` instead:
- find out the login page of that app (let's assume it's `admin/login`)
- in `urls.py`, before including URLs for that app, include this view:
```python3
path("admin/login", ssoauth.views.LogInView(already_authenticated_403=True)),
```
Optional argument `already_authenticated_403=True` is used to avoid redirect loops caused by `django.contrib.admin`.
Instead of it you can also use `already_authenticated_redirect="url-name"`.
#### Regarding Logging Out
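Review bot: the URL example `path("admin/login", ssoauth.views.LogInView(already_authenticated_403=True))` instantiates the class-based view directly, but `path()` needs a view callable; it should read `ssoauth.views.LogInView.as_view(already_authenticated_403=True)`, which is exactly the form the view's own docstring in this commit shows. Two more points for the same section: `django.contrib.admin` serves its login page at `admin/login/` with a trailing slash and `path()` matches the route literally, so `"admin/login"` will never shadow it (use `"admin/login/"`, and for wagtail its own login route), and the text should say what the override changes for the user: someone who is authenticated but not `is_staff` now receives a 403 instead of being bounced to the admin form, which is the loop the `already_authenticated_403` flag exists to break.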
......@@ -61,7 +72,7 @@ After logging out locally, user will be redirected to one of the following (with
Currently only IdP-initiated SLO is supported by this app. The only supported binding type is HTTP-Redirect due to the limitations of the underlying library used.
For SLO with HTTP-Redirect to work, the SLS page must be included as `<iframe>`. Your server and/or browser might restrict such behavior. Start with setting `SP_SLS_X_FRAME_OPTIONS` (see the `ssoauth` default settings file).
For SLO with HTTP-Redirect to work, the SLS page must be included as `<iframe>`. Your server and/or browser might restrict such behavior. Start with setting `SP_SLS_X_FRAME_OPTIONS` (check `ssoauth.app_settings.defaults`).
If you have `nginx` serving pages to users, you might need to configure `x-frame-options` for the SLS view (Only the SLS view, nowhere else!). Additionally you might need to configure CSP on the web server on the IdP side. Anyways it will most likely be a lot of [fun](https://duckduckgo.com/?q=dwarf+fortress+fun) for you.
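Review bot: "start with setting `SP_SLS_X_FRAME_OPTIONS`" should say what a safe value is, because relaxing that header makes the SLS endpoint frameable by any origin. `X-Frame-Options` has no per-origin allow-list that current browsers honor (`ALLOW-FROM` is unsupported), so the restriction belongs in `Content-Security-Policy: frame-ancestors <IdP origin>` on the SLS response rather than in dropping the header; the following paragraph already insists on "only the SLS view, nowhere else", and the same scoping should be stated here. On the IdP side the relevant CSP directive is `frame-src` permitting the SP origin, which is worth naming so readers do not add the wrong directive.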
......@@ -74,7 +85,7 @@ To receive groups over SSO you need a group mapping (and of course a properly co
#### Production Settings
_(Disclaimer: this example might be incomplete. Reference the `ssoauth` default settings file.)_
This example might be incomplete. See `ssoauth.app_settings.defaults` for additional info
```python
""" settings/prod.py """
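Review bot: the replacement sentence "See `ssoauth.app_settings.defaults` for additional info" lost its terminal period; otherwise this matches the module-path convention adopted in the other doc hunks.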
......@@ -17,6 +17,8 @@ from . import app_settings
from . import auth_utils
from onelogin.saml2.auth import OneLogin_Saml2_Auth
from collections import OrderedDict
from django.utils import timezone
from datetime import timedelta
ATTRIBUTE_MAPPING = dict(
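Review bot: the new `django.utils.timezone` and `datetime.timedelta` imports are appended after the third-party `onelogin` import, mixing standard-library, third-party and local imports; grouping `from datetime import timedelta` with the other standard-library imports (and the Django import with the Django ones) keeps the header readable as the file grows.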
......@@ -60,8 +62,27 @@ class SAMLMixin:
@method_decorator(never_cache, "dispatch")
class LogInView(SAMLMixin, View):
"""
This view initiates SSO log in.
To change behavior for already logged in users, you can use:
- LogInView.as_view(already_authenticated_403=True)
- LogInView.as_view(already_authenticated_redirect="some-url-name")
"""
already_authenticated_403 = False # e.g. admin redirects to login when insufficient permissions
already_authenticated_redirect = None
def get(self, request, *args, **kwargs):
if request.user.is_authenticated:
if self.already_authenticated_403:
return exceptions.PermissionDenied()
if self.already_authenticated_redirect:
return http.HttpResponseRedirect(urls.reverse(self.already_authenticated_redirect))
if request.user.last_login > timezone.now() - timedelta(seconds=20):
# possible redirect loop (e.g. django.contrib.admin causes them)
logger.error("{u} is logging in too often (avoiding redirect loops)".format(u=request.user))
raise exceptions.PermissionDenied()
# logging in
auth = self.get_onelogin_auth(request)
login = auth.login(return_to=self.get_next_url(request))
return http.HttpResponseRedirect(login)
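Review bot: `return exceptions.PermissionDenied()` in the `already_authenticated_403` branch returns the exception instance instead of raising it, so the view hands Django a non-`HttpResponse` object and the request ends in a 500, not the intended 403; it should be `raise exceptions.PermissionDenied()` as in the loop-guard branch a few lines down. The loop guard itself, `request.user.last_login > timezone.now() - timedelta(seconds=20)`, will raise `TypeError` when `last_login` is `None` (accounts logged in through a path that does not fire `user_logged_in`, or a custom user model without the field), so guard it with `if request.user.last_login and ...`. Finally, the hard-coded 20-second window also catches legitimate revisits of `LOGIN_URL` shortly after logging in (a `?next=` chain passing through protected views) and logs them at `error`; making the window an `app_settings` value and logging at `warning` would keep real loops visible without paging anyone for a benign double-click.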
......@@ -108,6 +129,7 @@ class LoggedOutLocallyView(TemplateView):
context["THIS_SITE"] = get_current_site(self.request)
return context
class IdpLogoutRedirectView(RedirectView):
def get_redirect_url(self, *args, **kwargs):
......@@ -238,33 +260,6 @@ class MetadataView(SAMLMixin, View):
return http.HttpResponse(content_type="text/xml", content=meta)
class AuthenticateRedirectView(RedirectView):
"""
There are problems with apps like django.contrib.admin or wagtail because
these apps stubbornly redirect to their own log in pages. Override their
log in pages with this view in urls.py of your project.
- Works as RedirectView for unauthenticated users
- Redirects authenticated users to authenticated_url (or 403 if not set)
Usage: AuthenticateRedirectView.as_view() # optional kwargs are below
"""
url = conf.settings.LOGIN_URL
query_string = True
permanent = False
authenticated_url = None
def get_redirect_url(self, *args, **kwargs):
user = self.request.user
if user.is_authenticated:
if self.authenticated_url:
return http.HttpResponseRedirect(self.authenticated_url)
else:
msg = "Already authenticated as {u}. Most likely insufficient permissions.".format(u=user)
logger.warning(msg)
raise exceptions.PermissionDenied(msg)
else:
return super().get_redirect_url(*args, **kwargs)
class DevView(FormView):
class DevForm(forms.Form):
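Review bot: deleting `AuthenticateRedirectView` outright breaks any project `urls.py` that still references it; since the commit message presents `LogInView` as the replacement, either a changelog line in the README or a thin deprecated alias that warns and delegates to `LogInView.as_view(already_authenticated_403=True)` would ease migration. One behavioral difference to confirm: the removed view set `query_string = True`, so the admin's `?next=` parameter was forwarded to `LOGIN_URL` and reached the SSO flow; the new `LogInView` relies on `self.get_next_url(request)` instead, and unless that helper reads the same parameter users will land on the default page after SSO rather than the admin page they asked for. (The removed `get_redirect_url` returned an `HttpResponseRedirect` where `RedirectView` expects a URL string, so its authenticated branch was already broken and nothing is lost there.)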