django-centralauth¶
django-centralauth solves the problem of managing user access and permissions from multiple projects in one central place.
Features¶
Based on the OAuth2 standard.
Provider app to set up your own user-management application.
Client app that delegates authentication and permission management to the provider.
Requirements¶
django-centralauth supports Python 3 only and requires Django 2.2 or newer (see the changelog) and django-oauth-toolkit.
Prepare for development¶
$ poetry install
Now you’re ready to run the tests:
$ poetry run py.test
Installation¶
Install with pip:
pip install django-centralauth
Provider side¶
You need to update some of your Django settings.
Your INSTALLED_APPS setting:
INSTALLED_APPS = (
    # ...
    'oauth2_provider',
    'centralauth.provider',
)
Your MIDDLEWARE setting:
MIDDLEWARE = [
    'oauth2_provider.middleware.OAuth2TokenMiddleware',
    # ...
]
Your AUTHENTICATION_BACKENDS setting:
AUTHENTICATION_BACKENDS = (
    'oauth2_provider.backends.OAuth2Backend',
    # ...
)
Add the following settings in addition:
OAUTH2_PROVIDER_ACCESS_TOKEN_MODEL = 'oauth2_provider.AccessToken'
OAUTH2_PROVIDER_APPLICATION_MODEL = 'provider.Application'
Configure the OAuth2 provider backend class:
OAUTH2_PROVIDER = {
    'OAUTH2_BACKEND_CLASS': 'centralauth.provider.oauth2_backends.CentralauthOAuthBackend',
}
If you want client access to be re-validated more often (for example so that permission changes made on the provider take effect sooner), reduce the lifetime of the generated access tokens:
OAUTH2_PROVIDER = {
# ...
'ACCESS_TOKEN_EXPIRE_SECONDS': 5 * 60,
}
After updating your settings, add the centralauth.provider URLs to your URL configuration:
from django.urls import include, path

urlpatterns = [
    # ...
    path('provider/', include('centralauth.provider.urls')),
]
Note
Make sure that you configure a sane LOGIN_URL. django-oauth-toolkit will redirect users to this URL to ensure the requesting user is logged in.
Client side¶
You need to update some of your Django settings.
Your INSTALLED_APPS setting:
INSTALLED_APPS = (
    # ...
    'centralauth.client',
)
Your AUTHENTICATION_BACKENDS setting:
# Disable regular logins using local users and enforce centralauth logins.
AUTHENTICATION_BACKENDS = (
    'centralauth.client.backends.OAuthBackend',
)
Note the trailing comma: without it the setting is a plain string rather than a one-element tuple, and Django will try to import each character of it as a backend.
Add the following settings in addition:
# The full URI to the provider side URLs.
CENTRALAUTH_PROVIDER_URL = 'http://localhost:8000/provider'
# The application credentials generated on the provider side using the Django admin.
CENTRALAUTH_CLIENT_ID = 'ADD-YOUR-CLIENT-ID'
CENTRALAUTH_CLIENT_SECRET = 'ADD-YOUR-CLIENT-SECRET'
Outside local development the provider URL should use https (authorization codes and tokens travel over it), and the client secret should be read from the environment or a secrets store rather than committed with the settings module.
After updating your settings, add the centralauth.client URLs to your URL configuration:
from django.urls import include, path

urlpatterns = [
    # ...
    path('centralauth/', include('centralauth.client.urls')),
]
Note
Centralauth provides an option to hijack the admin login interface to make sure that users go through the Centralauth OAuth login flow. Set CENTRALAUTH_CUSTOM_LOGIN_TEMPLATE to True, or to the Django template path of your own custom template.
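The provider and client settings above are easy to get subtly wrong (a missing comma, an http provider URL left over from development, placeholder credentials). The following checker is an added example, not part of django-centralauth: it runs without Django by taking the settings module's namespace as a plain dict, and its rule names, thresholds and wording are this example's own. The dotted backend paths and setting names are the ones documented above; the 36000-second default is django-oauth-toolkit's ACCESS_TOKEN_EXPIRE_SECONDS default.

```python
"""Sanity checks for django-centralauth settings (added example, not project
code). Pass the settings as a dict, e.g. vars(settings) from a Django shell."""
from urllib.parse import urlparse

CLIENT_BACKEND = "centralauth.client.backends.OAuthBackend"
PROVIDER_BACKEND = "oauth2_provider.backends.OAuth2Backend"
CENTRALAUTH_OAUTH_BACKEND = (
    "centralauth.provider.oauth2_backends.CentralauthOAuthBackend")
PLACEHOLDERS = {"", "ADD-YOUR-CLIENT-ID", "ADD-YOUR-CLIENT-SECRET"}
DOT_DEFAULT_TTL = 36000  # django-oauth-toolkit default ACCESS_TOKEN_EXPIRE_SECONDS


def check_centralauth_settings(settings: dict) -> list:
    """Return a list of findings; an empty list means nothing to fix."""
    findings = []
    debug = settings.get("DEBUG", False)
    backends = settings.get("AUTHENTICATION_BACKENDS", ())
    # A one-element tuple written without its trailing comma is a plain str;
    # Django would iterate it character by character and fail to import "c".
    if isinstance(backends, str):
        findings.append("AUTHENTICATION_BACKENDS is a str, not a tuple/list "
                        "(missing trailing comma)")
        backends = (backends,)

    if CLIENT_BACKEND in backends:          # client side
        url = settings.get("CENTRALAUTH_PROVIDER_URL", "")
        scheme = urlparse(url).scheme
        if scheme != "https" and not debug:
            findings.append(f"CENTRALAUTH_PROVIDER_URL scheme is {scheme!r}: "
                            "authorization codes and tokens would cross the "
                            "network unencrypted")
        for key in ("CENTRALAUTH_CLIENT_ID", "CENTRALAUTH_CLIENT_SECRET"):
            if settings.get(key, "") in PLACEHOLDERS:
                findings.append(f"{key} is unset or still the placeholder")
        others = [b for b in backends if b != CLIENT_BACKEND]
        if others:
            findings.append(f"local logins are still possible through {others}; "
                            "the docs expect only the centralauth backend on "
                            "the client")

    if PROVIDER_BACKEND in backends:        # provider side
        provider = settings.get("OAUTH2_PROVIDER", {})
        if provider.get("OAUTH2_BACKEND_CLASS") != CENTRALAUTH_OAUTH_BACKEND:
            findings.append("OAUTH2_PROVIDER['OAUTH2_BACKEND_CLASS'] is not "
                            "the centralauth backend")
        ttl = provider.get("ACCESS_TOKEN_EXPIRE_SECONDS", DOT_DEFAULT_TTL)
        if ttl > 3600:  # threshold chosen for this example
            findings.append(f"ACCESS_TOKEN_EXPIRE_SECONDS={ttl}: a permission "
                            "revoked on the provider stays usable on clients "
                            "until the token expires")
    return findings


# Constructed samples. WEAK_CLIENT is the client block from the docs as written
# (note the missing comma in AUTHENTICATION_BACKENDS); HARDENED_CLIENT fixes it.
WEAK_CLIENT = {
    "DEBUG": False,
    "AUTHENTICATION_BACKENDS": ("centralauth.client.backends.OAuthBackend"),
    "CENTRALAUTH_PROVIDER_URL": "http://localhost:8000/provider",
    "CENTRALAUTH_CLIENT_ID": "ADD-YOUR-CLIENT-ID",
    "CENTRALAUTH_CLIENT_SECRET": "ADD-YOUR-CLIENT-SECRET",
}
HARDENED_CLIENT = {
    "DEBUG": False,
    "AUTHENTICATION_BACKENDS": ("centralauth.client.backends.OAuthBackend",),
    "CENTRALAUTH_PROVIDER_URL": "https://auth.example.com/provider",
    "CENTRALAUTH_CLIENT_ID": "example-client-id",          # read from env in practice
    "CENTRALAUTH_CLIENT_SECRET": "example-client-secret",  # never commit the real one
}
PROVIDER = {
    "AUTHENTICATION_BACKENDS": (PROVIDER_BACKEND,
                                "django.contrib.auth.backends.ModelBackend"),
    "OAUTH2_PROVIDER": {"OAUTH2_BACKEND_CLASS": CENTRALAUTH_OAUTH_BACKEND,
                        "ACCESS_TOKEN_EXPIRE_SECONDS": 5 * 60},
}

if __name__ == "__main__":
    for name, cfg in (("weak client", WEAK_CLIENT),
                      ("hardened client", HARDENED_CLIENT),
                      ("provider", PROVIDER)):
        print(name, check_centralauth_settings(cfg) or "ok")
```

In a real project the same rules fit naturally into a Django system check (django.core.checks) so that `manage.py check` fails before the application starts with a placeholder secret or a plaintext provider URL.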
Changelog¶
2.0.0 (2021-05-04)¶
Add support for Python 3.7, 3.8 and 3.9
Add support for Django 3
Drop support for Python 2
Drop support for Django older than 2.2
1.2.0 (2019-02-22)¶
django-centralauth now depends on requests-oauthlib >= 1.2.0 and therefore oauthlib >= 3.0
Fixed some race conditions in middleware (when tokens are refreshed twice)
1.1.2 (2019-02-12)¶
Fix bug in get_or_create of permission sync api endpoint
1.1.1 (2019-01-10)¶
Fix permissions sync - remove deleted permissions
1.1.0 (2018-11-26)¶
Improve permission updates on user sync (don’t use clear, just merge source and target set)
1.0.0 (2018-11-22)¶
Initial release of django-centralauth
API Reference¶
centralauth package¶
Subpackages¶
centralauth.client package¶
- centralauth.client.services.serialize_perm(perm)[source]¶
Serialize given permission object.
- Returns
keys: app_label, codename, repr.
- class centralauth.client.views.LoginView(**kwargs)[source]¶
Bases:
django.views.generic.base.View
Request authorization code from provider.
Set next url in session. Build authorization code request and redirect to provider server.
- class centralauth.client.views.CallbackView(**kwargs)[source]¶
Bases:
django.views.generic.base.View
Exchange authorization code for access token and authenticate user.
Authenticate user with access token. Redirect to next_url or admin page.
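LoginView and CallbackView are the two legs of an OAuth2 authorization-code flow. The following is an added example that models that round trip; it is not django-centralauth's own code. Django, the session store, the HTTP layer and the provider are replaced by dicts and functions so it runs offline. The endpoint paths, parameter names, the `state` parameter bound to the session and the same-origin check on `next` are this example's assumptions (standard hardening for this flow), not behaviour the page documents for the project.

```python
"""Model of the authorization-code round trip between a client's LoginView /
CallbackView and the provider (added example, not project code)."""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

PROVIDER_URL = "https://auth.example.com/provider"              # cf. CENTRALAUTH_PROVIDER_URL
REDIRECT_URI = "https://app.example.com/centralauth/callback/"  # assumed callback path
CLIENT_ID, CLIENT_SECRET = "example-client-id", "example-client-secret"  # constructed


def safe_next(next_url: str, default: str = "/admin/") -> str:
    """Only a local path may be stored as `next`; anything with a scheme or
    host would turn the callback into an open redirect."""
    parts = urlparse(next_url)
    if next_url.startswith("/") and not next_url.startswith("//") \
            and not parts.scheme and not parts.netloc:
        return next_url
    return default


def login_view(session: dict, next_url: str) -> str:
    """LoginView: store the next url, bind a fresh random state to the
    session, and return the provider authorize URL to redirect to."""
    session["centralauth_next"] = safe_next(next_url)
    session["centralauth_state"] = secrets.token_urlsafe(32)
    query = urlencode({"response_type": "code", "client_id": CLIENT_ID,
                       "redirect_uri": REDIRECT_URI,
                       "state": session["centralauth_state"]})
    return f"{PROVIDER_URL}/authorize/?{query}"


class Provider:
    """Stand-in for the provider: hands out one-time codes after the user
    consents and exchanges them for access tokens."""

    def __init__(self):
        self._codes = {}

    def authorize(self, authorize_url: str, user: str) -> str:
        """Return the redirect back to the client, echoing the state."""
        q = parse_qs(urlparse(authorize_url).query)
        code = secrets.token_urlsafe(16)
        self._codes[code] = user
        return f"{q['redirect_uri'][0]}?{urlencode({'code': code, 'state': q['state'][0]})}"

    def exchange(self, code: str, client_id: str, client_secret: str) -> dict:
        user = self._codes.pop(code, None)   # pop: a code is valid exactly once
        if user is None or (client_id, client_secret) != (CLIENT_ID, CLIENT_SECRET):
            raise PermissionError("invalid code or client credentials")
        return {"access_token": secrets.token_urlsafe(32), "user": user}


def callback_view(session: dict, callback_url: str, provider: Provider) -> tuple:
    """CallbackView: check the state, exchange the code for a token, log the
    user in and return (user, redirect target)."""
    q = parse_qs(urlparse(callback_url).query)
    expected = session.pop("centralauth_state", None)
    received = q.get("state", [""])[0]
    if not expected or not hmac.compare_digest(received, expected):
        raise PermissionError("state mismatch: callback not started by this session")
    token = provider.exchange(q.get("code", [""])[0], CLIENT_ID, CLIENT_SECRET)
    session["user"] = token["user"]          # "authenticate user with access token"
    return token["user"], session.pop("centralauth_next", "/admin/")


def run_flow(next_url: str, user: str) -> tuple:
    """Whole round trip for one browser session."""
    session, provider = {}, Provider()
    callback_url = provider.authorize(login_view(session, next_url), user)
    return callback_view(session, callback_url, provider)


def forged_state_rejected() -> bool:
    """A callback carrying a state this session never issued must fail."""
    session, provider = {}, Provider()
    callback_url = provider.authorize(login_view(session, "/"), "mallory")
    code = parse_qs(urlparse(callback_url).query)["code"][0]
    forged = f"{REDIRECT_URI}?{urlencode({'code': code, 'state': 'forged'})}"
    try:
        callback_view(session, forged, provider)
    except PermissionError:
        return True
    return False


def code_replay_rejected() -> bool:
    """The same authorization code must not be exchangeable twice."""
    provider = Provider()
    callback_url = provider.authorize(login_view({}, "/"), "alice")
    code = parse_qs(urlparse(callback_url).query)["code"][0]
    provider.exchange(code, CLIENT_ID, CLIENT_SECRET)
    try:
        provider.exchange(code, CLIENT_ID, CLIENT_SECRET)
    except PermissionError:
        return True
    return False
```

Inside a real Django view, `django.utils.http.url_has_allowed_host_and_scheme` is the right replacement for `safe_next`, and the state should be compared exactly as here: with a constant-time comparison against a value that lives only in the server-side session.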
centralauth.provider package¶
- class centralauth.provider.admin.ApplicationPermissionGroupAdminForm(*args, **kwargs)[source]¶
Bases:
django.forms.models.ModelForm
- class centralauth.provider.admin.ApplicationPermissionGroupAdmin(model, admin_site)[source]¶
Bases:
django.contrib.admin.options.ModelAdmin
- save_related(request, form, formsets, change)[source]¶
Given the HttpRequest, the parent ModelForm instance, the list of inline formsets and a boolean value based on whether the parent is being added or changed, save the related objects to the database. Note that at this point save_form() and save_model() have already been called.
- class centralauth.provider.admin.ApplicationUserAdminForm(*args, **kwargs)[source]¶
Bases:
django.forms.models.ModelForm
- class centralauth.provider.admin.ApplicationUserAdmin(model, admin_site)[source]¶
Bases:
django.contrib.admin.options.ModelAdmin
- class centralauth.provider.admin.ApplicationUserInlineFormset(data=None, files=None, instance=None, save_as_new=False, prefix=None, queryset=None, **kwargs)[source]¶
- class centralauth.provider.admin.ApplicationUserInlineForm(*args, **kwargs)[source]¶
Bases:
django.forms.models.ModelForm
- class centralauth.provider.admin.ApplicationUserInline(parent_model, admin_site)[source]¶
Bases:
django.contrib.admin.options.TabularInline
- formset[source]¶
alias of
centralauth.provider.admin.ApplicationUserInlineFormset
- class centralauth.provider.admin.ApplicationAdminForm(*args, **kwargs)[source]¶
Bases:
django.forms.models.ModelForm
- class centralauth.provider.models.Application(*args, **kwargs)[source]¶
Bases:
oauth2_provider.models.AbstractApplication
Centralauth custom application model.
- save(*args, **kwargs)[source]¶
Save the current instance. Override this in a subclass if you want to control the saving process.
The ‘force_insert’ and ‘force_update’ parameters can be used to insist that the “save” must be an SQL insert or update (or equivalent for non-SQL backends), respectively. Normally, they should not be set.
- accesstoken_set[source]¶
Reverse many-to-one accessor: manager for the AccessToken objects issued for this application.
- applicationpermission_set[source]¶
Reverse many-to-one accessor: manager for the ApplicationPermission objects registered for this application.
- applicationpermissiongroup_set[source]¶
Reverse many-to-one accessor: manager for the ApplicationPermissionGroup objects of this application.
- applicationuser_set[source]¶
Reverse many-to-one accessor: manager for the ApplicationUser objects (per-user permission assignments) of this application.
- get_authorization_grant_type_display(*, field=<django.db.models.fields.CharField: authorization_grant_type>)[source]¶
- get_next_by_created(*, field=<django.db.models.fields.DateTimeField: created>, is_next=True, **kwargs)[source]¶
- get_next_by_updated(*, field=<django.db.models.fields.DateTimeField: updated>, is_next=True, **kwargs)[source]¶
- get_previous_by_created(*, field=<django.db.models.fields.DateTimeField: created>, is_next=False, **kwargs)[source]¶
- get_previous_by_updated(*, field=<django.db.models.fields.DateTimeField: updated>, is_next=False, **kwargs)[source]¶
- grant_set[source]¶
Reverse many-to-one accessor: manager for the Grant objects (authorization codes) issued for this application.
- idtoken_set[source]¶
Reverse many-to-one accessor: manager for the IDToken objects issued for this application.
- refreshtoken_set[source]¶
Reverse many-to-one accessor: manager for the RefreshToken objects issued for this application.
- class centralauth.provider.models.ApplicationPermission(*args, **kwargs)[source]¶
Bases:
django.db.models.base.Model
Model for holding all permissions available for application.
- application[source]¶
Forward many-to-one accessor: the Application this permission belongs to.
- repr[source]¶
Model field: string representation of the permission.
- codename[source]¶
Model field.
- app_label[source]¶
Model field.
- date_created[source]¶
Model field.
- applicationpermissiongroup_set[source]¶
Reverse many-to-many accessor: the ApplicationPermissionGroup objects that include this permission.
- applicationuser_set[source]¶
Reverse many-to-many accessor: the ApplicationUser objects granted this permission directly.
- get_next_by_date_created(*, field=<django.db.models.fields.DateTimeField: date_created>, is_next=True, **kwargs)[source]¶
- get_previous_by_date_created(*, field=<django.db.models.fields.DateTimeField: date_created>, is_next=False, **kwargs)[source]¶
- class centralauth.provider.models.ApplicationPermissionGroup(*args, **kwargs)[source]¶
Bases:
django.db.models.base.Model
Model for for managing groups of permissions.
Permission groups are not synced with client Group objects. In client all permissions are handled on Permission object level.
- name[source]¶
Model field.
- application[source]¶
Forward many-to-one accessor: the Application this group belongs to.
- permissions[source]¶
Many-to-many accessor: the ApplicationPermission objects in this group.
- date_created[source]¶
Model field.
- applicationuser_set[source]¶
Reverse many-to-many accessor: the ApplicationUser objects that are members of this group.
- get_next_by_date_created(*, field=<django.db.models.fields.DateTimeField: date_created>, is_next=True, **kwargs)[source]¶
- get_previous_by_date_created(*, field=<django.db.models.fields.DateTimeField: date_created>, is_next=False, **kwargs)[source]¶
- class centralauth.provider.models.ApplicationUser(*args, **kwargs)[source]¶
Bases:
django.db.models.base.Model
Model for managing user permissions within application.
- user[source]¶
Forward many-to-one accessor: the Django user this assignment is for.
- application[source]¶
Forward many-to-one accessor: the Application this assignment applies to.
- is_superuser[source]¶
Model field.
- is_staff[source]¶
Model field.
- is_active[source]¶
Model field.
- permissions[source]¶
Many-to-many accessor: permissions granted to the user directly.
- groups[source]¶
Many-to-many accessor: permission groups the user is a member of.
- date_created[source]¶
Model field.
- get_permissions()[source]¶
Combine all user permissions.
- Returns
list of ids of all user permissions.
- get_next_by_date_created(*, field=<django.db.models.fields.DateTimeField: date_created>, is_next=True, **kwargs)[source]¶
- get_previous_by_date_created(*, field=<django.db.models.fields.DateTimeField: date_created>, is_next=False, **kwargs)[source]¶
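The provider models above (ApplicationPermission, ApplicationPermissionGroup, ApplicationUser.get_permissions) and the client-side serialize_perm and permission sync described in the changelog fit together as follows. This is an added example, not django-centralauth's own code: the Django models are replaced by dataclasses so it runs offline, and the helper names are this example's. It shows what get_permissions has to combine (direct grants plus every group's grants, flattened, because groups are not synced to the client), and the merge-instead-of-clear sync from changelog entries 1.1.0 and 1.1.1, which also drops permissions the provider no longer grants.

```python
"""Toy model of provider permission objects and the client sync (added
example, not project code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ApplicationPermission:
    app_label: str
    codename: str
    repr: str   # human-readable label of the permission


@dataclass
class ApplicationPermissionGroup:
    name: str
    permissions: frozenset = frozenset()


@dataclass
class ApplicationUser:
    username: str
    is_superuser: bool = False
    is_staff: bool = False
    is_active: bool = True
    permissions: frozenset = frozenset()   # direct grants
    groups: tuple = ()                     # ApplicationPermissionGroup members


def serialize_perm(perm: ApplicationPermission) -> dict:
    """Same key set as centralauth.client.services.serialize_perm."""
    return {"app_label": perm.app_label, "codename": perm.codename, "repr": perm.repr}


def effective_permissions(user: ApplicationUser) -> set:
    """What get_permissions combines: direct grants plus each group's grants.
    Groups are flattened; the client only ever sees Permission objects."""
    perms = set(user.permissions)
    for group in user.groups:
        perms |= group.permissions
    return perms


def perm_key(p: dict) -> str:
    """Client-side identity of a serialized permission."""
    return f"{p['app_label']}.{p['codename']}"


def sync_plan(client_perms: set, provider_payload: list) -> tuple:
    """Return (to_add, to_remove) for the client, comparing what the provider
    now sends for a user against what the client currently holds."""
    wanted = {perm_key(p) for p in provider_payload}
    return wanted - client_perms, client_perms - wanted


def apply_sync(client_perms: set, provider_payload: list) -> set:
    """Merge rather than clear-and-recreate: permissions the provider still
    grants are left untouched, revoked ones are removed, new ones added."""
    to_add, to_remove = sync_plan(client_perms, provider_payload)
    return (client_perms | to_add) - to_remove


# Constructed sample data.
VIEW = ApplicationPermission("invoices", "view_invoice", "Can view invoice")
CHANGE = ApplicationPermission("invoices", "change_invoice", "Can change invoice")
BILLING = ApplicationPermissionGroup("Billing", frozenset({VIEW, CHANGE}))
ALICE = ApplicationUser("alice", is_staff=True,
                        permissions=frozenset({VIEW}), groups=(BILLING,))
# The client still holds a permission the provider has since revoked.
CLIENT_STATE = {"invoices.view_invoice", "reports.view_report"}


def sync_alice() -> set:
    """Client-side permission set for alice after one sync."""
    payload = [serialize_perm(p) for p in effective_permissions(ALICE)]
    return apply_sync(CLIENT_STATE, payload)


if __name__ == "__main__":
    print(sorted(sync_alice()))
```

The direct grant VIEW and the Billing group's VIEW collapse to one permission because ApplicationPermission is hashable on its identifying fields; a clear-then-add implementation would produce the same end state but with a window in which the user holds no permissions at all.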