8 Jun, 2018

Django Keycloak | Shadow accounts

If you are familiar with SAML / ADFS / Active Directory, you have most probably already heard about shadow accounts. Basically, when integrating another company's authentication into your application you have two options: either you support full claims-based authentication in your app, or you create a "shadow" account in your application and use that shadow account for delegation, permissions and so on.

In this post we will use Keycloak (an open source identity provider) as the IdP and Django for our web application, and we will keep Django users as "shadow accounts". This setup has multiple advantages: you can easily integrate any company into your application, and if you are developing a set of unrelated applications you can provide a single password to all users. The shadow account setup also has the advantage of removing the dependency on the IdP, as you can very easily move back to plain Django users by just asking your users to reset their password at their next logon.

Finally, another key benefit is that you manage your users centrally, including Django admin and superuser access. This means that if someone from your team leaves, you can very easily remove their admin access without removing their application access!

We will post the step-by-step setup soon.

So first we set up Keycloak with Django. We will use https://github.com/jhuapl-boss/boss-oidc, with a deeper explanation from Jon at http://blog.jonharrington.org/static/integrate-django-with-keycloak/index.html

So basically, create a new client in your Keycloak realm and add your localhost:8000/* URL to the valid redirect URIs.
Then update your requirements:

 Django==1.11.13
 psycopg2
 pillow
 git+https://github.com/jhuapl-boss/django-oidc.git
 git+https://github.com/jhuapl-boss/drf-oidc-auth.git
 git+https://github.com/jhuapl-boss/boss-oidc.git

And your settings:

INSTALLED_APPS = [
    'django.contrib.admin',
    'django.contrib.auth',
    'django.contrib.contenttypes',
    'django.contrib.sessions',
    'django.contrib.messages',
    'django.contrib.staticfiles',
    'bossoidc',    # boss-oidc: creates/updates the Django (shadow) user from the OIDC claims
    'djangooidc',  # django-oidc: login/callback views for the OpenID Connect flow
]

AUTHENTICATION_BACKENDS = (
    # ModelBackend stays first so local Django passwords (e.g. after a reset) keep working
    'django.contrib.auth.backends.ModelBackend',
    'bossoidc.backend.OpenIdConnectBackend',
)

# Keycloak realm endpoint, the client you created in that realm, and this app's public base URL
auth_uri = "https://auth.meestart.com/auth/realms/MeeStart"
client_id = "letsredirect.meestart.com"
public_uri = "http://localhost:8000"

from bossoidc.settings import *
configure_oidc(auth_uri, client_id, public_uri)

Then in your urls add the openid routes:

from django.conf.urls import url, include
from django.contrib import admin

urlpatterns = [
    url(r'^admin/', admin.site.urls),
    # login, callback and logout views provided by django-oidc
    url(r'openid/', include('djangooidc.urls')),
]

Nothing there that hasn't been described in the two links above. So now our users are authenticated and linked to a Django user.

A few points to note. Keycloak returns the user's roles, and bossoidc reapplies those roles at each logon. So in Keycloak create superuser and admin roles and assign them to your user.
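To make the shadow-account mechanics concrete, here is an added example (not code from this post or from boss-oidc) of what happens at each logon: look up or create the local user from the IdP identity, then recompute the admin flags from the roles carried in the token. It assumes claims shaped like Keycloak's default access token (realm roles under `realm_access.roles`), the `admin` and `superuser` role names from this post, and a hypothetical in-memory `ShadowAccountStore` standing in for Django's user table. Because the flags are recomputed rather than only added, a role removed in Keycloak disappears from the Django user the next time they log in, which is the "remove admin access centrally" property described above.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Role names assumed to exist in the Keycloak realm (the post's "admin"/"superuser").
STAFF_ROLE = "admin"
SUPERUSER_ROLE = "superuser"


@dataclass
class ShadowUser:
    """Minimal stand-in for a Django auth.User row (hypothetical, no ORM)."""
    sub: str            # Keycloak subject id: the stable link to the IdP identity
    username: str
    email: str = ""
    is_staff: bool = False
    is_superuser: bool = False


class ShadowAccountStore:
    """In-memory table of shadow accounts keyed by the IdP 'sub' claim (constructed)."""

    def __init__(self) -> None:
        self._by_sub: Dict[str, ShadowUser] = {}

    def get(self, sub: str) -> Optional[ShadowUser]:
        return self._by_sub.get(sub)

    def add(self, user: ShadowUser) -> None:
        self._by_sub[user.sub] = user

    def __len__(self) -> int:
        return len(self._by_sub)


def realm_roles(claims: dict) -> Set[str]:
    """Realm roles where Keycloak's default mapper places them: realm_access.roles."""
    return set(claims.get("realm_access", {}).get("roles", []))


def sync_shadow_user(store: ShadowAccountStore, claims: dict) -> ShadowUser:
    """Find-or-create the shadow account for already-verified token claims and
    recompute its admin flags from the roles present in this logon."""
    sub = claims["sub"]
    roles = realm_roles(claims)
    user = store.get(sub)
    if user is None:
        # First logon: create the shadow account. The key is 'sub', not e-mail,
        # so two IdP identities with the same e-mail get two separate rows.
        user = ShadowUser(sub=sub, username=claims.get("preferred_username", sub))
        store.add(user)
    # Profile fields are refreshed from the IdP on every logon.
    user.email = claims.get("email", user.email)
    # Flags are recomputed, never merely OR-ed in, so a role removed in
    # Keycloak is gone from the Django user at the next logon.
    user.is_superuser = SUPERUSER_ROLE in roles
    user.is_staff = user.is_superuser or STAFF_ROLE in roles
    return user


def demo() -> dict:
    """Three logons of one user with shrinking roles, then a second subject
    that shares the same e-mail. All claim data is constructed for this example."""
    store = ShadowAccountStore()
    alice_admin = {"sub": "11111111-aaaa", "preferred_username": "alice",
                   "email": "alice@example.org",
                   "realm_access": {"roles": ["admin", "superuser", "offline_access"]}}
    u = sync_shadow_user(store, alice_admin)
    first = (u.is_staff, u.is_superuser)

    alice_demoted = dict(alice_admin, realm_access={"roles": ["admin"]})
    u = sync_shadow_user(store, alice_demoted)
    second = (u.is_staff, u.is_superuser)

    alice_plain = dict(alice_admin, realm_access={"roles": []})
    u = sync_shadow_user(store, alice_plain)
    third = (u.is_staff, u.is_superuser)

    bob = {"sub": "22222222-bbbb", "preferred_username": "bob",
           "email": "alice@example.org", "realm_access": {"roles": ["superuser"]}}
    other = sync_shadow_user(store, bob)

    return {"first": first, "second": second, "third": third,
            "accounts": len(store), "other_sub": other.sub,
            "other_is_superuser": other.is_superuser,
            "alice_after_bob": (u.is_staff, u.is_superuser)}


if __name__ == "__main__":
    print(demo())
```

In a real deployment the claims passed to `sync_shadow_user` must already have had their signature, issuer, audience and expiry verified by the OIDC library; this function only answers "which local user, with which flags". Keying on `sub` rather than e-mail is the detail most worth keeping when you adapt this to the ORM.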


About : philippe
