SSO using CAS + two-factor authentication (PyGrunn 2014 talk)

Posted on 10-May-2015


Modern authentication techniques in Python web applications. PyGrunn talk by Artur Barseghyan. Year 2014.

Transcript of SSO using CAS + two-factor authentication (PyGrunn 2014 talk)

Modern authentication techniques in Python web applications

Artur Barseghyan
Goldmund, Wyldebeast & Wunderliebe
http://www.goldmund-wyldebeast-wunderliebe.nl/
artur.barseghyan@gmail.com
https://github.com/barseghyanartur

Part 1: Single Sign-on using Central Authentication Service

A single framework/application

(Diagram) One framework/application with its own user base, its own authentication system, and other important parts not related to this talk.

Typical framework/application authentication flow

(Flowchart) The user requests content requiring authentication. Is the user authenticated? If yes, the user gets the content requested. If no, authenticate the user: the user provides credentials on the login page. Are the credentials correct? If yes, the user gets the content requested; if no, back to the login page.

Multiple web frameworks/applications

(Diagram) Framework/application 1 with user base 1, authentication system 1 and other important parts not related to this talk; framework/application 2 with user base 2 and authentication system 2; ... framework/application N with user base N and authentication system N; and a web portal (e.g. DMS, intranet, wiki, etc.).

Without Single Sign-on...

● Use a single framework/application and write lots of apps, OR
● Use multiple frameworks/applications and:
  ○ hack their authentication systems, OR
  ○ expect users to log in to each of them, OR
  ○ make them communicate via a custom-built API
● More (bad) ideas?

With Single Sign-on...

● The user logs in once and gains access to all systems without being prompted to log in again.

(JaSig) CAS

Enterprise Single Sign-on solution

● Open source
● Well documented
● Scalable
● Modular and highly pluggable (MySQL, PostgreSQL, Oracle, LDAP, SPNEGO, RADIUS, etc.)
● Lots of ready-to-use clients and plugins

(JaSig) CAS

CAS involves at least three parties:
● A client web browser
● The web application requesting authentication
● The CAS server

It may optionally also involve:
● A back-end service, such as a database server

CAS authentication flow

CAS authentication schema

(Flowchart with two lanes: CAS client (web application) and CAS server)

CAS client (web application): the user requests content which requires authentication. Is the user authenticated into the app? If yes, the user gets the content requested. If no, authenticate the user (CAS).

CAS server: is the user authenticated into CAS? If yes, create an SSO token and redirect back to the application. If no, the user is asked to provide credentials (login page) and the CAS server authenticates the user locally. Are the credentials correct? If yes, create an SSO token and redirect; if no, back to the login page. After the redirect, the user gets the content requested.
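The client lane of the schema above, written out as an added example in plain Python (it is not code from the talk, nor from django-cas-consumer or anz.casclient). It uses the CAS 2.0 `/login` and `/serviceValidate` endpoints; the host names, the `ST-1-constructed` ticket, the `jdoe` user and the `fake_cas_fetch` stand-in for an HTTPS request to the CAS server are all constructed so that it runs offline. The security-relevant point it shows: a ticket arriving on the browser redirect is never trusted by itself; the application validates it server-to-server and only then creates its local session.

```python
# Added example: CAS 2.0 client-side flow (login redirect, ticket validation,
# local session). Not from the talk or any of the projects it names.
import xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, urlencode, urlparse, urlunparse

CAS_NS = "{http://www.yale.edu/tp/cas}"  # namespace of CAS 2.0 XML responses


class CasValidationError(Exception):
    """Raised when the CAS server does not confirm the ticket."""


def login_redirect_url(cas_base, service_url):
    """'Authenticate user (CAS)': send the browser to the CAS login page and
    tell CAS which service URL to come back to with a ticket."""
    return cas_base.rstrip("/") + "/login?" + urlencode({"service": service_url})


def service_url_without_ticket(request_url):
    """The service URL presented for validation must match what CAS saw,
    i.e. the current URL with the 'ticket' parameter removed."""
    parts = urlparse(request_url)
    query = [(k, v) for k, v in parse_qsl(parts.query) if k != "ticket"]
    return urlunparse(parts._replace(query=urlencode(query)))


def parse_validation_response(xml_text):
    """Parse a CAS 2.0 serviceValidate response. Only an explicit
    <cas:authenticationSuccess> carrying a <cas:user> counts as success."""
    # The response comes from the CAS server itself; for XML from less
    # trusted sources prefer the defusedxml parsers.
    root = ET.fromstring(xml_text)
    success = root.find(CAS_NS + "authenticationSuccess")
    if success is None:
        failure = root.find(CAS_NS + "authenticationFailure")
        code = failure.get("code", "UNKNOWN") if failure is not None else "UNKNOWN"
        raise CasValidationError(code)
    user = success.findtext(CAS_NS + "user")
    if not user:
        raise CasValidationError("NO_USER")
    return user


def handle_request(request_url, session, cas_base, fetch):
    """One pass through the CAS client lane of the flowchart.
    Returns ('content', user), ('redirect', url) or ('denied', reason)."""
    if "user" in session:                       # 'Is user authenticated into app?' -> Yes
        return ("content", session["user"])
    params = dict(parse_qsl(urlparse(request_url).query))
    service = service_url_without_ticket(request_url)
    ticket = params.get("ticket")
    if ticket is None:                          # No -> 'Authenticate user (CAS)'
        return ("redirect", login_redirect_url(cas_base, service))
    # Back from CAS with a ticket: validate it server-to-server, never trust it as-is.
    validate = cas_base.rstrip("/") + "/serviceValidate?" + urlencode(
        {"service": service, "ticket": ticket})
    try:
        user = parse_validation_response(fetch(validate))
    except CasValidationError as exc:
        return ("denied", str(exc))
    session["user"] = user                      # local session only after validation
    return ("content", user)


# Constructed CAS responses for the offline simulation.
SUCCESS_XML = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess><cas:user>jdoe</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
FAILURE_XML = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">ticket not recognised</cas:authenticationFailure>
</cas:serviceResponse>"""


def fake_cas_fetch(url):
    """Stand-in for an HTTPS GET to the CAS server: one constructed ticket is
    valid, and only for the service URL it was issued for."""
    params = dict(parse_qsl(urlparse(url).query))
    if params.get("ticket") == "ST-1-constructed" and params.get("service") == "https://app.example/dash":
        return SUCCESS_XML
    return FAILURE_XML


if __name__ == "__main__":
    session = {}
    base = "https://cas.example/cas"
    print(handle_request("https://app.example/dash", session, base, fake_cas_fetch))
    print(handle_request("https://app.example/dash?ticket=ST-1-constructed", session, base, fake_cas_fetch))
    print(handle_request("https://app.example/dash", session, base, fake_cas_fetch))
```

Run as a script it prints the three states in order: the redirect to the CAS login page, the content after the ticket is validated, and the content again served straight from the local session. A bogus ticket yields `('denied', 'INVALID_TICKET')` and leaves the session empty, which is the behaviour that makes "SSO security becomes critical" manageable on the client side.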

Pros of CAS

● Centralised authentication for all frameworks/applications.
● Actively maintained and developed. Large community.
● Modular and highly pluggable (MySQL, PostgreSQL, Oracle, Active Directory, LDAP, SPNEGO, RADIUS, etc.).
● Lots of ready-to-use packages for many frameworks/applications.
● Fewer passwords to retype, remember and recover.
● More of your own code is reusable.
● Happier end-users.
● REST API.

Cons of CAS

● SSO availability becomes critical.
● SSO security becomes critical.

Our use case

(Diagram)
● Server A: Dashboard app (Django)
● Server B: DMS (Plone)
● Server C: CAS server
● Server D: User base (Active Directory)
● Server X: more to come
● VPN
● Stack: Apache, Tomcat, Debian, Java, CAS, OpenVPN, AJP, Python, Django, Plone

Conclusion

CAS alternatives


● JOSSO http://www.josso.org
● OpenAM (formerly known as OpenSSO) http://openam.forgerock.org
● Pubcookie http://www.pubcookie.org
● CoSign http://weblogin.org

Linkodrome


Software packages
● JaSig CAS http://www.jasig.org/cas
● Django CAS client https://github.com/Goldmund-Wyldebeast-Wunderliebe/django-cas-consumer
● Plone CAS client https://github.com/collective/anz.casclient

Detailed installation instructions: http://bit.ly/1uuk2BS

Part 2: Two-step verification (Two-factor authentication)

Standard authentication flow

(Flowchart) The user requests content requiring authentication. Is the user authenticated? If yes, the user gets the content requested. If no, authenticate the user: the user provides credentials (login page). Are the credentials correct? If yes, the user gets the content requested; if no, back to the login page.

Standard authentication factors

● Knowledge factor ("something only the user knows"): a password or a PIN.
● Possession factor ("something only the user has"): ATM card, smart card, mobile phone.
● Inherence factor ("something only the user is"): fingerprint or voiceprint.

Common advice on remembering many passwords

● Use complex passwords and have them saved in password managers.
● Use complex passwords, write them on paper and carry them in your wallet.

Passwords aren't enough!

Two-factor authentication

● Knowledge factor ("something only the user knows"): a password or a PIN.
● Possession factor ("something only the user has"): ATM card, smart card, mobile phone.
● Inherence factor ("something only the user is"): fingerprint or voiceprint.

Standard authentication flow

(Flowchart) The user requests content requiring authentication. Is the user authenticated? If yes, the user gets the content requested. If no, authenticate the user: the user provides credentials. Are the credentials correct? If yes, the user gets the content requested; if no, back to the credentials step.

Two-factor authentication flow

(Flowchart) The user requests content requiring authentication. Is the user authenticated? If yes, the user gets the content requested. If no, authenticate the user: the user provides credentials. Are the credentials correct? If no, back to the credentials step. If yes, second factor: the user provides the second-factor token. Is the token correct? If yes, the user gets the content requested; if no, the token is rejected and the user does not get the content.

(Common) solutions

● SMS authentication
● Google Authenticator (mobile app)
● Hardware token generators

Google Authenticator

(Screenshot)

Hardware token generators

(Image)

Our use cases

● collective.googleauthenticator (uses Google Authenticator app)
● collective.smsauthenticator (login codes sent by SMS)
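The "Is token correct?" step of the two-factor flow, for the Google Authenticator case, as an added example in Python (not code from the talk, collective.googleauthenticator or django-otp). It implements the HOTP/TOTP construction those apps use (RFC 4226 HMAC-SHA1 with RFC 6238 30-second time steps, 6 digits), accepts one step of clock drift either way, compares in constant time, and refuses a code for a time step that has already been used, so a code observed once cannot be replayed inside its window. The `second_factor_step` glue, the `pending_user` session key, the `jdoe` user and the `secrets` store are assumptions made for the example; the demo secret is the RFC 4226/6238 test seed, base32-encoded the way an authenticator app is provisioned.

```python
# Added example: TOTP second-factor verification with drift window and replay
# protection. Not from the talk or any of the packages it names.
import base64
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238: HOTP with the counter derived from the current 30-second time step."""
    return hotp(secret, int(unix_time) // step, digits)


def decode_base32_secret(text):
    """Authenticator apps are provisioned with a base32 secret; tolerate
    lowercase, spaces and missing '=' padding as users tend to type them."""
    text = text.strip().replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def verify_totp(secret, submitted, unix_time, last_counter, window=1, step=30, digits=6):
    """'Is token correct?' Returns the accepted time-step counter, or None.
    Accepts +/- window steps of clock drift, compares in constant time, and
    refuses any counter <= last_counter so a used code cannot be replayed."""
    if not (isinstance(submitted, str) and submitted.isascii()
            and submitted.isdigit() and len(submitted) == digits):
        return None
    current = int(unix_time) // step
    for delta in range(-window, window + 1):
        counter = current + delta
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


def second_factor_step(session, submitted, unix_time, secrets):
    """Glue for the flowchart (assumed session layout): only a session that passed
    the credentials step ('pending_user') may submit a token, and success
    promotes it to a logged-in session ('user')."""
    user = session.get("pending_user")
    if user is None:
        return "denied"
    record = secrets[user]
    counter = verify_totp(record["secret"], submitted, unix_time, record.get("last_counter", -1))
    if counter is None:
        return "token rejected"
    record["last_counter"] = counter          # remember the used time step
    session["user"] = session.pop("pending_user")
    return "content"


# Constructed demo data: the RFC 4226/6238 test seed, base32-encoded as an app stores it.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

if __name__ == "__main__":
    secrets = {"jdoe": {"secret": decode_base32_secret(DEMO_SECRET_B32)}}
    now = 59  # RFC 6238 test time; an authenticator app shows 287082 for this seed
    session = {"pending_user": "jdoe"}
    print(second_factor_step(session, totp(secrets["jdoe"]["secret"], now), now, secrets))
    print(second_factor_step({"pending_user": "jdoe"}, "287082", now, secrets))  # same code again
```

The second call prints `token rejected`: the code is still inside its time window, but its counter has been recorded as used. The same `verify_totp` serves the SMS variant only in shape; an SMS code is a server-generated random value with its own expiry, and the per-step counter check here is specific to time-based tokens.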

collective.googleauthenticator

(Screenshots) Setup two-step verification; Authenticate; Verify

Conclusion

Alternatives

● Risk-based authentication (based on behavioral biometrics, keystroke dynamics, etc.)

● Strong authentication

● Reliance authentication

Linkodrome

Plone
● collective.googleauthenticator (two-factor authentication using Google Authenticator app) https://pypi.python.org/pypi/collective.googleauthenticator
● collective.smsauthenticator (two-factor authentication using login codes sent by SMS) https://pypi.python.org/pypi/collective.smsauthenticator

Django
● django-two-factor-auth (two-factor authentication using Google Authenticator or login codes sent by SMS) https://pypi.python.org/pypi/django-two-factor-auth
● django-otp (pluggable framework for adding two-factor authentication using OTP) https://pypi.python.org/pypi/django-otp

Questions?

Thank you!

Artur Barseghyan
Goldmund, Wyldebeast & Wunderliebe
artur.barseghyan@gmail.com
https://github.com/barseghyanartur