This is an OpenID-Connect authentication module for the Koios framework.
To use this module, simply put this project under ./koios/app/auth_oidc. That's it! No need to modify any code.
Make sure the folder name is correct. The best way to make sure is to clone the project as such:

```
cd <your_koios_folder>/app
git clone https://github.com/northernsec/koios_auth_oidc auth_oidc
```

This module is configured through the .env file.

| Variable | Description | Default Value |
|---|---|---|
| OIDC_CLIENT_ID | The OIDC client ID provided by the authentication server | empty:required |
| OIDC_SECRET | The OIDC client secret provided by the authentication server | empty:required |
| OIDC_SERVER | The URL of the authentication server, including the protocol | empty:required |
| OIDC_REALM | The authentication server realm to authenticate against | master |
| OIDC_SIGN_ALGORITHM | Signing algorithm used by the authentication server | RS256 |
| OIDC_AUDIENCE | Required audience key to be provided by the authentication server | koios |
| OIDC_LOGIN_REDIRECT | Post-login redirect URL | /oidc/profile |
| OIDC_LOGOUT_REDIRECT | Post-logout redirect URL | /oidc/profile |
This authentication module syncs the users to the default Django authentication integration, and manages these users and groups.
Groups created by this module will always start with oidc:. For example, group example, provided by the OpenID-Connect client, will be stored as oidc:example in the Django back-end. These groups are fully managed (add/update/remove) by auth_oidc, and will remain synced with the authentication server.
This does not matter for group checking, and is just how this module handles group management. You can use the built-in Koios helper decorator @group_required(example) to check whether a user is in the example group. This will match both the group example and oidc:example, allowing you to manually assign a user to a group, even if the authentication server does not provide it.
Note: A group check is not the same as a permission check. Groups can have permissions assigned, but auth_oidc does not manage group permissions.
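
The naming and matching rules above, as an added sketch in plain Python. This is not auth_oidc's or Koios's own code: `sync_groups` and `in_group` are hypothetical names, and group membership is modelled as a set of strings instead of Django `Group` objects.

```python
OIDC_PREFIX = "oidc:"  # prefix the README says every managed group carries


def sync_groups(current, claimed):
    """Model one login sync (assumed behaviour, derived from the README text).

    current: group names already assigned to the Django user
    claimed: group names provided by the authentication server
    Returns the user's group names after the sync.
    """
    # Groups without the prefix were assigned by hand and are left alone.
    manual = {g for g in current if not g.startswith(OIDC_PREFIX)}
    # Managed groups are rebuilt from the server's claims, so a group the
    # server no longer provides disappears (the "remove" in add/update/remove).
    managed = {OIDC_PREFIX + g for g in claimed}
    return manual | managed


def in_group(user_groups, name):
    """Model the check described for @group_required: either form matches."""
    return name in user_groups or OIDC_PREFIX + name in user_groups


if __name__ == "__main__":
    # Constructed sample data, not taken from a real deployment.
    before = {"oidc:staff", "auditors"}          # one managed, one manual
    after = sync_groups(before, ["example"])     # server now sends "example"
    print(sorted(after))
    print(in_group(after, "example"), in_group(after, "staff"))

    # A manual assignment survives the server dropping the group.
    kept = sync_groups({"example", "oidc:example"}, [])
    print(sorted(kept), in_group(kept, "example"))
```

In this model a group dropped at the authentication server stops matching only if no manually assigned group of the same name exists; the manual assignment has to be removed in Django separately.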
Because of the reliance on mozilla_django_oidc as a baseline, this module has no app_name. As a result, the pages provided by this applet don't have the usual app:page structure.
The pages provided by auth_oidc are:
| Page | Usage |
|---|---|
| oidc_authentication_init | Redirect to the authentication server's log-in page for log-in. |
| oidc_logout_redirect | GET URL for logging out (helps with UI buttons) |
| oidc_profile | auth_oidc-provided profile page |