swh.auth.django.backends module
- class swh.auth.django.backends.OIDCAuthorizationCodePKCEBackend
  Bases: object

  Django authentication backend using Keycloak OpenID Connect authorization code flow with PKCE (“Proof Key for Code Exchange”).

  To use that backend globally in your Django application, proceed as follows:

  - add "swh.auth.django.backends.OIDCAuthorizationCodePKCEBackend" to the AUTHENTICATION_BACKENDS Django setting
  - configure Keycloak URL, realm and client by adding SWH_AUTH_SERVER_URL, SWH_AUTH_REALM_NAME and SWH_AUTH_CLIENT_ID in Django settings
  - add swh.auth.django.views.urlpatterns to your Django application URLs
  - add an HTML link targeting the "oidc-login" Django view in your application views
  - once a user is logged in, add an HTML link targeting the "oidc-logout" Django view in your application views (a next query parameter can be used to redirect to a view of choice once the user is logged out)
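
What PKCE adds to the authorization code flow this backend relies on, as an added example (not code from swh.auth): the client keeps a random code verifier and sends only its SHA-256 challenge (the S256 method of RFC 7636), and the token endpoint later requires the verifier itself. The function names, client id and redirect URI are constructed for illustration.

```python
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier() -> str:
    """Client side: 32 random bytes give a 43-character verifier kept in the session."""
    return b64url(secrets.token_bytes(32))


def code_challenge(verifier: str) -> str:
    """S256 transform: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def authorization_params(client_id: str, redirect_uri: str, state: str, verifier: str) -> str:
    """Query string of the authorization request; only the challenge leaves the client."""
    return urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
        "code_challenge": code_challenge(verifier),
        "code_challenge_method": "S256",
    })


def server_accepts(stored_challenge: str, presented_verifier: str) -> bool:
    """Token endpoint check: recompute the challenge and compare in constant time."""
    return hmac.compare_digest(stored_challenge, code_challenge(presented_verifier))


if __name__ == "__main__":
    verifier = new_code_verifier()
    # Constructed placeholders: client id and redirect URI are not from the page.
    print(authorization_params("example-client", "https://app.example/callback",
                               secrets.token_urlsafe(16), verifier))
    challenge = code_challenge(verifier)
    print(server_accepts(challenge, verifier))             # client holding the verifier
    print(server_accepts(challenge, new_code_verifier()))  # code presented without it
```

An authorization code intercepted on the redirect cannot be exchanged for tokens without the verifier, which never appears in the browser-visible request.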
- class swh.auth.django.backends.OIDCBearerTokenAuthentication
  Bases: BaseAuthentication

  Django REST Framework authentication backend using bearer tokens for Keycloak OpenID Connect.

  It authenticates a Web API user who sends a long-lived OpenID Connect refresh token in HTTP Authorization headers. Long-lived refresh tokens can be generated by opening an OpenID Connect session with the following scope: openid offline_access.

  To use that backend globally in your DRF application, proceed as follows:

  - add "swh.auth.django.backends.OIDCBearerTokenAuthentication" to the REST_FRAMEWORK["DEFAULT_AUTHENTICATION_CLASSES"] Django setting
  - configure Keycloak URL, realm and client by adding SWH_AUTH_SERVER_URL, SWH_AUTH_REALM_NAME and SWH_AUTH_CLIENT_ID in Django settings

  Users will then be able to perform authenticated Web API calls by sending their refresh token in HTTP Authorization headers, for instance:

  curl -H "Authorization: Bearer ${TOKEN}" https://....