
Implementation of sso with django auth. Is this safe?

Developer https://www.devze.com 2023-03-17 09:59 Source: web

I'm trying to implement single sign-on using only django auth.

Let's assume two django projects, on different sub-domains: site.com (auth) and app1.site.com (app1). The auth table in site.com is master. site.com handles: login, logout, account registration, etc.

site.com sets SESSION_COOKIE_DOMAIN to .site.com to allow it to be read by subdomains

app1 will have login_url set to a view in the app1 project, which does the following:

  • retrieves site.com's session_id value(from cookie)
  • validates session_id by making a request to: site.com/validate/[session_id]/
  • If False, redirects to site.com/login?next=[...]
  • If True, request user data to: site.com/attributes/[session_id]/
  • site.com/attributes/ delivers a dictionary with all the User values, encrypted using a shared SSO_KEY(encryption done the same way django encodes and decodes session_id)

Now, app1 has a model SSO_User which has two fields, a foreign key to the User model and an integer field. The SSO_User model links the local auth User to the id in the master auth table.

Using the id retrieved from site.com, we check SSO_User for an existing local user; if it exists, we simply update the values and log in; if it does not exist, we create the User and SSO_User and log in.

app1(or any other sub-domain) can keep their own profile information, without interfering with anything.

It seems simple to implement and safe, but before implementing I wanted some opinions. What do you think?
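An added, self-contained sketch of the attribute exchange and the SSO_User lookup described above; it is not code from the question or the answer. Two things about the design are worth seeing in code. Django's signing module (`django.core.signing`, which is what session ids are encoded with) produces HMAC-signed, base64-encoded values, so the "encrypted" attributes dictionary is tamper-evident but readable by anyone who sees it, which is why the site.com to app1 request needs TLS. And a blob that carries no timestamp can be replayed indefinitely, so the stand-in below includes one and app1 rejects old blobs. Assumptions: the standard-library `hmac`/`hashlib` signing here stands in for Django's signer, the `SsoUserStore` class stands in for the User and SSO_User models, the key is a constructed placeholder, and the user dictionary is assumed to contain `id`, `username` and `email`.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed shared secret standing in for the question's SSO_KEY; both
# projects would load the real one from settings, never from source.
SSO_KEY = b"constructed-shared-secret-for-this-example"
MAX_AGE_SECONDS = 60  # how long a signed attribute blob stays acceptable


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, so the token contains no '.' characters."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(key: bytes, message: str) -> str:
    return _b64(hmac.new(key, message.encode(), hashlib.sha256).digest())


# ---- site.com side: what /attributes/<session_id>/ would return ----------
def sign_attributes(user: dict, key: bytes = SSO_KEY, now: Optional[float] = None) -> str:
    """Return 'payload.timestamp.mac'. The HMAC makes it tamper-evident, not secret."""
    ts = int(time.time() if now is None else now)
    payload = _b64(json.dumps(user, sort_keys=True, separators=(",", ":")).encode())
    signed = f"{payload}.{ts}"
    return f"{signed}.{_mac(key, signed)}"


# ---- app1 side: verify the blob before trusting anything inside it -------
class BadSignature(Exception):
    """Raised when the blob is malformed, forged, tampered with, or too old."""


def verify_attributes(token: str, key: bytes = SSO_KEY,
                      max_age: int = MAX_AGE_SECONDS, now: Optional[float] = None) -> dict:
    parts = token.rsplit(".", 2)
    if len(parts) != 3:
        raise BadSignature("malformed token")
    payload, ts, mac = parts
    # Constant-time comparison, so a forger learns nothing from response timing.
    if not hmac.compare_digest(_mac(key, f"{payload}.{ts}"), mac):
        raise BadSignature("signature mismatch")
    age = (time.time() if now is None else now) - int(ts)
    if not 0 <= age <= max_age:
        raise BadSignature("token expired or timestamp in the future")
    return json.loads(_unb64(payload))


class SsoUserStore:
    """In-memory stand-in for app1's User table plus the SSO_User link table."""

    def __init__(self) -> None:
        self.users: dict = {}   # local user id -> attribute row
        self.links: dict = {}   # master (site.com) id -> local user id

    def login_from_attributes(self, attrs: dict) -> dict:
        """Find or create the local user linked to the master id, then refresh it."""
        master_id = attrs["id"]
        local_id = self.links.get(master_id)
        if local_id is None:                 # first visit: provision User + SSO_User
            local_id = len(self.users) + 1
            self.users[local_id] = {}
            self.links[master_id] = local_id
        row = self.users[local_id]           # existing link: update the values
        row["username"] = attrs["username"]
        row["email"] = attrs["email"]
        return {"local_id": local_id, **row}


if __name__ == "__main__":
    blob = sign_attributes({"id": 7, "username": "alice", "email": "alice@example.com"})
    store = SsoUserStore()
    print(store.login_from_attributes(verify_attributes(blob)))
```

One further point a reviewer would raise about the design as written: `site.com/validate/[session_id]/` puts the master session id into a URL path, and URL paths end up in web-server, proxy and browser logs. Sending it in a request header or POST body over TLS keeps it out of those logs without changing the rest of the flow.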


I don't profess to be a web security expert, but I've done something similar in the past. As long as you properly set the cookie domain (which you claim to be doing) I don't really see any security issues, especially since both sites are on the same domain.

If you really want to be safe I suppose you could set up your own OAuth portal or something, but quite frankly that seems to be overkill.
