This package contains custom authentication backends, views, and pipeline steps used by edX services for single sign-on.
This package is compatible with Python 2.7 and 3.5, and Django 1.8 through 1.11.
We currently support two forms of authentication:
- OAuth 2.0
- OpenID Connect (deprecated)
Support for OpenID Connect (OIDC) is deprecated. Clients should use the OAuth 2.0 backend. This backend behaves similarly to the OIDC backend, except we use a JWT as the access token instead of OIDC's ID token. This allows us to use any OAuth provider, and not rely on an implementation of an OIDC provider.
The auth_backends package can be installed from PyPI using pip:
$ pip install edx-auth-backends
Update INSTALLED_APPS:
INSTALLED_APPS = (
'social_django',
)Adding single sign-on/out support to a service requires a few changes:
- Define settings
- Add the authentication backend
- Add the login/logout redirects
| Setting | Purpose |
|---|---|
| SOCIAL_AUTH_EDX_OAUTH2_KEY | Client key |
| SOCIAL_AUTH_EDX_OAUTH2_SECRET | Client secret |
| SOCIAL_AUTH_EDX_OAUTH2_ENDPOINT | Provider root (e.g. https://courses.stage.edx.org/oauth2) |
| SOCIAL_AUTH_EDX_OAUTH2_JWS_HMAC_SIGNING_KEY | (Optional) Shared secret for JWT signed with HS512 algorithm |
| SOCIAL_AUTH_EDX_OAUTH2_PROVIDER_CONFIGURATION_CACHE_TTL | (Optional) Cache timeout for provider configuration. Defaults to 1 week. |
| SOCIAL_AUTH_EDX_OAUTH2_JWKS_CACHE_TTL | (Optional) Cache timeout for provider's JWKS key data. Defaults to 1 day. |
Note that the OAuth 2.0 provider uses SOCIAL_AUTH_EDX_OAUTH2_ENDPOINT to read configuration from a special path,
.well-known/openid-configuration (e.g. https://courses.stage.edx.org/oauth2/.well-known/openid-configuration). The
data returned from this endpoint provides the URLs necessary for authentication as well as the public keys used to
verify the signed JWT (JWS) access token.
As of auth-backends 2.0.0, oAuth2 Applications require access to the user_id scope in order for the EdXOAuth2 backend to work. The backend will write the user_id into the social-auth extra_data, and can be accessed within the User model as follows:
self.social_auth.first().extra_data[u'user_id'] # pylint: disable=no-member
The following settings MUST be set:
| Setting | Purpose |
|---|---|
| SOCIAL_AUTH_EDX_OIDC_KEY | OAuth/OpenID Connect client key |
| SOCIAL_AUTH_EDX_OIDC_SECRET | OAuth/OpenID Connect client secret |
| SOCIAL_AUTH_EDX_OIDC_ID_TOKEN_DECRYPTION_KEY | Identity token decryption key (same value as the client secret for edX OpenID Connect) |
| SOCIAL_AUTH_EDX_OIDC_URL_ROOT | OAuth/OpenID Connect provider root (e.g. https://courses.stage.edx.org/oauth2) |
| SOCIAL_AUTH_EDX_OIDC_ISSUER | OAuth/OpenID Connect provider ID token issuer (e.g. https://courses.stage.edx.org/oauth2) |
| SOCIAL_AUTH_EDX_OIDC_LOGOUT_URL | OAuth/OpenID Connect provider's logout page URL (e.g. https://courses.stage.edx.org/logout) |
If your application requires additional user data in the identity token, you can specify additional claims by defining
the EXTRA_SCOPE setting. For example, if you wish to have a claim named preferred_language, you would include
the following in your settings:
EXTRA_SCOPE = ['preferred_language']Assuming the identity provider knows how to process that scope, the associated claim data will be included in the
identity token returned during authentication. Note that these scopes/claims are dependent on the identity provider
being used. The EdXOpenIdConnect backend is configured to be used by all edX services out-of-the-box.
The optional setting COURSE_PERMISSIONS_CLAIMS, used primarily by
edx-analytics-dashboard, can be used to designate scopes/claims that
should be requested in order to retrieve a list of courses the user is permitted to access/administer. The value of this
array depends on the authentication provider's available scopes.
We use a custom strategy that includes many of the default settings necessary to utilize single sign-on for edX services. This strategy should be used for all services to simplify configuration. If you need to override the defaults, you may still do so as you would with any social auth setting——prepend SOCIAL_AUTH_ to the setting name. Add the following to your Django settings to use the strategy:
SOCIAL_AUTH_STRATEGY = 'auth_backends.strategies.EdxDjangoStrategy'Configuring the backend is simply a matter of updating the AUTHENTICATION_BACKENDS setting. The configuration
below is sufficient for all edX services.
AUTHENTICATION_BACKENDS = (
'auth_backends.backends.EdXOpenIdConnect',
'django.contrib.auth.backends.ModelBackend',
)In order to make use of the authentication backend, your service's login/logout views need to be updated. The login view should be updated to redirect to the authentication provider's login page. The logout view should be updated to redirect to the authentication provider's logout page.
This package includes views and urlpatterns configured for OIDC and OAuth 2.0. To use them, simply append/prepend
either auth_urlpatterns or oauth2_urlpatterns to your service's urlpatterns in urls.py.
from auth_backends.urls import auth_urlpatterns
urlpatterns = auth_urlpatterns + [
url(r'^admin/', include(admin.site.urls)),
...
]It is recommended that you not modify the login view. If, however, you need to modify the logout view (to redirect to
a different URL, for example), you can subclass either EdxOAuth2LogoutView or EdxOpenIdConnectLogoutView for
the view and LogoutViewTestMixin for your tests.
When using the Docker-based devstack, it is necessary to have both internal and public URLs for the OAuth/OIDC
provider. To accommodate this need, set the SOCIAL_AUTH_EDX_OIDC_PUBLIC_URL_ROOT setting to the value of the
provider's browser-accessible URL.
SOCIAL_AUTH_EDX_OIDC_URL_ROOT = 'http://edx.devstack.edxapp:18000/oauth2'
SOCIAL_AUTH_EDX_OIDC_PUBLIC_URL_ROOT = 'http://localhost:18000/oauth2'Additionally, the logout URL should also be browser-accessible:
SOCIAL_AUTH_EDX_OIDC_LOGOUT_URL = 'http://localhost:18000/logout'Call make test.
The code in this repository is licensed under the AGPL unless otherwise noted.
Please see LICENSE.txt for details.
Contributions are very welcome!
Please read How To Contribute for details.
Even though it was written with edx-platform in mind, the guidelines should be followed for Open edX code in general.
Please do not report security issues in public. Please email [email protected].
You can discuss this code on the edx-code Google Group or in the
#edx-code IRC channel on Freenode.