CAS
Solution
- Use CAS as the authentication protocol.
- System A is the primary authentication provider.
- A keeps the user database; the other systems (xxx, www, ...) keep no user data of their own, i.e. the provider is implemented in A.
- Implementation steps
- The user clicks login on xxx and is redirected to the LMS (CAS server) login screen. CAS checks the credentials against its database, sets a single-sign-on cookie in the browser and redirects back to xxx with a ticket appended to the URL.
- xxx extracts the ticket from the URL and sends it to the CAS server to verify that it is valid.
- Once the ticket validates, xxx lets the user access its internal resources.
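The ticket exchange in the three steps above, as an added example that is not code from django-mama-cas or django-cas-ng. It models the server-side ticket store and the client's /serviceValidate call so that the three properties a CAS deployment relies on are visible: a service ticket is bound to one service URL, can be validated exactly once, and expires quickly. The ticket lifetime, the allow-list and the user names are constructed values; the XML shape follows the CAS 2/3 protocol.

```python
"""Toy model of a CAS service-ticket exchange (added example, not project code)."""
import secrets
import time
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit
from xml.sax.saxutils import escape

CAS_NS = "http://www.yale.edu/tp/cas"
TICKET_TTL_SECONDS = 10  # assumed: service tickets live only a few seconds

# Constructed allow-list, mirroring the SERVICE entries of MAMA_CAS_SERVICES.
ALLOWED_SERVICES = {"http://127.0.1.1:8000"}


def normalize_service(url: str) -> str:
    """Reduce a service URL to scheme://host[:port] so comparisons ignore path and query."""
    parts = urlsplit(url)
    return urlunsplit((parts.scheme, parts.netloc, "", "", ""))


def _failure(code: str, message: str) -> str:
    return (
        f'<cas:serviceResponse xmlns:cas="{CAS_NS}">'
        f'<cas:authenticationFailure code="{code}">{message}</cas:authenticationFailure>'
        f"</cas:serviceResponse>"
    )


class CasServer:
    """Minimal stand-in for the CAS server (the LMS / provider A in the text)."""

    def __init__(self, now=time.time):
        self._now = now  # injectable clock so expiry can be exercised offline
        self._tickets = {}  # ticket -> (username, service, issued_at)

    def login(self, username: str, service: str) -> str:
        """Called after the user authenticated against the provider's user table.
        Returns the ticket appended to the redirect back to `service`."""
        if normalize_service(service) not in ALLOWED_SERVICES:
            raise ValueError("service not registered")  # unknown SERVICE entry
        ticket = "ST-" + secrets.token_urlsafe(24)
        self._tickets[ticket] = (username, service, self._now())
        return ticket

    def service_validate(self, ticket: str, service: str) -> str:
        """Answer to GET /serviceValidate?ticket=...&service=... as CAS 2/3 XML."""
        entry = self._tickets.pop(ticket, None)  # pop: a ticket is single-use
        if entry is None:
            return _failure("INVALID_TICKET", "ticket not recognized or already used")
        username, bound_service, issued_at = entry
        if self._now() - issued_at > TICKET_TTL_SECONDS:
            return _failure("INVALID_TICKET", "ticket expired")
        if bound_service != service:
            return _failure("INVALID_SERVICE", "ticket was issued for a different service")
        return (
            f'<cas:serviceResponse xmlns:cas="{CAS_NS}">'
            f"<cas:authenticationSuccess><cas:user>{escape(username)}</cas:user>"
            f"</cas:authenticationSuccess></cas:serviceResponse>"
        )


def client_validate(server: CasServer, ticket: str, service: str):
    """Client side (xxx): send the ticket back with the same service URL and parse
    the XML. Returns the authenticated username, or None on any failure."""
    root = ET.fromstring(server.service_validate(ticket, service))
    user = root.find(f"{{{CAS_NS}}}authenticationSuccess/{{{CAS_NS}}}user")
    return user.text if user is not None else None


if __name__ == "__main__":
    cas = CasServer()
    t = cas.login("alice", "http://127.0.1.1:8000/accounts/login")
    print(client_validate(cas, t, "http://127.0.1.1:8000/accounts/login"))  # alice
    print(client_validate(cas, t, "http://127.0.1.1:8000/accounts/login"))  # None: replay
```

The client must send exactly the service URL it was redirected back to; the server compares it with the URL the ticket was issued for, which is what stops a ticket captured for one service from being redeemed at another.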
Django code
Initialize a client project

```shell
# project names must be valid Python identifiers, so no hyphen
django-admin startproject cas_client
```
Install dependencies

```shell
pip install django-mama-cas   # server
pip install django-cas-ng     # client
```
Server

```python
# settings.py
INSTALLED_APPS = (
    # ... other installed apps
    'mama_cas',
)

# Allow single logout (optional)
MAMA_CAS_ENABLE_SINGLE_SIGN_OUT = True

# Important: SERVICE is the client's origin (scheme://host:port). The list can
# hold several services; add one dict per client.
MAMA_CAS_SERVICES = [
    {
        'SERVICE': 'http://127.0.1.1:8000',
        'CALLBACKS': [
            'mama_cas.callbacks.user_model_attributes',  # returns all user fields except the password
            # 'mama_cas.callbacks.user_name_attributes',  # returns only the username
        ],
        'LOGOUT_ALLOW': True,
        'LOGOUT_URL': 'http://127.0.1.1:8000/accounts/callback',
    },
]

# urls.py
url(r'', include('mama_cas.urls')),
```

Don't forget:

```shell
python3 manage.py migrate
```
Client

```python
# settings.py
INSTALLED_APPS = (
    # ... other installed apps
    'django_cas_ng',
)

AUTHENTICATION_BACKENDS = (
    'django.contrib.auth.backends.ModelBackend',
    'django_cas_ng.backends.CASBackend',
)

# Address of the LMS (the CAS server)
CAS_SERVER_URL = 'http://127.0.0.1:8000'
CAS_VERSION = '3'
# Store all user attributes returned by the CAS server on the local user object.
CAS_APPLY_ATTRIBUTES_TO_USER = True

# urls.py
import django_cas_ng.views as cas_views

url(r'^accounts/login$', cas_views.login, name='cas_ng_login'),
url(r'^accounts/logout$', cas_views.logout, name='cas_ng_logout'),
url(r'^accounts/callback$', cas_views.callback, name='cas_ng_proxy_callback'),
```

Also:

```shell
python3 manage.py migrate
```
Usage Process
- The user clicks login on the client; the client redirects the browser to /accounts/login on the server.
- After authentication succeeds, a login cookie is set under the client's host, the user is logged in to the client system and the browser is redirected to the client's homepage.
- Logging out on the client redirects the browser to /accounts/logout on the server.
Caveats
- The server and client cannot run under the same host, otherwise a 500 internal error occurs, because the login cookie has to be stored under the client's own host.
- For local testing, when the client runs on 127.0.1.1:8000, add that IP to ALLOWED_HOSTS.
- The client has to handle the empty (root) route, because the return address the CAS server redirects to after authentication is the client's root URL.
- Logging out on the client also goes through the CAS server, so single logout has to be enabled on the CAS server.
OAuth2 combined with CAS to build an authentication system
- On the CAS login page, click the GitHub login and use the OAuth2 state parameter to carry the service parameter of the current page.
- After the user confirms the login, GitHub returns the state; fetch the user data and redirect to a handler function.
- Log the user in to the system, issue a ticket and redirect to the service.
- The two requests are not the same request, so there is no way to save the service URL in a session or cookie.
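One way to carry the service URL through the GitHub round trip in the state parameter without trusting it blindly, as an added example that is not code from the page or from any project. The state is an HMAC-signed, time-limited blob, and the service it names is checked against the registered service list before the handler redirects anywhere, so a forged or altered state cannot turn the callback into an open redirect. The secret, the lifetime and the service list are constructed values.

```python
"""Signed OAuth2 `state` carrying a CAS service URL (added example, not project code)."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import urlsplit, urlunsplit

STATE_SECRET = b"constructed-secret-load-this-from-settings"  # constructed value
STATE_TTL_SECONDS = 300  # assumed: one login round trip should finish well within 5 minutes
ALLOWED_SERVICES = {"http://127.0.1.1:8000"}  # mirrors the SERVICE entries of MAMA_CAS_SERVICES


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: bytes) -> str:
    return _b64e(hmac.new(STATE_SECRET, payload, hashlib.sha256).digest())


def make_state(service: str, now=None) -> str:
    """Build the `state` value sent to GitHub when the CAS login page starts OAuth2.
    It carries the service URL, a random nonce and the issue time, all signed."""
    issued = int(time.time() if now is None else now)
    payload = json.dumps(
        {"service": service, "nonce": secrets.token_urlsafe(16), "iat": issued},
        separators=(",", ":"),
    ).encode()
    return f"{_b64e(payload)}.{_sign(payload)}"


def parse_state(state: str, now=None):
    """Return the service URL carried in `state`, or None if the state is
    malformed, forged, expired or names a service that is not registered."""
    try:
        body, sig = state.split(".", 1)
        payload = _b64d(body)
    except (ValueError, TypeError):  # base64 errors are ValueError subclasses
        return None
    # Check the MAC before touching the content, in constant time.
    if not hmac.compare_digest(sig, _sign(payload)):
        return None
    data = json.loads(payload)
    current = int(time.time() if now is None else now)
    if current - data["iat"] > STATE_TTL_SECONDS:
        return None
    parts = urlsplit(data["service"])
    origin = urlunsplit((parts.scheme, parts.netloc, "", "", ""))
    if origin not in ALLOWED_SERVICES:
        return None  # only registered clients may be redirect targets
    return data["service"]


if __name__ == "__main__":
    s = make_state("http://127.0.1.1:8000/accounts/login")
    print(parse_state(s))  # the service URL
    print(parse_state(s[:-2] + "xx"))  # None: signature no longer matches
```

The handler that receives GitHub's callback calls parse_state on the returned state and aborts the login when it gets None; only the URL that came out of a valid state is used for the final redirect with the ticket.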
This is the whole content of this article.