mirror of https://github.com/peeringdb/peeringdb.git synced 2024-05-11 05:55:09 +00:00
Stefan Pratter c3b70ce09f Expose authentication methods on outbound federation (#1565)
* Expose authentication methods on outbound federation

* relock

* docs

* linting

* docs

* webauthn instead of u2f

* use swk

* docs

* remove cruft

* remove unused import

* add amr claim for JWT ID token as well

fix tests

add test key

* fix oidc validator tests

* fix merge cruft

---------

Co-authored-by: 20C <code@20c.com>
2024-03-12 20:59:15 -05:00


Example backend for python social core

```python
from django.conf import settings
from social_core.backends.oauth import BaseOAuth2
from social_core.exceptions import AuthFailed


class PeeringDBOAuth2(BaseOAuth2):
    name = "peeringdb"
    # Endpoint URLs come from Django settings so the backend can be pointed
    # at production or a test instance without code changes.
    AUTHORIZATION_URL = settings.PDB_OAUTH_AUTHORIZE_URL
    ACCESS_TOKEN_URL = settings.PDB_OAUTH_ACCESS_TOKEN_URL
    PROFILE_URL = settings.PDB_OAUTH_PROFILE_URL

    ACCESS_TOKEN_METHOD = "POST"

    # "amr" is requested as a scope and kept in extra_data so the relying
    # party can inspect how the user authenticated at PeeringDB.
    DEFAULT_SCOPE = ["email", "profile", "networks", "amr"]
    EXTRA_DATA = ["networks", "amr"]

    def get_user_details(self, response):
        """Return user details."""

        # Only users affiliated with a PeeringDB organization are accepted.
        if response.get("verified_user") is not True:
            raise AuthFailed(
                self,
                "PeeringDB user is not verified. Please affiliate yourself with an organization in PeeringDB and try again.",
            )

        return {
            "username": response.get("given_name"),
            "email": response.get("email") or "",
            "first_name": response.get("given_name"),
            "last_name": response.get("family_name"),
        }

    def user_data(self, access_token, *args, **kwargs):
        """Load user data from service."""
        # The profile endpoint is called with the bearer token obtained
        # during the OAuth2 exchange.
        headers = {"Authorization": "Bearer %s" % access_token}
        data = self.get_json(self.PROFILE_URL, headers=headers)

        return data
```

AMR values

PeeringDB does not currently collect device attestation and therefore has no way to identify the authentication method according to RFC 8176 (https://datatracker.ietf.org/doc/html/rfc8176). It does, however, collect the following AMR values:

  • pwd - Password
  • mfa - Multi-factor authentication
  • otp - One-time password
  • swk - Proof-of-Possession (PoP) of a software-secured key; using a WebAuthn security key appends this value
```
"amr": ["pwd", "mfa", "otp"] # password entered + OTP
"amr": ["pwd", "mfa", "swk"] # password entered + security key
"amr": ["pwd"] # password entered
"amr": ["mfa", "swk", "otp"] # passwordless with security key + OTP
"amr": ["mfa", "swk", "swk"] # passwordless with security key + 2FA with another security key
"amr": ["swk"] # passwordless without MFA
```
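The backend above keeps `amr` in extra_data, and the list of values shows what a relying party can learn from it. The following is an added example (not PeeringDB project code) of a relying-party policy check over that claim; it assumes the `amr` list arrives in the profile response as shown, and `require_mfa` is a hypothetical pipeline step name.

```python
# Added example, not PeeringDB project code. Assumes the `amr` list reaches
# the relying party through the profile response (EXTRA_DATA) shown above.

# The AMR values PeeringDB documents (a subset of the RFC 8176 vocabulary).
KNOWN_AMR = {"pwd", "mfa", "otp", "swk"}
FACTOR_VALUES = {"pwd", "otp", "swk"}   # values that name an actual factor


def assess_amr(amr):
    """Summarise an amr list; a missing claim is treated as no information."""
    values = list(amr or [])
    return {
        "password_used": "pwd" in values,
        "mfa": "mfa" in values,
        # distinct factor kinds, e.g. ("otp", "pwd")
        "factors": tuple(sorted({v for v in values if v in FACTOR_VALUES})),
        # a repeated swk means two different security keys were used
        "security_keys": values.count("swk"),
        "unknown": tuple(sorted(set(values) - KNOWN_AMR)),
    }


def mfa_policy_ok(amr, require_security_key=False):
    """True when the login meets policy: PeeringDB asserted `mfa` AND the
    claim carries evidence of two factors (two distinct kinds, or two
    security keys). Optionally also require a security key (`swk`)."""
    s = assess_amr(amr)
    if not s["mfa"]:
        return False
    if len(s["factors"]) < 2 and s["security_keys"] < 2:
        return False   # a bare "mfa" with no factor evidence is not trusted
    if require_security_key and s["security_keys"] == 0:
        return False
    return True


def require_mfa(backend=None, response=None, **kwargs):
    """python-social-auth pipeline step (hypothetical name) to place after
    social_details in SOCIAL_AUTH_PIPELINE; aborts logins below policy."""
    if backend is None or backend.name != "peeringdb":
        return None
    if not mfa_policy_ok((response or {}).get("amr")):
        from social_core.exceptions import AuthForbidden  # imported only on failure
        raise AuthForbidden(backend)
    return None
```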