## Example backend for python social core
```python
from django.conf import settings
from social_core.backends.oauth import BaseOAuth2
from social_core.exceptions import AuthFailed
class PeeringDBOAuth2(BaseOAuth2):
    """python-social-auth OAuth2 backend for PeeringDB.

    Endpoint URLs come from the Django settings (``PDB_OAUTH_*``).  The
    requested scopes include ``networks`` and ``amr``; both are also listed in
    ``EXTRA_DATA`` so the user's network affiliations and the authentication
    methods reported by PeeringDB are retained with the social-auth record.
    """

    name = "peeringdb"
    AUTHORIZATION_URL = settings.PDB_OAUTH_AUTHORIZE_URL
    ACCESS_TOKEN_URL = settings.PDB_OAUTH_ACCESS_TOKEN_URL
    PROFILE_URL = settings.PDB_OAUTH_PROFILE_URL

    # The authorization code is exchanged for a token with a POST request.
    ACCESS_TOKEN_METHOD = "POST"

    DEFAULT_SCOPE = ["email", "profile", "networks", "amr"]
    # Response fields kept alongside the association rather than read once.
    EXTRA_DATA = ["networks", "amr"]

    def get_user_details(self, response):
        """Map the PeeringDB profile *response* onto social-auth user fields.

        Only verified PeeringDB users are accepted; an unverified user (one not
        affiliated with an organization) is rejected with ``AuthFailed``.

        Args:
            response: Profile payload as returned by :meth:`user_data`.

        Returns:
            dict with ``username``, ``email``, ``first_name`` and ``last_name``.

        Raises:
            AuthFailed: if ``verified_user`` is not exactly ``True``.
        """
        # Strict comparison against True: a missing flag or any other truthy
        # value (e.g. a non-empty string) must not pass the gate.
        if response.get("verified_user") is not True:
            raise AuthFailed(
                self,
                "PeeringDB user is not verified. Please affiliate yourself with an organization in PeeringDB and try again.",
            )

        given_name = response.get("given_name")
        # NOTE(review): the social-auth username is derived from the given
        # name — confirm this is the intended identifier for the deployment.
        details = {}
        details["username"] = given_name
        details["email"] = response.get("email") or ""
        details["first_name"] = given_name
        details["last_name"] = response.get("family_name")
        return details

    def user_data(self, access_token, *args, **kwargs):
        """Fetch the user's profile from ``PROFILE_URL``.

        The token is presented as a bearer credential in the Authorization
        header.  Extra positional and keyword arguments passed by the pipeline
        are accepted but not used.

        Args:
            access_token: OAuth2 access token obtained from PeeringDB.

        Returns:
            The decoded JSON profile document.
        """
        auth_header = {"Authorization": "Bearer %s" % access_token}
        return self.get_json(self.PROFILE_URL, headers=auth_header)
```
## AMR values
PeeringDB currently does not collect device attestation and therefore cannot identify the authentication method in the way RFC 8176 (https://datatracker.ietf.org/doc/html/rfc8176) describes. However, it does record the following AMR values:
- `pwd` - Password
- `mfa` - Multi-factor authentication
- `otp` - One-time password
- `swk` - Proof-of-Possession (PoP) of a software-secured key; authenticating with a WebAuthn security key appends this value
```python
"amr": ["pwd", "mfa", "otp"] # password entered + OTP
"amr": ["pwd", "mfa", "swk"] # password entered + Security Key
"amr": ["pwd"] # password entered
"amr": ["mfa", "swk", "otp"] # passwordless with security key + OTP
"amr": ["mfa", "swk", "swk"] # passwordless with security key + 2FA with another security key
"amr": ["swk"] # passwordless without MFA
```