├── README.rst ├── googleauth ├── __init__.py ├── backends.py ├── models.py ├── urls.py └── views.py ├── requirements.txt └── setup.py /README.rst: -------------------------------------------------------------------------------- 1 | ================= 2 | django-googleauth 3 | ================= 4 | 5 | Simplified OAuth + OpenID Connect for authentication via Google. 6 | 7 | googleauth used to be REALLY simple, but then Google decided to get rid of their OpenID service. Boooo Google. googleauth has been migrated to `OAuth 2.0 + OpenID Connect `_, which isn't quite as great because it takes a bit more configuration to get going. 8 | 9 | googleauth was built to provide an easy way to add authentication against a Google Apps for Business domain, ideally for an individual organization. This package is not the best option if you are looking for a general social auth solution. Check out `python-social-auth `_ instead. 10 | 11 | 12 | Getting things set up on Google 13 | =============================== 14 | 15 | #. Log in to the `Google API Console `_. 16 | 17 | #. Open an existing project or create a new one if needed. 18 | 19 | #. Under the *APIS & AUTH* menu item, click *APIs*. 20 | 21 | #. Turn on the Google+ API. 22 | 23 | #. Under the *APIS & AUTH* menu item, click *Credentials*. 24 | 25 | #. Click the *Create new Client ID* button. 26 | 27 | #. Select *Web application* for application type, add your domain as the JavaScript origin, and add the full domain and path to the OAuth callback (see below for how to find this URL). Click the *Create Client ID* button to finish. 28 | 29 | #. You're going to need the Client ID and Client secret values in Django settings, so keep this window open or copy them for later. 30 | 31 | 32 | Callback URL 33 | ~~~~~~~~~~~~ 34 | 35 | The callback URL is constructed from your preferred URL scheme, the domain at which your site is hosted, and the path where you mount the googleauth URL config in Django. 36 | 37 | Let's assume you are using HTTPS and have mounted the googleauth URL config at the root URL. Your callback URL would look something like:: 38 | 39 | https:///callback/ 40 | 41 | Okay, now let's assume you are using HTTP and have mounted the googleauth URL config under */accounts/*:: 42 | 43 | http:///accounts/callback/ 44 | 45 | 46 | Django Setup 47 | ============ 48 | 49 | Settings and configuration 50 | ~~~~~~~~~~~~~~~~~~~~~~~~~~ 51 | 52 | The following settings should be placed in *settings.py*. 53 | 54 | Add to *INSTALLED_APPS*:: 55 | 56 | INSTALLED_APPS = ( 57 | ... 58 | 'googleauth', 59 | ... 60 | ) 61 | 62 | Add to *AUTHENTICATION_BACKENDS*:: 63 | 64 | AUTHENTICATION_BACKENDS = ( 65 | 'googleauth.backends.GoogleAuthBackend', 66 | ... 67 | ) 68 | 69 | Required settings:: 70 | 71 | # client ID from the Google Developer Console 72 | GOOGLEAUTH_CLIENT_ID = '' 73 | 74 | # client secret from the Google Developer Console 75 | GOOGLEAUTH_CLIENT_SECRET = '' 76 | 77 | # your app's domain, used to construct callback URLs 78 | GOOGLEAUTH_CALLBACK_DOMAIN = '' 79 | 80 | 81 | 82 | Optional settings:: 83 | 84 | # callback URL uses HTTPS (your side, not Google), default True 85 | GOOGLEAUTH_USE_HTTPS = True 86 | 87 | # restrict to the given Google Apps domain, default None 88 | GOOGLEAUTH_APPS_DOMAIN = '' 89 | 90 | # get user's name, default True (extra HTTP request) 91 | GOOGLEAUTH_GET_PROFILE = True 92 | 93 | # sets value of user.is_staff for new users, default False 94 | GOOGLEAUTH_IS_STAFF = False 95 | 96 | # list of default group names to assign to new users 97 | GOOGLEAUTH_GROUPS = [] 98 | 99 | URL routes 100 | ~~~~~~~~~~ 101 | 102 | Add URL config:: 103 | 104 | urlpatterns = patterns('', 105 | ... 106 | (r'^auth/', include('googleauth.urls')), 107 | ... 108 | ) 109 | 110 | googleauth doesn't need to be mounted under */auth/*, it can go anywhere. Place it where you see fit for your specific app. -------------------------------------------------------------------------------- /googleauth/__init__.py: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/jcarbaugh/django-googleauth/bbb0520a978482ed636955b7c0fb5707a700661d/googleauth/__init__.py -------------------------------------------------------------------------------- /googleauth/backends.py: -------------------------------------------------------------------------------- 1 | import requests 2 | from django.conf import settings 3 | from django.contrib.auth.models import User, Group 4 | 5 | IS_STAFF = getattr(settings, 'GOOGLEAUTH_IS_STAFF', False) 6 | GROUPS = getattr(settings, 'GOOGLEAUTH_GROUPS', tuple()) 7 | APPS_DOMAIN = getattr(settings, 'GOOGLEAUTH_APPS_DOMAIN', None) 8 | 9 | 10 | class GoogleAuthBackend(object): 11 | 12 | def authenticate(self, identifier=None, attributes=None): 13 | 14 | email = attributes.get('email', None) 15 | (username, domain) = email.split('@') 16 | 17 | if APPS_DOMAIN and APPS_DOMAIN != domain: 18 | return None 19 | 20 | try: 21 | 22 | try: 23 | 24 | user = User.objects.get(email=email) 25 | 26 | except User.MultipleObjectsReturned: 27 | 28 | user = User.objects.get(username=username, email=email) 29 | 30 | except User.DoesNotExist: 31 | 32 | user = User.objects.create(username=username, email=email) 33 | user.first_name = attributes.get('first_name') or '' 34 | user.last_name = attributes.get('last_name') or '' 35 | user.is_staff = IS_STAFF 36 | user.set_unusable_password() 37 | 38 | for group in GROUPS: 39 | try: 40 | grp = Group.objects.get(name=group) 41 | user.groups.add(grp) 42 | except: 43 | pass 44 | 45 | user.save() 46 | 47 | return user 48 | 49 | def get_user(self, user_id): 50 | try: 51 | return User.objects.get(pk=user_id) 52 | except User.DoesNotExist: 53 | pass 54 | -------------------------------------------------------------------------------- /googleauth/models.py: -------------------------------------------------------------------------------- 1 | # these aren't the models you're looking for -------------------------------------------------------------------------------- /googleauth/urls.py: -------------------------------------------------------------------------------- 1 | from django.conf.urls import * 2 | 3 | urlpatterns = patterns('', 4 | url(r'^login/$', 'googleauth.views.login', name='googleauth_login'), 5 | url(r'^callback/$', 'googleauth.views.callback', name='googleauth_callback'), 6 | url(r'^logout/$', 'googleauth.views.logout', name='googleauth_logout'), 7 | ) 8 | -------------------------------------------------------------------------------- /googleauth/views.py: -------------------------------------------------------------------------------- 1 | import jwt 2 | import random 3 | import requests 4 | try: 5 | from urllib import urlencode 6 | except ImportError: 7 | from urllib.parse import urlencode 8 | 9 | from django.conf import settings 10 | from django.core.urlresolvers import reverse 11 | from django.contrib import auth 12 | from django.contrib.auth.views import logout as django_logout 13 | from django.http import HttpResponse, HttpResponseRedirect 14 | 15 | GOOGLE_AUTH_ENDPOINT = 'https://accounts.google.com/o/oauth2/auth' 16 | GOOGLE_TOKEN_ENDPOINT = 'https://accounts.google.com/o/oauth2/token' 17 | GOOGLE_USERINFO_ENDPOINT = 'https://www.googleapis.com/plus/v1/people/me/openIdConnect' 18 | 19 | USE_HTTPS = getattr(settings, 'GOOGLEAUTH_USE_HTTPS', True) 20 | CLIENT_ID = getattr(settings, 'GOOGLEAUTH_CLIENT_ID', None) 21 | CLIENT_SECRET = getattr(settings, 'GOOGLEAUTH_CLIENT_SECRET', None) 22 | CALLBACK_DOMAIN = getattr(settings, 'GOOGLEAUTH_CALLBACK_DOMAIN', None) 23 | APPS_DOMAIN = getattr(settings, 'GOOGLEAUTH_APPS_DOMAIN', None) 24 | GET_PROFILE = getattr(settings, 'GOOGLEAUTH_GET_PROFILE', True) 25 | 26 | # 27 | # utility methods 28 | # 29 | 30 | CSRF_CHARACTERS = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789' 31 | 32 | def generate_csrf_token(): 33 | return ''.join(random.choice(CSRF_CHARACTERS) for x in range(32)) 34 | 35 | 36 | def generate_redirect_uri(): 37 | scheme = 'https' if USE_HTTPS else 'http' 38 | path = reverse('googleauth_callback') 39 | return '%s://%s%s' % (scheme, CALLBACK_DOMAIN, path) 40 | 41 | 42 | # 43 | # the views 44 | # 45 | 46 | def login(request): 47 | 48 | csrf_token = generate_csrf_token() 49 | 50 | params = { 51 | 'client_id': CLIENT_ID, 52 | 'response_type': 'code', 53 | 'scope': 'openid email profile', 54 | 'redirect_uri': generate_redirect_uri(), 55 | 'state': csrf_token, 56 | } 57 | 58 | if APPS_DOMAIN: 59 | params['hd'] = APPS_DOMAIN 60 | 61 | request.session['googleauth_csrf'] = csrf_token 62 | request.session['next'] = request.META.get('HTTP_REFERER', None) 63 | 64 | return HttpResponseRedirect("%s?%s" % (GOOGLE_AUTH_ENDPOINT, urlencode(params))) 65 | 66 | 67 | def callback(request): 68 | 69 | if request.GET.get('state') != request.session.get('googleauth_csrf'): 70 | return HttpResponse('Invalid state parameter', status=401) 71 | 72 | data = { 73 | 'code': request.GET.get('code'), 74 | 'client_id': CLIENT_ID, 75 | 'client_secret': CLIENT_SECRET, 76 | 'redirect_uri': generate_redirect_uri(), 77 | 'grant_type': 'authorization_code', 78 | } 79 | 80 | resp = requests.post(GOOGLE_TOKEN_ENDPOINT, data=data) 81 | 82 | if resp.status_code != 200: 83 | return HttpResponse('Invalid token response', status=401) 84 | 85 | tokens = resp.json() 86 | id_token = jwt.decode(tokens['id_token'], verify=False) 87 | 88 | if (not id_token['email_verified'] 89 | or id_token['iss'] != 'accounts.google.com' 90 | or id_token['aud'] != CLIENT_ID): 91 | return HttpResponse('Forged response', status=401) 92 | 93 | attributes = { 94 | 'email': id_token.get('email'), 95 | 'access_token': tokens['access_token'], 96 | } 97 | 98 | 99 | # get profile data 100 | 101 | if GET_PROFILE: 102 | 103 | headers = {'Authorization': 'Bearer %s' % attributes['access_token']} 104 | resp = requests.get(GOOGLE_USERINFO_ENDPOINT, headers=headers) 105 | 106 | if resp.status_code == 200: 107 | 108 | profile = resp.json() 109 | 110 | attributes['first_name'] = profile.get('given_name') 111 | attributes['last_name'] = profile.get('family_name') 112 | 113 | 114 | # authenticate user 115 | 116 | user = auth.authenticate(attributes=attributes) 117 | if not user: 118 | return HttpResponse('User account not found', status=404) 119 | auth.login(request, user) 120 | 121 | # redirect 122 | 123 | redirect = request.session.get('next', None) 124 | redirect_default = getattr(settings, 'LOGIN_REDIRECT_URL', '/') 125 | return HttpResponseRedirect(redirect or redirect_default) 126 | 127 | 128 | def logout(request): 129 | return django_logout(request) 130 | -------------------------------------------------------------------------------- /requirements.txt: -------------------------------------------------------------------------------- 1 | PyJWT==0.4.1 2 | requests==2.5.1 3 | -------------------------------------------------------------------------------- /setup.py: -------------------------------------------------------------------------------- 1 | from setuptools import setup 2 | 3 | long_description = open('README.rst').read() 4 | 5 | setup( 6 | name="django-googleauth", 7 | version='2.1', 8 | packages=["googleauth"], 9 | description="OAuth 2.0 authentication for Google and Google Apps accounts", 10 | url="https://github.com/jcarbaugh/django-googleauth", 11 | author="Jeremy Carbaugh", 12 | author_email="jcarbaugh@gmail.com", 13 | license='BSD', 14 | long_description=long_description, 15 | platforms=["any"], 16 | install_requires=[ 17 | "PyJWT==0.4.1", 18 | "requests==2.5.1", 19 | ], 20 | classifiers=[ 21 | "Development Status :: 4 - Beta", 22 | "Intended Audience :: Developers", 23 | "License :: OSI Approved :: BSD License", 24 | "Natural Language :: English", 25 | "Operating System :: OS Independent", 26 | "Programming Language :: Python", 27 | "Topic :: Software Development :: Libraries :: Python Modules", 28 | ], 29 | ) 30 | --------------------------------------------------------------------------------