Lightweight Identity Server
March 23rd, 2017 by Ameya Advankar
Problem Statement:
Implement an Identity Server which provides OpenID Connect & OAuth 2.0 capabilities.
Problem Evaluation:
Keycloak, an open source lightweight identity provider, was chosen as the Identity Server. Keycloak is OpenID Connect compliant and can therefore be plugged into any application that implements the API calls specified by OpenID Connect for authentication and identity management.
The following factors were considered when selecting the grant flow type to implement:
- The Django portal is accessed by users via a web browser, which can be used to redirect the user to the Identity Provider's authentication page.[1]
- Users may not trust the portal enough to enter their credentials directly into it.
- The front-end JavaScript code running in the client browser cannot be trusted to hold the user's id_token.
With the above factors in mind, the Authorization Code grant flow was selected for implementation in the Django portal.
Detailed Solution:
While implementing the authentication mechanism in the Django portal, we had to ensure that the code was IdP agnostic, i.e. any OpenID Connect compliant IdP should be pluggable via configuration.
Pictured below is the detailed flow of the implementation.
The code implementation can be found in the develop branch of the spring17-django-portal GitHub repository.
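As an added illustration (not the spring17-django-portal code), the two server-side steps of the Authorization Code flow that the portal performs: building the redirect to the IdP with a session-bound state, and validating the callback before exchanging the code on the back channel. The IdP settings are constructed placeholders and a plain dict stands in for Django's request.session.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed sample IdP settings. A real portal would load the endpoints from
# the IdP's discovery document (/.well-known/openid-configuration), which is
# what keeps the code IdP agnostic: swap the config, not the code.
IDP_CONFIG = {
    "authorization_endpoint": "https://idp.example.test/auth",
    "token_endpoint": "https://idp.example.test/token",
    "client_id": "django-portal",
    "client_secret": "CLIENT_SECRET_PLACEHOLDER",
    "redirect_uri": "https://portal.example.test/oidc/callback",
}

def build_authorization_request(config, session):
    """Step 1: build the redirect to the IdP login page. The random state is
    kept server-side in the session and checked on the way back (CSRF guard);
    the nonce is later compared against the id_token's nonce claim."""
    state = secrets.token_urlsafe(32)
    session["oidc_state"] = state
    session["oidc_nonce"] = secrets.token_urlsafe(32)
    params = {
        "response_type": "code",  # authorization code grant
        "client_id": config["client_id"],
        "redirect_uri": config["redirect_uri"],
        "scope": "openid profile email",
        "state": state,
        "nonce": session["oidc_nonce"],
    }
    return config["authorization_endpoint"] + "?" + urlencode(params)

def handle_callback(config, session, callback_url):
    """Step 2: parse ?code=..&state=.. from the IdP redirect. Reject the
    callback unless state matches the session, then build the back-channel
    token request; the browser never sees client_secret or the id_token."""
    query = parse_qs(urlparse(callback_url).query)
    expected = session.pop("oidc_state", None)
    if expected is None or query.get("state", [None])[0] != expected:
        raise ValueError("state mismatch: rejecting callback")
    if "error" in query or "code" not in query:
        raise ValueError("IdP did not return a code: "
                         + query.get("error", ["missing code"])[0])
    return {  # body for the POST to token_endpoint (not sent here; offline)
        "grant_type": "authorization_code",
        "code": query["code"][0],
        "redirect_uri": config["redirect_uri"],
        "client_id": config["client_id"],
        "client_secret": config["client_secret"],
    }
```

The returned dict is what the portal would POST server-to-server to the token endpoint; the id_token it receives back must then be signature-checked and its nonce compared with the stored one.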
Conclusion
The Authorization Code grant flow was identified as the suitable flow for the Django portal. A proof of concept (PoC) has been implemented in the spring17-django-portal GitHub repository.
Associated GitHub issues
References
- S. Nakandala, H. Gunasinghe, S. Marru, and M. Pierce, "Apache Airavata Security Manager: Authentication and Authorization Implementations for a Multi-Tenant eScience Framework"