matthiask / django-admin-sso Goto Github PK

I have to create one assignment of every user I want to give access to the admin. I might have several such users. And doing this every time is not feasible.

Ideally what I would want is:

1. Every user gets a default assignemnt. For example, [email protected] gets matched to "vaidik" Django user.
2. If the user does not exist, a user is created in Django and a default group is assigned to it.

Is there a way to achieve something like this using this package?

I tested this package with keycloak as the identity provider.

The problem is that keycloak will not return the id_token unless "scope": "openid",.
Is the package focusing mainly on google or are other providers welcome?

I am wondering if it's possible to extend the assignment functionality to be more generic and support the automatic match of a given SSO email to a local model field.

My current problem:

• I have a way to create password-less local users, which allows me to grant them individual permissions to my models.
• Whenever I want to allow a user to SSO in the django-admin, I need to both create the local user AND an assignment rule so they can effectively log in.

This is doable but not very effective. If instead of having to create one of each every time, I could just quickly create one (the user) - it would be half the work!

For this it would be interesting to extend the current Remote User -> Local User rule to define a field from the User model instead of a specific username. Is this currently possible / something possible to implement?

default_app_config is set in django-admin-sso/admin_sso/__init__.py, but is marked for deprecation:

RemovedInDjango41Warning: 'admin_sso' defines default_app_config = 'admin_sso.apps.AdminSSOConfig'. Django now detects this configuration automatically. You can remove default_app_config.

Might be worth conditionally setting it, like is done here, to suppress the warning!

If I open up a page in the admin and am not logged in, I get redirected to the login page, with the next url parameter set to the original page I was trying to reach. However, after completing SSO I am just redirected to the admin index page instead of the "next" url that I was originally trying to reach. Is this intended?

When will a new version of this library be released?

It seems like the changes in 696a8a5 were implemented to remove the imported functions that were deprecated in Django 4.0, and if it's now reached compatibility, it would be great to have a new release!

We are testing changes to our ingress controller and now we are not able to support having the SECURE_SSL_REDIRECT = True in Django. As such all redirects need to be https. I'm seeing that the URL constructed for the redirect being passed to Google is http. Looking to see if there is a way to have that URI constructed as https.

It would be nice to be able to display an error message to the user on the login form if their attempted SSO login failed for one reason or another. Currently on any failure the browser is redirected back to the admin index page.

I was initially going to try subclassing the included Auth backend and adding a message via the Django messages framework, but authenticate() doesn't receive a request which is required for messages to work.

I could implement my own end view and add error messages at the various failure points, but I'd prefer not to own that much of the OAuth logic in my app.

Perhaps making end a class-based view where users can subclass and provide error messages via the view's attributes would work. Or adding additional settings for error messages that the existing end view uses would also work. Though I'm not sure if you want this lib tied to Django's messaging framework or not.

Happy to put together a PR if you would like this functionality.

oauth2client is deprecated, see https://pypi.org/project/oauth2client/