Greetings,

A year ago I had the same problem and did not find any solution, so after that
I started to build my own HTTP(S) single sign-on using PHP (but recently I
ported it to Django), with a workflow like this:

Login:
- The client (consumer) checks the credential server using a hidden iframe.
- The server (single sign-on) checks whether the browser has the session and checks
  whether the client is in the database using a hashed API key.
- If it has the session, the server sends (via POST) the user credentials without
  the password (username, role, email etc.); I also provided the username using
  CSV, which can be modified to JSON.
- The client checks whether the request IP is from the server; if yes, the POST
  parameters are accepted.
- The server redirects the user to the server (hidden iframe).
- The client creates the session.

You can check it at
https://github.com/ivansugi/django-single-sign-on--soekarno-

I hope it matches your requirements.
On Wed, Feb 9, 2011 at 8:37 AM, Sean W <whalens...@gmail.com> wrote:
> This is a re-post of my stack overflow question here
> http://stackoverflow.com/questions/4939908/how-should-i-properly-impliment-https-auth-remote-auth-in-django
>
> Hi,
>
> I am in the planning phase of a new project. I want to be able to control
> multiple relays from my Android-powered phone over the internet. I need to
> use an HTTP-based server as a middleman between the phone and the relays.
> Django is my preferred platform because Python is my strongest skill set.
> This would not be a "web app" (with the exception of the admin interface for
> managing the users and their access to the relays). Rather, the server would
> simply provide an API in the form of HTTPS requests and JSON encoding.
> Though, I should note that I have never done any web development in my life,
> so I don't know best practices (yet). The authentication method should meet
> the following criteria:
>
> - Works over HTTPS (self-signed SSL)
> - Provides multi-factor authentication (in the form of something you
>   have and something you know)
> - Be reasonably secure (would be very difficult to fool, guess at, or
>   otherwise bypass)
> - Is simple in implementation for the server operator and end user on
>   the mobile client
> - Is lightweight in terms of both CPU cycles and bandwidth
>
> I plan to use the following scheme to solve this:
> 1. An administrator logs into the web interface, creates a user, and
>    sets up his/her permissions (including a username and a password chosen
>    by the user).
> 2. The user starts the client, selects "add server", and enters the
>    server URL and his/her credentials.
> 3. The client attempts to authenticate the user via HTTP auth
>    (over SSL). If the authentication was successful, the server will
>    generate an API key in the form of a UUID and send it to the client.
>    The client will save this key and use it in all API calls over HTTPS.
>    HTTP auth is only used for the initial authentication process prior
>    to receiving a key, as a session scheme would not be necessary for
>    this application. Right? The client will only work if the phone is
>    configured to automatically lock with a PIN or pattern after a short
>    timeout. The server will only allow one key to be generated per user,
>    unless an administrator resets the key. Hence, simple, mobile,
>    multifactor authentication.
>
> Is this sound from a security standpoint? Also, can anyone point me to an
> example of how to use the HTTP auth that is built into Django? From a Google
> search, I can find a lot of snippets which hack the feature together. But
> none of them implement HTTP auth in the way it was added to Django in
> 1.1 <http://code.djangoproject.com/ticket/689>.
> The official documentation for REMOTE_AUTH can be found
> here <http://docs.djangoproject.com/en/1.2/howto/auth-remote-user/>,
> but I am having difficulty understanding the documentation as I am very new
> to Django.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Django users" group.
> To post to this group, send email to django-users@googlegroups.com.
> To unsubscribe from this group, send email to
> django-users+unsubscr...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/django-users?hl=en.
>
--
When you are stuck, you can turn around or keep going forward, but not go backward.
Ivan Sugiarto Widodo, ST
Commander In Chief
PT Widodo Rekayasa Komputasi
http://ivan-sugi.blogspot.com
http://wirekom.co.id
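The HTTP-auth-then-API-key exchange described in the quoted question (step 3: Basic auth once over TLS, a UUID key issued at most once per user, the key alone on every later call, an admin-only reset), written out as an added example. This is not code from either poster, not the linked SSO project, and not Django's RemoteUserMiddleware; it is a stdlib-only Python model in which the hypothetical `UserStore` stands in for Django's auth tables and the hypothetical `login` and `api_call` functions stand in for the two views. Two choices it makes that the question leaves open: passwords are stored as salted PBKDF2-SHA256 (Django's own default hasher family), and the API key is stored only as a SHA-256 hash, so a copy of the database does not hand out working keys. The sample user and credentials in the test are constructed.

```python
"""Model of the question's scheme: HTTP Basic auth once, then a per-user UUID API key.
Added example, stdlib only; UserStore/login/api_call are hypothetical stand-ins for
Django's auth tables and views."""
import base64
import binascii
import hashlib
import hmac
import secrets
import uuid
from typing import Optional, Tuple

PBKDF2_ITERATIONS = 200_000  # PBKDF2-SHA256 work factor; tune for the server


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class UserStore:
    """In-memory stand-in for the admin-managed user table (hypothetical)."""

    def __init__(self) -> None:
        self._users = {}        # username -> (salt, password hash)
        self._key_hashes = {}   # sha256(api key) -> username; at most one key per user

    def add_user(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, _hash_password(password, salt))

    def check_password(self, username: str, password: str) -> bool:
        record = self._users.get(username)
        if record is None:
            # Do the same amount of work for unknown users so response time
            # does not reveal which usernames exist.
            _hash_password(password, b"\x00" * 16)
            return False
        salt, expected = record
        return hmac.compare_digest(_hash_password(password, salt), expected)

    def has_api_key(self, username: str) -> bool:
        return username in self._key_hashes.values()

    def issue_api_key(self, username: str) -> str:
        key = str(uuid.uuid4())  # 122 random bits; only its hash is kept server-side
        self._key_hashes[hashlib.sha256(key.encode()).hexdigest()] = username
        return key

    def reset_api_key(self, username: str) -> None:
        # Admin-only in the design: revokes the current key so a new one can be issued.
        self._key_hashes = {h: u for h, u in self._key_hashes.items() if u != username}

    def user_for_api_key(self, key: str) -> Optional[str]:
        return self._key_hashes.get(hashlib.sha256(key.encode()).hexdigest())


def basic_auth_header(username: str, password: str) -> str:
    """What the client sends once, over TLS, to obtain its key."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def parse_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Decode an Authorization: Basic header; None on anything malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    username, sep, password = decoded.partition(":")
    return (username, password) if sep else None


def login(store: UserStore, authorization: Optional[str]) -> Tuple[int, Optional[str]]:
    """Step 3 of the scheme: Basic auth once, get back a UUID API key.
    Returns (HTTP status, key or None)."""
    creds = parse_basic_auth(authorization)
    if creds is None or not store.check_password(*creds):
        return 401, None
    username = creds[0]
    if store.has_api_key(username):
        # One key per user unless an administrator resets it.
        return 409, None
    return 200, store.issue_api_key(username)


def api_call(store: UserStore, x_api_key: Optional[str]) -> Optional[str]:
    """Every later call: the key alone identifies the user. Returns username or None."""
    if not x_api_key:
        return None
    return store.user_for_api_key(x_api_key)
```

Two caveats a practitioner would add to this design. First, the key is a bearer credential: whoever holds it is the user, so the "something you have" is only as strong as the phone's locked, app-private storage, and the server should accept it only over TLS. Second, with a self-signed certificate the Android client must pin that certificate (or its public key); otherwise anyone who can interpose on the connection presents their own self-signed certificate, reads the Basic header, and obtains the key in the user's place.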