
Creating federated authorisation for a Django survey system

by Ed Crewe for EuroPython 2012

This talk is about the development of the user system for an online survey application.

The goal of the talk is to impart some knowledge of the current state of open authorisation standards and how the Python web application tools available for them may be applied in practice. The prerequisites are some background in web development and perhaps authorisation systems; experience of Django is not necessary but may be useful.

The introduction will give background regarding the application, for context: 3 million survey responses in a Perl web application being rewritten in Django with Cassandra and PostgreSQL data storage, and the need to add external access control via Shibboleth (SAML2) and OpenID.

This will be followed by a summary of the features and differences between the three main open standards for third-party access control: SAML2, OAuth and OpenID.

Then I will move on to the issues involved:

  • mapping one or more authentication identities to a single user
  • how authorisation can be derived via attributes, to automate group membership
  • the use of role based access control for allocating object permissions to groups
  • identity lifespan management
  • mixing local and remote authorisation allocation, etc.

Next will be an explanation of what django.contrib.auth provides and its likely future (a rewrite is currently under discussion), followed by a review of the various authentication and authorisation add-on eggs available for Django that could help deliver elements of these requirements.

This section will end with what we chose to use and the issues that this involved.

Finally, some Python code! A look at some of the more generically useful implementation code, e.g. the development of standard object permission decorators for Django class-based views.
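The issues listed above (mapping several authentication identities to one user, deriving group membership from attributes, role based object permissions granted to groups, and mixing locally and remotely allocated groups) together with the object permission decorator mentioned here, as one added, self-contained Python example. It is not code from the talk or from the survey application. Django is not imported: Request and Response are stand-ins for HttpRequest/HttpResponse, has_perm copies the shape of Django's user.has_perm(perm, obj), and the attribute values, group names, role table, subject identifiers and survey ids are all constructed for the example.

```python
from collections import namedtuple
from dataclasses import dataclass, field
from functools import wraps

@dataclass
class User:
    # remote_groups are rebuilt from IdP attributes on each login;
    # local_groups are managed inside the application itself.
    username: str
    local_groups: set = field(default_factory=set)
    remote_groups: set = field(default_factory=set)
    is_authenticated: bool = True

class IdentityStore:
    """Maps (provider, subject) pairs to one local user, so a Shibboleth
    principal name and an OpenID URL can both log in as the same account."""
    def __init__(self):
        self._users, self._identities = {}, {}

    def link(self, provider, subject, username):
        user = self._users.setdefault(username, User(username))
        self._identities[(provider, subject)] = username
        return user

    def resolve(self, provider, subject):
        # The provider is part of the key: a subject string only means
        # something relative to the IdP that asserted it.
        return self._users.get(self._identities.get((provider, subject)))

# Assumed rule table (not from the talk): eduPersonAffiliation is a real
# Shibboleth attribute; the group names on the right are ours.
ATTRIBUTE_GROUP_RULES = {
    ("eduPersonAffiliation", "staff"): "staff",
    ("eduPersonAffiliation", "student"): "students",
}

def apply_attribute_groups(user, attributes):
    """Replace remote groups with those derived from the attributes released
    on this login; values not in the rule table grant nothing."""
    user.remote_groups = {
        group for name, values in attributes.items() for value in values
        if (group := ATTRIBUTE_GROUP_RULES.get((name, value)))
    }
    return user.remote_groups

# RBAC: a role bundles permissions; roles are granted to groups per object.
ROLE_PERMISSIONS = {"viewer": {"survey.view"},
                    "editor": {"survey.view", "survey.change"}}
_grants = {}  # (group, object id) -> set of role names

def grant_role(group, obj_id, role):
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role {role!r}")
    _grants.setdefault((group, obj_id), set()).add(role)

def has_perm(user, perm, obj_id):
    """Object-level check, same shape as Django's user.has_perm(perm, obj)."""
    if not user.is_authenticated:
        return False
    return any(perm in ROLE_PERMISSIONS[role]
               for group in user.local_groups | user.remote_groups
               for role in _grants.get((group, obj_id), ()))

Request = namedtuple("Request", "user")  # stand-in for django.http.HttpRequest
Response = namedtuple("Response", "status body")  # stand-in for HttpResponse

def object_permission_required(perm, url_kwarg="pk"):
    """Deny with 401/403 before the view body runs. On a class-based view
    wrap dispatch: method_decorator(object_permission_required(p), name="dispatch")."""
    def decorator(view):
        @wraps(view)
        def wrapped(request, *args, **kwargs):
            if not request.user.is_authenticated:
                return Response(401, "login required")
            if not has_perm(request.user, perm, kwargs[url_kwarg]):
                return Response(403, "forbidden")  # deny by default
            return view(request, *args, **kwargs)
        return wrapped
    return decorator

@object_permission_required("survey.change")
def edit_survey(request, pk):
    return Response(200, f"editing {pk}")

def demo():
    """Constructed scenario: one user with two federated identities."""
    store = IdentityStore()
    alice = store.link("shibboleth", "alice@uni.example", "alice")
    store.link("openid", "https://alice.example/", "alice")
    apply_attribute_groups(alice, {"eduPersonAffiliation": ["staff"]})
    grant_role("staff", "survey-42", "editor")
    anon = User("anonymous", is_authenticated=False)
    return [edit_survey(Request(alice), pk="survey-42").status,   # 200
            edit_survey(Request(alice), pk="survey-7").status,    # 403
            edit_survey(Request(anon), pk="survey-42").status]    # 401
```

The decorator never consults the view: with no grant for the object it returns 403, and an unauthenticated request gets 401 before any lookup (a real Django deployment would usually redirect to the login URL instead). Because remote groups are replaced wholesale on every login, a user who loses an affiliation at the IdP loses the derived group at the next login, while groups assigned locally survive; that is the identity lifespan and local/remote mix from the list above. On a real Django class-based view the same decorator is applied with django.utils.decorators.method_decorator on dispatch, as the docstring shows.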

Concluding with where we are now and lessons learned.

Language
EN
Duration
60 minutes (inc Q&A)

Tagged as

xml web postgresql database django architecture SOAP