Using lab.enough.community as an OAuth2 provider for the API


#1

Bonjour,

django-allauth has support for GitLab and is tested to work with the demo. It does not work out of the box but does not require code modification. The manual steps for the first time setup are described below. When this is done, lab.enough.community users can create an account on the demo server. A token could then be displayed for them and they could use it to authenticate via the API using the django-rest-framework TokenAuthentication.

One pending question is how to restrict authentication to users that are members of a given lab.enough.community group. Probably with a django permission class?

Creating users via lab.enough.community

The api.enough.community server could be set to only allow authentication via lab.enough.community, granting access to the API to anyone with an account on lab.enough.community.

modified   config/settings.template.py
@@ -48,6 +48,7 @@ INSTALLED_APPS = (
 {% if google %}
     'allauth.socialaccount.providers.google',  # enabled by configure
 {% endif %}
+    'allauth.socialaccount.providers.gitlab',  # enabled by configure
     #'allauth.socialaccount.providers.dropbox',
     #'allauth.socialaccount.providers.github',
     #'allauth.socialaccount.providers.linkedin',
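Review bot: the new `'allauth.socialaccount.providers.gitlab'` line is added unconditionally, while the neighbouring google provider is wrapped in `{% if google %}` / `{% endif %}` in the same template; either wrap the gitlab entry in a matching conditional so `configure` really is what enables it (as the `# enabled by configure` comment claims), or drop that comment so the template does not say one thing and do another.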

The installation instructions are followed like so:

  • mkvirtualenv -p /usr/bin/python3 demo-allauth-bootstrap
  • python configure.py # say no to Google & Facebook :stuck_out_tongue:
  • python manage.py makemigrations allauthdemo_auth
  • python manage.py migrate
  • python manage.py createsuperuser # user foo@bar.com pass foobar
  • python manage.py runserver
  • firefox https://lab.enough.community/admin/applications/ and add an allauth application:

  • use the Application ID and secret to add the provider to the django-allauth tables with python manage.py set_auth_provider gitlab 0477e5be1e7f986ff0c81107cb3c6ffcff37b31d9f327146a7e325831cd8cd2f f7a13305816321f1f935dd76d0b00769d9cee7011bc02e348ec8bf9dde2c5168
  • firefox http://127.0.0.1:8000/admin/sites/site/1/change/ and update the site to 127.0.0.1

  • manually add the following to config/settings.py
SOCIALACCOUNT_PROVIDERS = {
    'gitlab': {
        'GITLAB_URL': 'https://lab.enough.community',
        'SCOPE': ['read_user'],
    },
}
  • stop the server and restart it (python manage.py runserver)
  • firefox http://127.0.0.1:8000/ and click Join and follow the steps until:

Obtain a token

A token can be obtained for each user known to django.

  • in config/settings.py add
INSTALLED_APPS = (
...
    'rest_framework.authtoken',
...
Generated token 52f7b9cdb45161d557c7e23e6029406c64a2088e for user singuliere@autistici.org
  • use the token with each API request in the header Authorization: Token 52f7b9cdb45161d557c7e23e6029406c64a2088e

#2

The permission we need could look up the lab.enough.community token (field token in the socialaccount_socialtoken table) for the user and use it to check if they are a member of the main/infrastructure project.

In the views.py file of the allauth demo:

from rest_framework.decorators import api_view, authentication_classes, permission_classes
from rest_framework.authentication import TokenAuthentication
from rest_framework.permissions import IsAuthenticated
from rest_framework.response import Response

from allauth.socialaccount.models import SocialToken

@api_view(['GET'])
@authentication_classes((TokenAuthentication,))
@permission_classes((IsAuthenticated,))
def example_view(request, format=None):
    # The GitLab OAuth token allauth stored for the authenticated user
    # (socialaccount_socialtoken row, joined through its SocialAccount),
    # rather than whatever token happens to be first in the table.
    token = SocialToken.objects.filter(account__user=request.user,
                                       account__provider='gitlab').first()
    content = {
        'n': token.token if token else None,
        'user': str(request.user),  # `django.contrib.auth.User` instance.
        'auth': str(request.auth),  # the DRF Token used for this request
    }
    return Response(content)

And then we can:

$ curl --header "Authorization: Token 52f7b9cdb4516d557c7e23e6029406c64a2088e" http://127.0.0.1:8000/example_view/
{"n":"afe36d485bd933f972ccc6a2ce809028a2db7ff779bdcb2fccc4b24f38e573b","user":"singuliere@autistici.org","auth":"52f7b9cdb45161d557c7e23e6029406c64a2088e"}
$ curl --header "Authorization: Bearer afe36d485b1d933f972ccc6a2ce809028a2db7ff779bdcb2fccc4b24e573b" https://lab.enough.community/api/v4/projects/1/members
[{"id":10,"name":"singuliere","username":"singuliere","state":"active","avatar_url":"https://lab.enough.community/uploads/-/system/user/avatar/10/avatar.png","web_url":"https://lab.enough.community/singuliere","access_level":40,"expires_at":null}]
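The membership check sketched above, written out as an added example rather than code from this thread: it takes the user's stored GitLab token and GitLab user id, asks the same members endpoint the curl call uses, and only answers yes for an active member at or above a minimum access level. The fetcher is a parameter so the logic can be exercised offline; GITLAB_URL, the access-level constants and SAMPLE_MEMBERS (modelled on the output above) are assumptions.

```python
import json
import urllib.error
import urllib.request
from typing import Callable, Optional

GITLAB_URL = "https://lab.enough.community"  # assumption: instance from the thread
GUEST, REPORTER, DEVELOPER, MAINTAINER = 10, 20, 30, 40  # GitLab "access_level" values


def http_get_json(url: str, bearer: str) -> Optional[list]:
    """Real fetcher: GET url with the user's OAuth token as Bearer; None on HTTP error."""
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + bearer})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.loads(resp.read().decode())
    except (urllib.error.HTTPError, urllib.error.URLError, ValueError):
        return None


def is_project_member(token: str, gitlab_user_id: int, project_id: int,
                      min_access_level: int = GUEST,
                      fetch: Callable[[str, str], Optional[list]] = http_get_json) -> bool:
    """True iff the user owning `token` is an active direct member of project_id
    with at least min_access_level, judged from GitLab's own member list.
    Note: /members lists direct members only; use /members/all to include
    membership inherited from a parent group."""
    members = fetch(f"{GITLAB_URL}/api/v4/projects/{project_id}/members", token)
    if not isinstance(members, list):
        return False  # token rejected, project unknown or odd body: deny, never assume
    for m in members:
        if (m.get("id") == gitlab_user_id and m.get("state") == "active"
                and int(m.get("access_level", 0)) >= min_access_level):
            return True
    return False


# Inside a rest_framework BasePermission subclass, has_permission(self, request, view)
# would look up the allauth SocialToken/SocialAccount for request.user (provider
# 'gitlab') and return is_project_member(tok.token, int(account.uid), PROJECT_ID).

# Constructed sample modelled on the members JSON shown in the thread (offline use).
SAMPLE_MEMBERS = [{"id": 10, "name": "singuliere", "username": "singuliere",
                   "state": "active", "access_level": 40, "expires_at": None}]


def fake_fetch(url: str, bearer: str) -> Optional[list]:
    return SAMPLE_MEMBERS
```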

#3
  • rm ~/.enough/default/db.sqlite3
  • enough manage migrate
  • enough manage set_auth_provider gitlab 0e6c39cc330a6b21ae3008a91965680ee1f38973d2194cf05fa33214b75a0 44e82718ac2510b84f445aa5aaef83edd2d55b69482799b1bfc16e5484eb