Metadata-Version: 2.1
Name: django-auth-spnego2
Version: 5.3
Summary: Django Authentication Backend for Single Sign-On via Kerberos SPNEGO
Home-page: https://github.com/alfonsrv/django-auth-spnego
Author: Brandon Ewing, alfonsrv
Author-email: alfonsrv@protonmail.com
License: Apache 2.0
Classifier: Development Status :: 5 - Production/Stable
Classifier: Environment :: Web Environment
Classifier: Framework :: Django
Classifier: Framework :: Django :: 3.2
Classifier: Framework :: Django :: 4.2
Classifier: Framework :: Django :: 5.1
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.8
Classifier: Programming Language :: Python :: 3.9
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: License :: OSI Approved :: Apache Software License
Classifier: Topic :: Internet :: WWW/HTTP
Requires-Python: >=3.6
Description-Content-Type: text/markdown
License-File: LICENSE
Requires-Dist: gssapi==1.9.0
Requires-Dist: Django>=1.11

# django-auth-spngeo 🪄

Django authentication backend for adding Kerberos/GSS auth to your Django application for single sign-on.

Provides authentication backends and views that are ready-to-use without further modification or can be used
as mixins and part of already-existing logic.


## Requirements

* Generated keytab file that's either at `/etc/krb5.keytab` or set via environment variable `KRB5_KTNAME`
  See [here](https://kantega-sso.atlassian.net/wiki/spaces/KSE/pages/28180757/Create+a+keytab) 
  for excellent information on how to create one
* A working Kerberos KDC (MIT, Microsoft AD DS, Heimdall, ...)
* SPN (Service Principal Name) for your application server(s)
* A method for mapping Kerberos Principals to User objects in your backend


## Installation 👾

Install the package with pip:

```bash
pip install django-auth-spnego2
```

To use the auth backend in a Django project, add `'django_auth_spnego.backends.SpnegoModelBackend'` to 
`AUTHENTICATION_BACKENDS`:

```python
AUTHENTICATION_BACKENDS = [
    'django_auth_spnego.backends.SpnegoModelBackend',
]
```

If you want to use the pre-configured views to authenticate users, add `django_auth_spnego` to `INSTALLED_APPS` 
to be able to use the views:

```python
INSTALLED_APPS = [
    ...
    'django_auth_spnego',
]
```

Then simply add the authentication view to your `urls.py` (alternatively use `SpnegoLoginView` for redirects):

```python
from django_auth_spnego.views import SpnegoView

urls.append(r"^auth/spnego$", SpnegoView.as_view(), name="spnego")
```


## Configuration 🛠️

```python
# Optional setting to define which SPN to use in your keytab file. 
# If this is empty, all keytab entries will be used.
#   For example: `HTTP/sso.contoso.loc`
AUTH_KERBEROS_SPN: str = ''

# Split the Kerberos ticket UPN (User Principal Name) at the rightmost `@` sign. 
# This can be useful if you want to match the left part to Django's default 
# username or don't have your UPN's set up to match the e-mail address.
#       `Administrator@CONTOSO.LOC ==> Administrator`
#   This is only relevant when using the default authentication backend.
AUTH_KERBEROS_UPN_SPLIT: bool = True

# Which Django user field should be used for lookup (e.g. `username`, `email`). 
# If empty, the `USERNAME_FIELD` configured in the user model will be used instead.
#   This is only relevant when using the default authentication backend.
AUTH_KERBEROS_USERNAME_LOOKUP: str = ''

# Automatically create users attempting to authenticate that do not exist yet. 
#   This is only relevant when using the default authentication backend.
AUTH_KERBEROS_CREATE_UNKNOWN_USERS: bool = True
```


## Advanced Usage Information & Client Auth

Optionally, combine Kerberos authentication with LDAP via [django-auth-ldap](https://github.com/django-auth-ldap/django-auth-ldap) 
to aggregate further user information from your Domain Controller after successful authentication – 
like display name, email address and group memberships.

```python
from django_auth_ldap.backend import LDAPBackend
from django_auth_spnego.backends import SpnegoBackendMixin


class SpnegoLdapBackend(SpnegoBackendMixin, LDAPBackend):
    def get_user_from_username(self, username):
        return self.populate_user(username)
```


To test Kerberos authentication, acquire a ticket, and point your favorite supported client at the endpoint. 

```python
import requests
from requests_kerberos import HTTPKerberosAuth

r = requests.get('http://sso.contoso.loc/auth/spnego', auth=HTTPKerberosAuth())
r.status_code
```


To streamline authentication for function-based views, a decorator is available to automatically authenticate users when 
necessary. This is particularly useful for scripts accessing protected resources, as it eliminates the need to manually 
call an authentication endpoint in advance.

```python
from django_auth_spnego.decorators import login_required_spnego

@login_required_spnego
def view(request):
    ...
```

See [here](https://www.roguelynn.com/words/apache-kerberos-for-django/) for further excellent information!


## Acknowledgements

* [Brandon Ewing (bewing)](https://github.com/bewing) for providing the [initial library](https://github.com/imc-trading/django-gss-spnego) this fork is based on
* [Matt Magin (AzMoo)](https://github.com/AzMoo) for writing a [similar Middleware](https://github.com/AzMoo/django-auth-spnego)
* [Lynn Root (econchick)](https://github.com/econchick) for an [excellent write-up](https://www.roguelynn.com/words/apache-kerberos-for-django/) on client auth
