Django Google Apps Authentication
Django has an excellent user management and authentication system built into the framework. With it you can easily create users that can be authenticated against the website. But there are times when you just need to authenticate against a different system. In the case of an app I recently developed, I originally wanted to authenticate against an OS X Server. The OpenDirectory service on OS X Server is an LDAP server, under the hood you’ll find slapd from OpenLDAP running. So should be pretty straight forward to create an authentication module that uses Python’s LDAP module. And this article from the Carthage WebDev site shows you how to do it.
After I got the ldap_auth.py module working on my site, I realized the site would be better served if the authentication happened against Google Apps. Since Google Apps is currently being used by the organization for email, calendaring and sharing documents, everyone already has an account there. And with the ldap_auth.py module from Carthage Webdev, I thought it would be pretty simple to provide a google_auth.py module.
On a side note, I’m using Python 2.5 as installed via MacPorts. Before I could use the gdata APIs, I had to install py25-socket-ssl.
The APIs are pretty well documented via the examples from the Python Developer’s Guide. Here’s how I’m authenticating a Django project with users on Google Apps.
To start, there are three configuration variables that I added to the Django project’s settings.py module:
# Google Apps Settings GAPPS_DOMAIN = 'your_domain.com' GAPPS_USERNAME = 'name_of_an_admin_user' GAPPS_PASSWORD = 'admin_users_password'
These will allow the module to authenticate against Google Apps and ask for specific details about the user.
Here’s the code for google_auth.py:
import logging from django.contrib.auth.models import User from django.conf import settings from gdata.apps.service import AppsService, AppsForYourDomainException from gdata.docs.service import DocsService from gdata.service import BadAuthentication logging.debug('GoogleAppsBackend') class GoogleAppsBackend: """ Authenticate against Google Apps """ def authenticate(self, username=None, password=None): logging.debug('GoogleAppsBackend.authenticate: %s - %s' % (username, '*' * len(password))) admin_email = '%s@%s' % (settings.GAPPS_USERNAME, settings.GAPPS_DOMAIN) email = '%s@%s' % (username, settings.GAPPS_DOMAIN) try: # Check user's password logging.debug('GoogleAppsBackend.authenticate: gdocs') gdocs = DocsService() gdocs.email = email gdocs.password = password gdocs.ProgrammaticLogin() # Get the user object logging.debug('GoogleAppsBackend.authenticate: gapps') gapps = AppsService(email=admin_email, password=settings.GAPPS_PASSWORD, domain=settings.GAPPS_DOMAIN) gapps.ProgrammaticLogin() guser = gapps.RetrieveUser(username) logging.debug('GoogleAppsBackend.authenticate: user - %s' % username) user, created = User.objects.get_or_create(username=username) if created: logging.debug('GoogleAppsBackend.authenticate: created') user.email = email user.last_name = guser.name.family_name user.first_name = guser.name.given_name user.is_active = not guser.login.suspended == 'true' user.is_superuser = guser.login.admin == 'true' user.is_staff = True user.save() except BadAuthentication: logging.debug('GoogleAppsBackend.authenticate: BadAuthentication') return None except AppsForYourDomainException: logging.debug('GoogleAppsBackend.authenticate: AppsForYourDomainException') return None return user def get_user(self, user_id): user = None try: logging.debug('GoogleAppsBackend.get_user') user = User.objects.get(pk=user_id) except User.DoesNotExist: logging.debug('GoogleAppsBackend.get_user - DoesNotExist') return None return user
It was pretty easy to write and debug this code using the ldap_auth.py module as a working example.
One downside to this code is that any newly created users in the Django auth database don’t have any rights. So if the Django project is expecting to be able to dynamically change the contents based on the rights that the user has, the account will have to manually modified via the Django admin interface. Not too bad, but annoying.