Nope, it's not stupid.

At least not as long as you store data in the local database of your app
that is not stored in the directory of your identity management system.
Then you would just duplicate data, and I would just use the claims from the
IDM to work in the app.
But if your app stores data about the user that is not stored in the IDM,
for example if you have a web shop and you want to store the
purchase history,
you probably do not want to store that in your IDM directory but leave it in
the local database. In order for your app to understand what data to pull
for that user from
the local database, it is important to create the user entity in the local
app as well as have it in the IDM.
I usually check if a user that just authenticated via the IDM is already in
the database, and if not I create / update the user in the local database.

In terms of logging users in, I think in web2py it was straightforward if I
remember correctly..

Looking at this snippet:
http://www.web2pyslices.com/slice/show/1443/auto-login-when-you-come-from-localhost

I think you can extract the username from the token and then do:

user = db(db.auth_user.username == username).select().first()
if user:
    # auth.login_user() writes the user into session.auth; assigning
    # auth.user = user only lasts for the current request.
    auth.login_user(user)




Am Mo., 14. Sept. 2020 um 08:14 Uhr schrieb hiro <[email protected]>:

> Thank you! You are spot on. I have redirected the user to a Single Signon
> page, and got redirected back with a token, that I then use the requests
> library and my key to validate to extract the username and permissions.
>
> I already have the users in the default auth tables, so basically now that
> user X has provided a valid token I want to be able to login that user.
>
> Maybe that is just stupid? Maybe one should just use the extracted data as
> from the token and never store any of it in the internal user database?
>
>
>
> On Friday, September 11, 2020 at 5:13:18 PM UTC+2 [email protected] wrote:
>
>> I am not sure I understand what you have done completely, but let me give
>> it a shot at the point where you ask how to validate a jwt token.
>>
>> The IDP that created the JWT token will sign the JWT token.
>> So you need to send the token e.g. via POST to web2py and then use pyjwt
>> to verify the token with however means that token was signed.
>> Maybe a simple passphrase, shared key, public key etc.
>>
>> Once you verified the signature you can use pyjwt
>> to load the contents of the token into a python dict.
>> Some IDPs include information about the person logging in as "claims".
>> Info such as First Name, Last Name, Email, Username/Displayname etc. You
>> can extract that information
>> and create the user in web2py and log the user in with a web2py session.
>>
>> Some IDPs do not put anything in the token and ask you to use the jwt
>> token to call a userinfo endpoint (restful api of the IDP),
>> to extract more info about the user directly from the IDP instead of from
>> the token.
>>
>> The token usually was issued with certain scopes, e.g. openid, profile,
>> email, and depending on the scopes of the token, the IDP will either
>> give this information or not.
>> Usually you also have to whitelist in the IDP from which hosts such a
>> call can come and which hosts can actually obtain tokens etc.
>>
>>
>>
>> Am Fr., 11. Sept. 2020 um 16:06 Uhr schrieb hiro <[email protected]>:
>>
>>> Hi, quick question!
>>>
>>> I am working on an internal API using web2py and the organization I am
>>> working for wants us to use JWTs. I have had no success with the JWTAuth in
>>> the tools file, but have successfully been able to redirect to the single
>>> sign-on provider and then validate the token as the single sign-on provider
>>> redirects back to the web2py service.
>>>
>>> So basically I have been able to validate that a user with a given
>>> username is allowed to log in. Now, the question becomes, how do I log in
>>> the user?
>>>
>>> Assume the user already exists within the Auth DB for now. In the long
>>> run I will need to update user permissions and LDAP groups and so on, but
>>> now I just need to know how to log in programmatically when I know the user is
>>> allowed to log in by a validated JWT token, but I have no password or
>>> anything else except the username.
>>>
>>>
>>> # Code to validate JWT token..
>>>
>>> username = validated_jwt_token.preferred_username
>>> Auth.login(username)
>>>
>>> # User should now be logged in.
>>>
>>> Any idea?
>>> Thanks!
>>>
>

-- 
Resources:
- http://web2py.com
- http://web2py.com/book (Documentation)
- http://github.com/web2py/web2py (Source code)
- https://code.google.com/p/web2py/issues/list (Report Issues)
--- 
You received this message because you are subscribed to the Google Groups 
"web2py-users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/web2py/CADHCKLQhNGwVAY3-y1ZzjfqzrEWG4%2BJ7j4a8X6Ea_-1dpnrZuw%40mail.gmail.com.
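The verify-then-use-claims flow described in this thread, as an added example that is not code from the thread or from web2py: a stdlib HMAC-SHA256 check stands in for pyjwt with a shared secret, a dict stands in for db.auth_user, and the secret, user names and claims are all constructed. It also shows the get-or-create step so a repeat login updates the local row instead of duplicating it.

```python
import base64, hashlib, hmac, json, time

# Constructed secret; a real deployment uses the key the IDP signed with.
SHARED_SECRET = b"example-shared-secret"

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def verify_hs256(token, secret):
    """Return the claims of an HS256 JWT, raising ValueError if it cannot be trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: the token header must never choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))  # only trusted after the checks above
    if "exp" in claims and time.time() >= claims["exp"]:
        raise ValueError("token expired")
    return claims

def make_hs256(claims, secret):
    """Stand-in for the IDP's token minting; used only to build constructed sample input."""
    h = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"

# Constructed stand-in for web2py's db.auth_user table: username -> row dict.
LOCAL_USERS = {}

def get_or_create_user(claims):
    """Mirror the IDM identity into the local user table: create on first login, update after."""
    name = claims["preferred_username"]
    row = LOCAL_USERS.setdefault(name, {"username": name})
    row.update(first_name=claims.get("given_name", ""), last_name=claims.get("family_name", ""),
               email=claims.get("email", ""))
    return row

def login_from_token(token, secret):
    user = get_or_create_user(verify_hs256(token, secret))
    # In web2py this is the point to call auth.login_user(user) to open the session.
    return user
```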