SSO example for Django

(Remy Dev) #22

I tried to link djangoCMS to Discourse, it’s not really easy for me, I’m not really a developer, so I’d rather not do code.
So I don’t understand why it’s not possible to use simple tools like django-oauth-toolkit and it’s every time specific code.


Hi, there is a method on the hmac library you can use:

hmac.compare_digest(this_signature, signature)

From docs:

When comparing the output of hexdigest() to an externally-supplied digest during a verification routine, it is recommended to use the compare_digest() function instead of the == operator to reduce the vulnerability to timing attacks.

(James Potter) #24

Updated — thanks for the heads up.

(Steve Putman) #25

As a note, I got a TypeError (unicode does not have the buffer interface) using this code in Python 2.7 – looks like signature was being returned as unicode. Fixed like this:

if not hmac.compare_digest(this_signature, str(signature)):

(James Potter) #26

(Ronald Langeveld) #28

Hey James. Thanks for this. I am however stuck at the URLs, running Django 2.0.
Could the url() be replaced with the new path?

(Sahil Singla) #29

I am not getting ‘sso’ and ‘sig’ in the GET request parameter. What do I need to do?

(Mehmet Dogan) #30

Few modifications I made:

  1. I used the following logic for ‘require_activation’ (I use allauth):

     require_activation = 'false' if EmailAddress.objects.filter(user=request.user, 
         verified=True).exists() else 'true'
  2. I used decodebytes instead of decodestring, and encodebytes instead of encodestring. The IDE I am using said they were deprecated since Python 3.1.
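
Added example, not code from any poster in this thread: a Python 3 sketch of the provider-side check the posts above discuss, covering the constant-time `sig` comparison, the text/bytes mismatch behind the reported TypeError, and base64 handling without the deprecated helpers. The function names, the secret and the sample values are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode

# Constructed demo secret (assumption); a real site keeps it in settings.
SSO_SECRET = b"constructed-demo-secret"


def sign(payload: bytes, secret: bytes = SSO_SECRET) -> str:
    """Hex HMAC-SHA256 over the base64 payload, i.e. the 'sig' value."""
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


def verify_request(sso, sig, secret: bytes = SSO_SECRET) -> dict:
    """Check the 'sso'/'sig' GET parameters; return the decoded fields."""
    if not sso or not sig:
        raise ValueError("missing sso or sig parameter")
    try:
        # Bytes on both sides: compare_digest rejects mixed or non-ASCII text.
        payload, supplied = sso.encode("ascii"), sig.encode("ascii")
    except UnicodeEncodeError:
        raise ValueError("non-ASCII sso or sig parameter") from None
    if not hmac.compare_digest(sign(payload, secret).encode("ascii"), supplied):
        raise ValueError("signature mismatch")
    try:
        # Decode only after the signature check; stray newlines are ignored.
        decoded = base64.b64decode(payload).decode("utf-8")
    except ValueError:
        raise ValueError("payload is not valid base64/UTF-8") from None
    fields = {k: v[0] for k, v in parse_qs(decoded).items()}
    if "nonce" not in fields:
        raise ValueError("payload has no nonce")
    return fields


def build_response(nonce: str, user: dict, secret: bytes = SSO_SECRET) -> str:
    """Signed query string to append to the payload's return_sso_url."""
    # b64encode emits no newlines, unlike encodebytes.
    payload = base64.b64encode(urlencode({"nonce": nonce, **user}).encode("utf-8"))
    return urlencode({"sso": payload.decode("ascii"), "sig": sign(payload, secret)})


if __name__ == "__main__":
    # Constructed request, signed the way the forum side would sign it.
    req = base64.b64encode(b"nonce=abc123&return_sso_url=https%3A%2F%2Fforum.example%2Fsso")
    print(verify_request(req.decode("ascii"), sign(req)))
```

In a Django view, `sso` and `sig` would be read from `request.GET`, and a `ValueError` would map to an HTTP 400 response rather than a redirect.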

(Renzo Nuccitelli) #31

I’ve made an implementation based on the first example with tests and it’s working on Django 2:

(Brylie Christopher Oxley) #32

Would you please consider publishing this Discourse Django SSO app on PyPI?

(James Potter) #33

I don’t have time right now unfortunately, but I have a project coming up in a few weeks that needs this and I can revisit it then.