pyramid_iap

Release 0.1

Google Cloud Identity-Aware Proxy authentication policy for Pyramid

Homepage PyPI Python

Keywords
Pyramid, JWT, IAP, authentication, security
License
BSD-3-Clause
Install
pip install pyramid_iap==0.1

Documentation

Google Cloud Identity-Aware Proxy Authentication for Pyramid

This package implements an authentication policy for Pyramid compatible with Google Cloud's Identity-Aware Proxy <https://cloud.google.com/iap/>.

Configuration

After configuring your Identity-Aware Proxy, get the Signed Header JWT Audience from its settings (detailed instructions in Securing your app with signed headers <https://cloud.google.com/iap/docs/signed-headers-howto>.)

To enable JWT support in a Pyramid application:

from pyramid.config import Configurator
from pyramid.authorization import ACLAuthorizationPolicy
from pyramid_iap import JWTClaimAuthenticationPolicy

def main():
    config = Configurator()
    # Pyramid requires an authorization policy to be active.
    config.set_authorization_policy(ACLAuthorizationPolicy())
    # Identity-Aware Proxy's Signed Header JWT Audience.
    audience = "/projects/123/global/backendServices/456"
    # Enable JWT authentication.
    config.include('pyramid_iap')
    config.add_iap_jwt_claims(audience)
    config.set_authentication_policy(JWTClaimAuthenticationPolicy())

By default, the userid is the "sub" claim of the JWT token (e.g. "accounts.google.com:123456".) To instead use the "email" claim (e.g. "test@example.com") specify:

config.set_authentication_policy(JWTClaimAuthenticationPolicy(userid_claim="email"))

Settings

There are a number of flags that specify how tokens are verified. You can either set this in your .ini-file, or pass/override them directly to the config.add_iap_jwt_claims() function.

Parameter ini-file entry Default Description
audience iap.audience   Verified audience for the token (required.)

Uncommon settings

These settings are unlikely to be needed if you are running behind Google Cloud IAP.

Differences with pyrmid_jwt

This package is inspired by pyramid_jwt <https://pypi.org/project/pyramid_jwt/> and seeks to remain compatible where possible.

  • Public keys are fetched automatically from the public_key_url.
  • The create_jwt_token request method is not available since it is the responsiblity of the Idenitity-Aware Proxy to issue tokens.
  • No authentication policy is configured by the add_iap_jwt_claims config method to provide flexibility for those using pyramid_multiauth.

Stats

Dependencies
5
Dependent packages
0
Dependent repositories
0
Total releases
1
Latest release
First release
Stars
0
Forks
0
Watchers
0
Contributors
1
Repository size
0 Bytes
SourceRank
5

Development practices

Source repo 2FA enabled
TEXT!
Package manager 2FA enabled
TEXT!
Is security responsive
TEXT!
Dependencies are managed
TEXT!
Issue-free release available
TEXT!
Succession plan available
TEXT!
Package manager 2FA enabled
TEXT!

The Tidelift Subscription provides access to a continuously curated stream of human-researched and maintainer-verified data on open source packages and their licenses, releases, vulnerabilities, and development practices.

Learn more

Releases

0.1

Contributors

Laurence Rowe


See all contributors

Something wrong with this page? Make a suggestion

Export .ABOUT file for this package

Last synced: 2021-02-20 11:34:45 UTC

Login to resync this project