[Solved] User authentication via SSL certs in Django

13👍

I have created a Django module for this; the implementation is available under the MIT license on GitHub.
Basically the approach is as follows:

  1. nginx handles all the SSL & certificate verification stuff
  2. A Django authentication backend maps the (validated) certificate's distinguished name to whatever User model you are using.

1👍

First of all – you talk about two completely different ways of using a certificate. If you use a server-signed cert from a CA, then the user will authenticate before page load (when creating the secure channel), and you will know who they are. The other way you mention – storing the user cert in UserProfile – do you mean storing the private cert?? This is far from a secure approach. What exactly do you expect to keep in the user profile that will serve you for authentication purposes? And if you read this thing from UserProfile, then how will the user actually authenticate? Using username+password? So what’s the purpose of the cert in the profile?

I’d not do the SSL thing in Django. A better approach to handle this is to keep all SSL stuff in Apache, using an HTTP header afterwards. You issue a certificate to the user, they add it in their browsers, and when connecting to the site – Django checks the certificate and extracts the user name associated with the request. Then pass this username as an HTTP header to the Django app, e.g. HTTP_USER_NAME=some_user. Also make sure Apache strips all such headers from the client’s request. Then your Django app should not do anything else – it will rely on Apache having already done the AUTH job and will get the user name. (This works fine with Nginx, and although I haven’t used it in Apache – I don’t see a reason it shouldn’t be possible with it too; maybe you’ll need to install some additional Apache mod.)

So the only disadvantage of this approach is that you’ll probably have to do some manual work with signing/sending certificates to users, but if this is not a frequently repeated operation, it seems to be OK in return for the security it offers.

UPDATE: Here is an example of how to do the SSL auth in Apache:
http://www.zeitoun.net/articles/client-certificate-x509-authentication-behind-reverse-proxy/start
and for nginx:
http://forum.nginx.org/read.php?5,226319

👤Tisho
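Both answers above describe the same split: the reverse proxy verifies the client certificate, then passes the verification outcome and the subject DN to the application in headers, and the application only maps the DN to a user. The following is an added, self-contained Python example (not code from either answer, and not the module on GitHub mentioned in the first answer) showing both halves of that design. The header names `X-SSL-Client-Verify` and `X-SSL-Client-S-DN`, the in-memory user table and the sample DNs are assumptions constructed for the example; the header values follow nginx's real `$ssl_client_verify` (`SUCCESS`, `FAILED:<reason>`, `NONE`) and `$ssl_client_s_dn` (RFC 2253-style DN) variables. It also models the "strip all such headers from the client's request" step: a client-supplied `X-SSL-Client-Verify: SUCCESS` is discarded before the application ever sees it.

```python
"""Map a proxy-verified client certificate to an application user.

Added example; the header names and the user table are assumptions.
The proxy (nginx) terminates TLS, verifies the client certificate
against its CA bundle and forwards the result in two headers.  The app
never touches the certificate itself; it only trusts those headers.
"""

VERIFY_HEADER = "X-SSL-Client-Verify"   # assumed name; set from $ssl_client_verify
DN_HEADER = "X-SSL-Client-S-DN"         # assumed name; set from $ssl_client_s_dn
_PROXY_HEADERS = {h.lower() for h in (VERIFY_HEADER, DN_HEADER)}

# Constructed stand-in for the Django User model: canonical DN -> username.
USERS_BY_DN = {
    "CN=alice,O=Example Corp,C=US": "alice",
    "CN=bob,O=Example Corp,C=US": "bob",
}


def parse_dn(dn):
    """Split an RFC 2253-style DN into (ATTRIBUTE, value) pairs.

    Honours backslash escapes, so an escaped comma inside a value
    (e.g. "CN=Smith\\, John") is not taken as an RDN separator.
    Raises ValueError on malformed input instead of guessing.
    """
    pairs, buf, attr, i = [], [], None, 0
    while i < len(dn):
        c = dn[i]
        if c == "\\":                       # escape: next char is literal
            if i + 1 >= len(dn):
                raise ValueError("dangling escape in DN")
            buf.append(dn[i + 1])
            i += 2
            continue
        if c == "=" and attr is None:       # first '=' ends the attribute name
            attr = "".join(buf).strip().upper()
            buf = []
        elif c == ",":                      # unescaped comma ends the RDN
            if attr is None:
                raise ValueError("RDN without '=' in DN")
            pairs.append((attr, "".join(buf).strip()))
            attr, buf = None, []
        else:
            buf.append(c)
        i += 1
    if attr is None:
        if buf:
            raise ValueError("RDN without '=' in DN")
    else:
        pairs.append((attr, "".join(buf).strip()))
    if not pairs or any(not a or not v for a, v in pairs):
        raise ValueError("empty attribute or value in DN")
    return pairs


def canonical_dn(dn):
    """Re-serialise a DN so lookups ignore attribute case and spacing."""
    return ",".join(
        f"{a}={v.replace(chr(92), chr(92) * 2).replace(',', chr(92) + ',')}"
        for a, v in parse_dn(dn)
    )


def proxy_forward_headers(client_headers, tls_verify, tls_subject_dn):
    """Model of what the proxy must do before forwarding a request.

    Every identity header the client sent is dropped and the two headers
    are set from the TLS handshake state only, so a client cannot claim a
    verified identity just by sending the header itself.
    """
    forwarded = {k: v for k, v in client_headers.items()
                 if k.lower() not in _PROXY_HEADERS}
    forwarded[VERIFY_HEADER] = tls_verify
    forwarded[DN_HEADER] = tls_subject_dn or ""
    return forwarded


def authenticate(headers, users_by_dn=USERS_BY_DN):
    """Return the username for a verified certificate, or None.

    Only a status of exactly "SUCCESS" is accepted: "NONE" (no cert) and
    "FAILED:..." (bad chain, expired, ...) are rejected before the DN is
    even looked at, and an unparsable or unknown DN yields no user.
    """
    if headers.get(VERIFY_HEADER) != "SUCCESS":
        return None
    dn = headers.get(DN_HEADER)
    if not dn:
        return None
    try:
        key = canonical_dn(dn)
    except ValueError:
        return None
    return users_by_dn.get(key)


if __name__ == "__main__":
    # A client trying to spoof the headers gets them stripped by the proxy.
    spoof = {VERIFY_HEADER: "SUCCESS", DN_HEADER: "CN=alice,O=Example Corp,C=US"}
    print(authenticate(proxy_forward_headers(spoof, "NONE", None)))        # None
    # A genuinely verified certificate maps to its user.
    print(authenticate(proxy_forward_headers({}, "SUCCESS",
                                             "CN=bob,O=Example Corp,C=US")))  # bob
```

In a real deployment the `proxy_forward_headers` step is the nginx `proxy_set_header` lines that overwrite these headers from `$ssl_client_verify` and `$ssl_client_s_dn` on every request, and `authenticate` is what a Django authentication backend would do with `request.META`; the lookup is by the full canonical DN rather than just the CN so that two certificates from different organisations with the same common name do not collide.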
