jrd / django-oauth2-authcodeflow

Authenticate with any OpenId Connect/Oauth2 provider through authorization code flow. PKCE is also supported
https://pypi.org/project/django-oauth2-authcodeflow/
MIT License
14 stars 7 forks source link

Login/logout auditing #16

Closed ryhoo2 closed 10 months ago

ryhoo2 commented 1 year ago

Thank you for providing this module, that's the only one that actually work!

Authentication for my app is working fine with Okta integration. Now I need to add auditing, especially log all successful/unsuccessful login attempts and logout events. I have configured the logger in my settings.py like this:

logger = logging.getLogger('oauth2_authcodeflow')
logger.addHandler(logging.StreamHandler())
if DEBUG:
    logger.setLevel(logging.DEBUG)
else:
    logger.setLevel(logging.INFO)

But I cannot find login/logout messages in the logs. Is it missing currently in the module code? Or I have misconfigured something?

Thanks!

cpontvieux-systra commented 1 year ago

Hi @ryhoo2

I tried to read and follow the RFCs to make this library.

It seems your code is correct, but the library does not include proper logging right now. I mean there is some logging (warning, debug) but not at places you expect. It was mainly for me to be sure it’s doing what it’s suppose to do. Logging successful login/logout was not on my radar.

You might get what you want by using a special page for logout and log yourself in that area before redirecting (or not) elsewhere.

For login, you might want to add a custom middleware that monitor if not corrected before request is handled and connected afterwards but that is tedious work.

I may add some logging to this intent in the next version. Does not seems like a lot of work. If you can propose a pull-request (or better a merge-request on gitlab repo) that could accelerate the process.

ryhoo2 commented 1 year ago

Cyrille,

Thank you for the reply. It's not that critical for me right now, I just wanted to know if I misconfigured something or it's not yet implemented. I'm afraid I'm not that experienced with gitlab and Python libraries coding to provide the pull-request. Maybe some day:)

Thanks again, great work! Michal

pinoatrome commented 11 months ago

Hi all, in case this is still of interest Django auth provides events for user login, logout and failed logins:

docs: https://docs.djangoproject.com/en/dev/ref/contrib/auth/#module-django.contrib.auth.signals

see https://stackoverflow.com/questions/1990502/django-signal-when-user-logs-in for usage example.

Hope this helps. ciao GG

PS: thanks for the module!

jrd commented 11 months ago

I may add pointer in the doc to those links. I didn’t know those events/signals.

Thanks @pinoatrome

pinoatrome commented 11 months ago

Hi @jrd, you are welcome.

In case you busy I'd be happy to contribute with such task, a documentation task is ideal to start within a project. GG

cpontvieux-systra commented 10 months ago

Hi @pinoatrome, yes please, I’d be glad to include more documentation.

I added mere doc about this in the README.md file, but maybe a proper documentation file would be better.

The main development is happening on gitlab. I would prefer to have pull request and issues there, but if it’s a burden for you, then here is fine too.

pinoatrome commented 10 months ago

Hi @jrd, sure: I'll create a new issue to enhance the documentation about auditing with an example showing how to use Django auth signals for that matter. Ciao GG