I dont want to manage my users created in Django and keep them only on the identity provider (in my case Keycloak)
Currently Mozilla-django-oidc stores the user information from identity provider into the django database.
I have added some code to do not save the user information into the database but still be able to get a User object and request.user object out of the identity provider
1) Is it a good approach?
2) It will only work if a token header is present (authenticationSession wont work as it relies on users information stored in the database)
Way of working
Settings :
An extra variable is needed :
OIDC_PERSISTENT_USERDefault Value : True
I have added this variable in the settings :
OIDC_PERSISTENT_USER = False
Code block :
Add the Function def init_user(self,claims): in OIDCAuthenticationBackend:
(i have defined this function with username as it is by default but i might not make sense as in this case the username may always change - in my use case i dont use username )
def init_user(self,claims):
user = self.UserModel()
user.email = claims.get('email')
user.username = self.get_username(claims)
return user
redefine def get_or_create_user(self, access_token, id_token, payload): in OIDCAuthenticationBackend
user_info = self.get_userinfo(access_token, id_token, payload)
claims_verified = self.verify_claims(user_info)
if not claims_verified:
msg = 'Claims verification failed'
raise SuspiciousOperation(msg)
if not self.get_settings('OIDC_PERSISTENT_USER', True):
return self.init_user(user_info)
# email based filtering
users = self.filter_users_by_claims(user_info)
if len(users) == 1:
return self.update_user(users[0], user_info)
elif len(users) > 1:
update def create_user(self, claims): in OIDCAuthenticationBackend
def create_user(self, claims):
self.init_user(claims)
user.save()
return user
With this change the user wont be created in database but still be added to request.user object if the authentication works just by adding OIDC_PERSISTENT_USER = False to settings.py
Please let me know if it is a good approach and if it might be needed.
Hello,
Use case
I dont want to manage my users created in Django and keep them only on the identity provider (in my case Keycloak) Currently Mozilla-django-oidc stores the user information from identity provider into the django database. I have added some code to do not save the user information into the database but still be able to get a User object and request.user object out of the identity provider
1) Is it a good approach? 2) It will only work if a token header is present (authenticationSession wont work as it relies on users information stored in the database)
Way of working
Settings : An extra variable is needed :
OIDC_PERSISTENT_USER
Default Value : True
I have added this variable in the settings :Code block : Add the Function
def init_user(self,claims):
inOIDCAuthenticationBackend
: (i have defined this function with username as it is by default but i might not make sense as in this case the username may always change - in my use case i dont use username )redefine
def get_or_create_user(self, access_token, id_token, payload):
inOIDCAuthenticationBackend
update
def create_user(self, claims):
inOIDCAuthenticationBackend
With this change the user wont be created in database but still be added to request.user object if the authentication works just by adding
OIDC_PERSISTENT_USER = False
to settings.pyPlease let me know if it is a good approach and if it might be needed.
Cyril