Django

Implementation of Single Sign on Using Auth0 in Django Application

2022-07-25

As the number of applications grows, users have to create a username and password for each one and remember them all. They can't, so they often reuse a single username/password across applications, which makes it much easier for their accounts to be compromised.

To make this easier for users, we should provide SSO login, which gives a seamless authentication experience when they sign in to the applications you have built and/or third-party apps. It spares them the hassle of maintaining and remembering yet another set of credentials.

In this blog post, we'll see how to add single sign-on and single sign-out to a Django application using Auth0.

Steps to follow for an Auth0 account:

  • Create your account in Auth0.
  • Go to Applications and click Create Application, providing an app name (for example: demoapp) and an application type (web app, mobile app, etc.).
  • Go to the Settings tab of your application (demoapp); there you can see the Client ID, Client Secret and Domain values.
  • Add your application domains as a comma-separated list in the Allowed Web Origins and Allowed Origins (CORS) fields.
    • For ex: http://demoapp.io, http://demoauth.io
  • By default, the application uses the Username-Password-Authentication database connection. A custom database can be used instead if your app needs it.

Steps to follow to add Auth0 single sign-on and single sign-out:

Add these scripts to the login HTML of your application:

<script src="https://cdn.auth0.com/js/auth0/9.3.1/auth0.min.js"></script>
<script type='text/javascript' src='//cdn.auth0.com/js/lock/11.1/lock.min.js?ver=4.8.2'></script>

We're using the Auth0 WebAuth JavaScript plugin (auth0.js) to add SSO to your application.

Here is the syntax for defining the auth0 WebAuth object:

<script type="text/javascript">
  var webAuth = new auth0.WebAuth({
    domain:   'YOUR_APP_AUTH0_DOMAIN',
    clientID: 'YOUR_APP_CLIENT_ID'
  });
</script>

We should use the webAuth.checkSession method to handle automatic login. Auth0's checkSession checks whether the user already has an Auth0 session: if one is found, the user is logged into the application; otherwise we send the user to a custom URL that handles the login process.

Here is the syntax for auth0 WebAuth checkSession:

<script type="text/javascript">
  // Options for checkSession. Overrides of the WebAuth settings
  // (responseType, scope, redirectUri) go here; otherwise the values given
  // to new auth0.WebAuth(...) above are used.
  var options = {};

  // jQuery ($.get) is assumed to be loaded on the login page.
  webAuth.checkSession(options, function (err, authResult) {
    if (err) {
      // No Auth0 session (err.error === 'login_required') or another error:
      // fall back to the custom login URL.
      window.location = '{{ django_custom_url }}';
    } else if (authResult && typeof(authResult.code) !== 'undefined') {
      // Authorization-code flow: let the Django view exchange the code.
      window.location = '{{ django_custom_url }}';
    } else if (authResult && typeof(authResult.idToken) !== 'undefined') {
      // Token flow: hand the tokens to the Django login view.
      $.get('{{ django_custom_url }}',
            {'access_token': authResult.accessToken, 'idToken': authResult.idToken},
            function (data) {
              if (data.error) {
                // The backend rejected the tokens: go through the normal login flow.
                window.location = '{{ django_custom_url }}';
              } else {
                window.location = '/dashboard/';
              }
            }, 'json');
    }
  });
</script>

  • We need to customize the login view in Django (the one behind django_custom_url) so that it accepts the user's access token and ID token.
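The Django view behind django_custom_url must not create a session just because the browser posted an idToken: the token is signed, and the server has to verify the signature and the iss, aud, exp and nonce claims before mapping sub to a local user. The following is an added example in Python, not code from this post or from Auth0, showing that check. It assumes the browser sends authResult.idToken to the view; the names validate_id_token, login_from_id_token and make_demo_token are this example's own. Auth0 issues RS256-signed ID tokens whose public keys are published at https://YOUR_APP_AUTH0_DOMAIN/.well-known/jwks.json; so that the demo runs offline, it signs and verifies with HS256 and a shared secret, and production code plugs an RS256/JWKS verifier (for example PyJWT) into the same verifier hook. The claim checks are identical either way.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def split_jwt(token: str):
    """Split a compact JWT into (header, claims, signing_input, signature).
    Nothing is trusted yet; the claims are only parsed."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    signing_input = (parts[0] + "." + parts[1]).encode()
    return header, claims, signing_input, b64url_decode(parts[2])


def hs256_verifier(secret: bytes):
    """Signature check used by this demo (Auth0 itself issues RS256 tokens).
    The verifier pins the algorithm it accepts, so a token whose header says
    alg=none or another alg is refused instead of being checked with the
    wrong key."""
    def verify(header, signing_input, signature):
        if header.get("alg") != "HS256":
            return False
        expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature)
    return verify


def validate_id_token(token, *, issuer, audience, verifier, now=None, nonce=None, leeway=60):
    """Verify the signature, then the claims a relying party must check before
    treating `sub` as the logged-in user. Raises ValueError on any failure."""
    now = time.time() if now is None else now
    header, claims, signing_input, signature = split_jwt(token)
    if not verifier(header, signing_input, signature):
        raise ValueError("signature verification failed")
    if claims.get("iss") != issuer:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("token was not issued for this client")
    if "exp" not in claims or now > claims["exp"] + leeway:
        raise ValueError("token expired")
    if claims.get("iat", 0) > now + leeway:
        raise ValueError("token issued in the future")
    if nonce is not None and claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch (possible replay)")
    if not claims.get("sub"):
        raise ValueError("missing subject")
    return claims


def login_from_id_token(token, **kwargs):
    """What the Django view does with the posted idToken: return the Auth0
    subject to map to a local user, or None (no session) when the token
    does not check out."""
    try:
        return validate_id_token(token, **kwargs)["sub"]
    except ValueError:
        return None


def make_demo_token(claims: dict, secret: bytes) -> str:
    """Constructed HS256 token for the demo; stands in for Auth0's RS256 token."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


# Constructed demo values; the placeholders match the ones used in the post.
DEMO_SECRET = b"demo-secret-not-for-production"
ISSUER = "https://YOUR_APP_AUTH0_DOMAIN/"
CLIENT_ID = "YOUR_APP_CLIENT_ID"
NOW = 1658707200  # 2022-07-25 00:00:00 UTC, fixed so the demo is deterministic


def demo():
    """Run the view logic over a good token and four bad ones."""
    good_claims = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "auth0|demo-user",
                   "iat": NOW - 10, "exp": NOW + 3600, "nonce": "n1"}
    good = make_demo_token(good_claims, DEMO_SECRET)
    expired = make_demo_token({**good_claims, "exp": NOW - 3600}, DEMO_SECRET)
    wrong_aud = make_demo_token({**good_claims, "aud": "another-client"}, DEMO_SECRET)
    forged = good.rsplit(".", 1)[0] + "." + b64url_encode(b"\x00" * 32)
    checks = dict(issuer=ISSUER, audience=CLIENT_ID, verifier=hs256_verifier(DEMO_SECRET), now=NOW)
    return {
        "good": login_from_id_token(good, nonce="n1", **checks),
        "expired": login_from_id_token(expired, nonce="n1", **checks),
        "wrong_audience": login_from_id_token(wrong_aud, nonce="n1", **checks),
        "forged_signature": login_from_id_token(forged, nonce="n1", **checks),
        "replayed_nonce": login_from_id_token(good, nonce="n2", **checks),
    }


if __name__ == "__main__":
    print(demo())
```

Only the "good" case yields a subject; the expired, wrong-audience, forged and replayed tokens all come back as None and no session is created. The nonce is the value the login page generated and stored server-side before calling Auth0, which is what ties the returned token to this login attempt.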

Steps to follow to add single sign-out:

  • Go to the Advanced panel at https://manage.auth0.com/#/tenant
  • Add your application's logout URL in the Allowed Logout URLs section
    • For ex: https://demoauth.io/logout/
  • Now you can call the following URL to sign the user out of all applications:

https://{{ YOUR_APP_AUTH0_DOMAIN }}/v2/logout?returnTo={{ YOUR_APPLICATION_LOGOUT_URL }}
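A Django logout view that puts the sign-out URL above to use, as an added example in Python (not this post's code and not Auth0's). It assumes the Allowed Logout URLs list from the tenant settings is mirrored in ALLOWED_LOGOUT_URLS, and it stands in for request.session with a plain dict so that it runs without Django. Two details matter: the returnTo value must be URL-encoded, and /v2/logout ends only the Auth0 session, so the application's own Django session has to be cleared before redirecting.

```python
from urllib.parse import urlencode

# Mirror of the "Allowed Logout URLs" registered in the Auth0 tenant's
# Advanced settings (constructed value for this example).
ALLOWED_LOGOUT_URLS = frozenset({"https://demoauth.io/logout/"})


def build_auth0_logout_url(auth0_domain: str, return_to: str) -> str:
    """Build https://<domain>/v2/logout?returnTo=<url-encoded return_to>.

    Auth0 refuses a returnTo that is not in Allowed Logout URLs; checking the
    same list here means a misconfiguration, or a return_to taken from user
    input, fails in our own code rather than on an Auth0 error page.
    """
    if return_to not in ALLOWED_LOGOUT_URLS:
        raise ValueError(f"{return_to!r} is not an allowed logout URL")
    return f"https://{auth0_domain}/v2/logout?{urlencode({'returnTo': return_to})}"


def single_sign_out(session, auth0_domain: str, return_to: str) -> str:
    """The shape of the Django logout view: clear the local session first,
    then return the Auth0 URL the view redirects to. `session` is any
    dict-like object (request.session in Django)."""
    session.clear()
    return build_auth0_logout_url(auth0_domain, return_to)


if __name__ == "__main__":
    fake_session = {"user_id": 7}  # constructed stand-in for request.session
    print(single_sign_out(fake_session, "YOUR_APP_AUTH0_DOMAIN", "https://demoauth.io/logout/"))
```

In the real view the return value is passed to django.shortcuts.redirect after request.session has been flushed; the user lands on the Auth0 logout endpoint, which clears the Auth0 session and sends them back to the registered logout URL.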