How to moderate django_openid_auth

Question

I am implementing openid feature using django_openid_auth library which is quite amazing.. However I am looking for very specific moderation settings.

Although openid is made available for everyone..I am looking to implement the below rules

• OpenId should provide email address.. Not all guys do provide
• The email address should be one of the access granted list present in my db

I started to think quite possible ways like creating custom middleware, custom login_required decorator etc.. But I am unable to think a possible way of fitting them exactly in the bill.

Can anyone add suggestions would be appreciated

Answer 1

aquiring email address is simple enough - you just need to ask openid server for it. django-openid-auth provides settings for it:

OPENID_SREG_EXTRA_FIELDS = ['email']

In my project i also needed to do extra stuff after authentication. I solved it with signal:

def register_login_signal():
    from django.contrib.auth.signals import user_logged_in
    from django.contrib.auth.models import User
    user_logged_in.connect(your_function_name_here, sender = User)

def your_function_name_here(sender, **kwargs):
        request = kwargs.get('request')
        logout(request) if request.user.email not in your_list_of_authenticated_emails else pass

and dont forget to put register_login_signal() to some place where it gets used like projects init.py file

Edit:

1st comment/question.

The extra fields part is not stated in documentation. Also, if you scan through the github package then you notice nothing like it, i'm sure. I am using older version of https://pypi.python.org/pypi/django-openid-auth/0.5. Download it, unpack and open views.py in django-openid-auth folder. Search for OPENID_SREG_EXTRA_FIELDS and you'll see it. Works like a charm if you define it in settings.py.

2nd question

Async? Nope, not really. Async would be something that gets run outside of current function stack - if you can describe it like that. This is nothing like that. Imagine it like that - in the end of login function there is check, that if there are some functions hooked on the end of login function. And they get run instantly. Its as much async as django middleware is. So not at all.

But is it right place to do it? I imagine that you have your site set up that you check if user has logged with @login_required decorator - or something like that.

So lets see how things will get executed:

1) Your openid server sends you all the information you requested with last request

2) Your django-openid-auth login_complete view takes over and authenticates user using it's backend

3) in the end of that process the signal for which you listen to is triggered, user's email is checked against your list and if the check fails, then he is instantly logged out.

4) Since the view is done, it automatically redirects you to either the url whcih was specified in original view with "next" parameter or to LOGIN_REDIRECT_URL specified in your settings

5) Before that view all the middleware and decorators get used. And if you have used something like @login_required decorator (which is smart thing to do for each login protected page), then it instantly redirects user to login page. If you bothered to add some kind of message to request in signal, then the message is displayed (given that your login/logout page supports that)

And to say something in the end - there is no stronger method than logging out.

/edit