PyGrunn: Modern authentication in python web apps - Arthur Barseghyan

Tags: pygrunn, python, django, plone

(One of the summaries of the one-day 2014 PyGrunn conference in Groningen in the Netherlands).

Arthur Barseghyan talks about SSO (single sign on) and two-factor authentication.

Single sign on

If you have multiple web frameworks and websites, normally every one of them would need a user database and its own authentication system. Without SSO, you could perhaps (bad idea) pick one of them and make that the leading one and hack the rest to support that one. Or you’d expect users to log in multiple times (also a bad idea). Or you could use a custom API to let the sites communicate their authentication data (also a bad idea).

With single sign on you don’t have many of these problems. As an example, he uses (JaSig) CAS , a java enterprise single sign-on solution. There are a whole lot of plugins. It is open source, scalable and well documented. It supports lots of backends.

For logging in you need three parties: a web browser, the CAS server, your application server. Your application server functions as a CAS client.


  • Centralised authentication for all frameworks and applications. No problem when one app is in Django and the other one in Flask or Java. Everyone can join.

  • Actively maintained. Large community.

  • Less passwords to retype, remember and recover.

  • Happier end-users.

  • REST API. Handy.


  • SSO availability becomes critical.

  • SSO security becomes critical.

He showed an example. A django site (a dashboard) and a plone site (a document management system) both talk to a CAS server. The CAS server talks to an active directory server via a VPN connection. For both django and plone there were ready-to-use plugins.

Some CAS alternatives: josso, OpenAM, Pubcookie or CoSig.

Two-step verification / two-factor authentication

Often, you only have password authentication. This is different from your bank card: you need both the card and a PIN: two factors. There are three kinds of factors.; two-factor uses two out of these three:

  • Knowledge factor: PIN, password.

  • Posession: bank card, hardware token, mobile phone.

  • Inherence: something you are, for instance a fingerprint.

Common solutions:

  • SMS authentication. Problem: SMSs are getting expensive. It also doesn’t work when you don’t have a phone connection.

  • google authenticator (=app on your mobile phone). Works on almost every phone, also when you don’t have a connection. But you do need to install it first. And you need to have a smartphone.

  • Hardware token generator. Expensive and you have to carry it all the time.

In his case, they used collective.googleauthenticator, a Plone app that uses google’s authenticator app. And also collective.smsauthenticator. There are alternatives for Django, like django-two-factor-auth. logo

About me

My name is Reinout van Rees and I work a lot with Python (programming language) and Django (website framework). I live in The Netherlands and I'm happily married to Annie van Rees-Kooiman.

Weblog feeds

Most of my website content is in my weblog. You can keep up to date by subscribing to the automatic feeds (for instance with Google reader):