# django-fido #
[](https://github.com/CZ-NIC/django-fido/actions/workflows/python-test.yml)
[](https://github.com/CZ-NIC/django-fido/actions/workflows/js-test.yml)
[](https://codecov.io/gh/CZ-NIC/django-fido)
> Django application for FIDO protocol
Django-fido provides basic components for FIDO 2 authentication - model to store user's FIDO 2 authenticator data and basic views.
## Table of Contents ##
- [Dependencies](#dependencies)
- [Configuration](#configuration)
- [Changes](#changes)
- [Testing](#testing)
- [License](#license)
## Dependencies ##
* Python 3.5 and higher
* Django >= 3.0
## Configuration ##
1. Add `django_fido` to `INSTALLED_APPS`.
2. Add `django_fido.backends.Fido2AuthenticationBackend` to `AUTHENTICATION_BACKENDS`.
3. Link django-fido URLs into your `urls.py`:
urlpatterns += [
url(r'', include('django_fido.urls')),
]
4. If you wish, set string variable `DJANGO_FIDO_RP_NAME`.
### Extra configuration ###
#### DJANGO_FIDO_RESIDENT_KEY ####
Default: False
Purpose: Set to True to enable discoverable credentials, private key and associated metadata is stored in persistent memory on the authenticator. This is useful for passwordless authentication.
## One step authentication
You can also decide to use one step authentication.
In this case, you will use just one authentication form, that will collect username, password and FIDO2 credentials.
In addition to the configuration above, you also need to:
1. Set `DJANGO_FIDO_TWO_STEP_AUTH` to `False`.
2. Replace `django_fido.backends.Fido2AuthenticationBackend` with
`django_fido.backends.Fido2GeneralAuthenticationBackend` in `AUTHENTICATION_BACKENDS`.
3. Set `DJANGO_FIDO_AUTHENTICATION_BACKENDS` to the list of your additional authentication backends, if you use others
than `django.contrib.auth.backends.ModelBackend`.
4. Set `data-autosubmit-off` attribute on the form element of your login page.
Please note that your login form must have a field named `username`, even if your `USERNAME_FIELD` is not `username`.
## Metadata download
If you want to be able to download authenticator metadata, you need to set `DJANGO_FIDO_METADATA_SERVICE` setting which is a dictionary.
The MDS is available in two versions v2 (deprecated) and v3 (current).
If you want to use MDSv2, you have to set a valid `ACCESS_TOKEN`.
If you want to use MDSv3, you have to set `MDS_FORMAT` to `3` and set a valid `URL` providing the MDSv3 data.
Then you can periodically run the `download_authenticator_metadata` management command.
If metadata are available for the given `Authenticator`, its `metadata` property will be an object.
The `level`, `vulnerabilities` and `is_update_available` methods on `metadata` can be used to determine the trust and certification level.
## Passwordless
This authentication requires "discoverable credential" and using that credential to perform a user lookup using the passwordless authentication backend
1. Set `DJANGO_FIDO_RESIDENT_KEY` to `True`
2. Set 'DJANGO_FIDO_PASSWORDLESS_AUTH' to 'True'
3. Set 'DJANGO_FIDO_TWO_STEP_AUTH' to 'False'
3. Replace `django_fido.backends.Fido2AuthenticationBackend` with
`django_fido.backends.Fido2PasswordlessAuthenticationBackend` in `AUTHENTICATION_BACKENDS`.
# Set user verification requirement
Set `DJANGO_FIDO_USER_VERIFICATION` to `required`, `preferred` or `discouraged`, default is `None`
## Changes ##
See [changelog](https://github.com/CZ-NIC/django-fido/blob/master/CHANGELOG.md).
## Testing ##
Use `tox` to run tests
tox
## License ##
See [LICENSE](https://github.com/CZ-NIC/django-fido/blob/master/LICENSE).
# Changelog #
## 1.2.1
* Fixed metadata lookup for devices with device certificate directly in MDS
## 1.2.0
* Changed redirect after adding authenticator in administration to changelist instead of change view
* Made `user_handle` in admin readonly
* Upgrade to nodejs 18.x
* Fixed resident key registration
## 1.1.0
* Add support for fido2 1.1
* Drop support for fido2 < 1.1
* Export js translations for optional modifications
## 1.0.1
* Pin fido2 dependency
## 1.0.0
* Add support for fido2 1.0
* Drop support for fido2 < 1.0
* Provide fido2 JS functions without side effects
## 0.43
* Handle InvalidStateError
* Drop `FIDO_CERTIFIED` from `AUTH_LEVELS`
## 0.42
* Export createTranslations function in fido2.js
## 0.41
* Fix reversing of the order of statusReports in metadata
## 0.40
* Pin fido2 to ~= 0.9
* Drop support for Django 2.x
* Fix package build with setuptools-npm
## 0.39
* Fix uncaught exception when user does not exist
## 0.38
* Fix Authenticator.metadata if no identifier is present
* Added passwordless auth backend
## 0.37
* Drop support for Django 1.11
* Drop support for python 3.5
* Sets a default_auto_field
* Fix django.conf.urls deprecation warnings
* Added user_handle field to Authenticator model
* Added DJANGO_FIDO_RESIDENT_KEY (default False) app setting
* Restructured js handling key registration and exposed additional functions
## 0.36
* Sort users in admin Authenticator add form by username
* Sort statusReport dictionary in metadata
## 0.35
* Change authenticate request arg to positional
* Fix metadata for empty credential_data
* Bump path-parse from 1.0.6 to 1.0.7
* Proper cleanup of database model under MDS3
## 0.34 ##
* Fix MDS3 metadata verification
## 0.33 ##
* Support for MDSv3 AuthenticatorMetadata
## 0.32 ##
* Fix authentication for devices without counter support
## 0.31 ##
* Support for `fido2` library `>0.9.0`
* Add tests under django 3.1
* Handle when multiple device metadata are returned
* JS fixes and updates
## 0.30 ##
* Counter is now stored as BigInteger.
* Restrict version of `fido2` library to `<0.9.0`.
## 0.29 ##
* Catch `InvalidAttestation` error in registration view.
## 0.28 ##
* Updated error strings to be more informative.
## 0.27 ##
* Throw form error on unknown attestation format instead of a server error.
## 0.26 ##
* Improve metadata matching for U2F authenticators.
## 0.25 ##
* **BREAKING** - AuthenticatorMetadata are now looked up by URL and not by an identifier. If you are downloading metadata, you need to clear them all and re-download to prevent multiple objects for each authenticator.
* Update JS dependencies
## 0.24 ##
* Metadata validation
## 0.23 ##
* Display no authenticator error
* `error` key in repsponse of `BaseFido2RequestView` is now deprecated and will be removed in the future
* Added metadata download and reporting
## 0.22 ##
* Use username as a backup `displayName`
## 0.21 ##
* Create FIDO errors list when needed unless it already exists
* Clear FIDO errors list before each registration or authentication request
## 0.20 ##
* Fix Django 3.0 compatibility issues in templates
## 0.19 ##
* Added class attribute `attestation_types` to `Fido2ViewMixin` to specify allowed attestation types during registration.
* Set default value of setting `DJANGO_FIDO_AUTHENTICATION_BACKENDS` to list containing `django.contrib.auth.backends.ModelBackend`
## 0.18 ##
* Fix issue caused by default value of `DJANGO_FIDO_AUTHENTICATION_BACKENDS`. It is now empty list.
## 0.17 ##
* **BREAKING** Replace `Fido2ModelAuthenticationBackend` with more general `Fido2GeneralAuthenticationBackend`.
## 0.16 ##
* **BREAKING** Authenticator `label` has to be unique for user. This can potentialy break if you have multiple tokens for user.
* Add authenticator admin.
* Add one step authentication.
## 0.15 ##
* Add ``DJANGO_FIDO_RP_NAME`` setting.
* Add back autosubmit on login view.
* Display error in login view on server request error.
## 0.14 ##
* Add label to Authenticator model.
* Remove autosubmit on registration view.
* Update JS dependencies.
## 0.13 ##
* Support fido2 0.6-0.8.
* Add support for python 3.8.
* Fixup annotations.
## 0.12 ##
* Fix dependencies (add webpack-cli).
## 0.11 ##
* Fix webpack output path.
## 0.10 ##
* Fix dependencies (add webpack).
## 0.9 ##
* Refactor JS code.
* Update setup.
* Add bumpversion.
## 0.8 ##
* Fix JS translation lazynes.
* For empty values, submit button reload page.
## 0.7 ##
* Add credential ID field.
* Drop `credential_data` field.
* Update error messages.
* Mark django-fido as typed.
* Add JS hooks.
## 0.6 ##
* Use FIDO 2 instead of U2F.
* Drop python 2.7.
* Add annotations and mypy check.
* Move repository to a CZ.NIC account.
## 0.5 ##
* Fix JS translation lazynes
## 0.4 ##
* Update JS messages.
* Drop unused `polint` environment in tox.
## 0.3 ##
* Store attestation certificate in database #6
* Install package data #7
## 0.2 ##
* Accept any arguments in `BaseU2fRequestView.get`
* Add czech translations
* Fix links in README
## 0.1 ##
* Initial version
Raw data
{
"_id": null,
"home_page": "https://github.com/CZ-NIC/django-fido",
"name": "django-fido",
"maintainer": "",
"docs_url": null,
"requires_python": "~=3.7",
"maintainer_email": "",
"keywords": "django,fido,u2f,fido2",
"author": "Vlastimil Z\u00edma",
"author_email": "vlastimil.zima@nic.cz",
"download_url": "https://files.pythonhosted.org/packages/59/54/6853876da4d1624464f17e159b97374eeb09803afcfbfe59480e19c13b93/django-fido-1.2.1.tar.gz",
"platform": null,
"description": "# django-fido #\n\n[](https://github.com/CZ-NIC/django-fido/actions/workflows/python-test.yml)\n[](https://github.com/CZ-NIC/django-fido/actions/workflows/js-test.yml)\n[](https://codecov.io/gh/CZ-NIC/django-fido)\n\n> Django application for FIDO protocol\n\nDjango-fido provides basic components for FIDO 2 authentication - model to store user's FIDO 2 authenticator data and basic views.\n\n## Table of Contents ##\n- [Dependencies](#dependencies)\n- [Configuration](#configuration)\n- [Changes](#changes)\n- [Testing](#testing)\n- [License](#license)\n\n## Dependencies ##\n * Python 3.5 and higher\n * Django >= 3.0\n\n## Configuration ##\n\n1. Add `django_fido` to `INSTALLED_APPS`.\n2. Add `django_fido.backends.Fido2AuthenticationBackend` to `AUTHENTICATION_BACKENDS`.\n3. Link django-fido URLs into your `urls.py`:\n\n urlpatterns += [\n url(r'', include('django_fido.urls')),\n ]\n\n4. If you wish, set string variable `DJANGO_FIDO_RP_NAME`.\n\n### Extra configuration ###\n#### DJANGO_FIDO_RESIDENT_KEY ####\nDefault: False\n\nPurpose: Set to True to enable discoverable credentials, private key and associated metadata is stored in persistent memory on the authenticator. This is useful for passwordless authentication.\n\n## One step authentication\n\nYou can also decide to use one step authentication.\nIn this case, you will use just one authentication form, that will collect username, password and FIDO2 credentials.\nIn addition to the configuration above, you also need to:\n\n1. Set `DJANGO_FIDO_TWO_STEP_AUTH` to `False`.\n2. Replace `django_fido.backends.Fido2AuthenticationBackend` with\n `django_fido.backends.Fido2GeneralAuthenticationBackend` in `AUTHENTICATION_BACKENDS`.\n3. Set `DJANGO_FIDO_AUTHENTICATION_BACKENDS` to the list of your additional authentication backends, if you use others\n than `django.contrib.auth.backends.ModelBackend`.\n4. Set `data-autosubmit-off` attribute on the form element of your login page.\n\nPlease note that your login form must have a field named `username`, even if your `USERNAME_FIELD` is not `username`.\n\n## Metadata download\n\nIf you want to be able to download authenticator metadata, you need to set `DJANGO_FIDO_METADATA_SERVICE` setting which is a dictionary.\nThe MDS is available in two versions v2 (deprecated) and v3 (current).\nIf you want to use MDSv2, you have to set a valid `ACCESS_TOKEN`.\nIf you want to use MDSv3, you have to set `MDS_FORMAT` to `3` and set a valid `URL` providing the MDSv3 data.\nThen you can periodically run the `download_authenticator_metadata` management command.\nIf metadata are available for the given `Authenticator`, its `metadata` property will be an object.\nThe `level`, `vulnerabilities` and `is_update_available` methods on `metadata` can be used to determine the trust and certification level.\n\n## Passwordless\n\nThis authentication requires \"discoverable credential\" and using that credential to perform a user lookup using the passwordless authentication backend\n\n1. Set `DJANGO_FIDO_RESIDENT_KEY` to `True`\n2. Set 'DJANGO_FIDO_PASSWORDLESS_AUTH' to 'True'\n3. Set 'DJANGO_FIDO_TWO_STEP_AUTH' to 'False'\n3. Replace `django_fido.backends.Fido2AuthenticationBackend` with\n `django_fido.backends.Fido2PasswordlessAuthenticationBackend` in `AUTHENTICATION_BACKENDS`.\n\n# Set user verification requirement\n\nSet `DJANGO_FIDO_USER_VERIFICATION` to `required`, `preferred` or `discouraged`, default is `None`\n\n## Changes ##\nSee [changelog](https://github.com/CZ-NIC/django-fido/blob/master/CHANGELOG.md).\n\n## Testing ##\nUse `tox` to run tests\n\n tox\n\n## License ##\n\nSee [LICENSE](https://github.com/CZ-NIC/django-fido/blob/master/LICENSE).\n\n# Changelog #\n## 1.2.1\n * Fixed metadata lookup for devices with device certificate directly in MDS\n\n## 1.2.0\n * Changed redirect after adding authenticator in administration to changelist instead of change view\n * Made `user_handle` in admin readonly\n * Upgrade to nodejs 18.x\n * Fixed resident key registration\n\n## 1.1.0\n * Add support for fido2 1.1\n * Drop support for fido2 < 1.1\n * Export js translations for optional modifications\n\n## 1.0.1\n * Pin fido2 dependency\n\n## 1.0.0\n * Add support for fido2 1.0\n * Drop support for fido2 < 1.0\n * Provide fido2 JS functions without side effects\n\n## 0.43\n * Handle InvalidStateError\n * Drop `FIDO_CERTIFIED` from `AUTH_LEVELS`\n\n## 0.42\n * Export createTranslations function in fido2.js\n\n## 0.41\n * Fix reversing of the order of statusReports in metadata\n\n## 0.40\n * Pin fido2 to ~= 0.9\n * Drop support for Django 2.x\n * Fix package build with setuptools-npm\n\n## 0.39\n * Fix uncaught exception when user does not exist\n\n## 0.38\n * Fix Authenticator.metadata if no identifier is present\n * Added passwordless auth backend\n\n## 0.37\n * Drop support for Django 1.11\n * Drop support for python 3.5\n * Sets a default_auto_field\n * Fix django.conf.urls deprecation warnings\n * Added user_handle field to Authenticator model\n * Added DJANGO_FIDO_RESIDENT_KEY (default False) app setting\n * Restructured js handling key registration and exposed additional functions\n\n## 0.36\n * Sort users in admin Authenticator add form by username\n * Sort statusReport dictionary in metadata\n\n## 0.35\n * Change authenticate request arg to positional\n * Fix metadata for empty credential_data\n * Bump path-parse from 1.0.6 to 1.0.7\n * Proper cleanup of database model under MDS3\n\n## 0.34 ##\n * Fix MDS3 metadata verification\n\n## 0.33 ##\n * Support for MDSv3 AuthenticatorMetadata\n\n## 0.32 ##\n * Fix authentication for devices without counter support\n\n## 0.31 ##\n * Support for `fido2` library `>0.9.0`\n * Add tests under django 3.1\n * Handle when multiple device metadata are returned\n * JS fixes and updates\n\n## 0.30 ##\n * Counter is now stored as BigInteger.\n * Restrict version of `fido2` library to `<0.9.0`.\n\n## 0.29 ##\n * Catch `InvalidAttestation` error in registration view.\n\n## 0.28 ##\n * Updated error strings to be more informative.\n\n## 0.27 ##\n * Throw form error on unknown attestation format instead of a server error.\n\n## 0.26 ##\n * Improve metadata matching for U2F authenticators.\n\n## 0.25 ##\n * **BREAKING** - AuthenticatorMetadata are now looked up by URL and not by an identifier. If you are downloading metadata, you need to clear them all and re-download to prevent multiple objects for each authenticator.\n * Update JS dependencies\n\n## 0.24 ##\n * Metadata validation\n\n## 0.23 ##\n * Display no authenticator error\n * `error` key in repsponse of `BaseFido2RequestView` is now deprecated and will be removed in the future\n * Added metadata download and reporting\n\n## 0.22 ##\n * Use username as a backup `displayName`\n\n## 0.21 ##\n * Create FIDO errors list when needed unless it already exists\n * Clear FIDO errors list before each registration or authentication request\n\n## 0.20 ##\n * Fix Django 3.0 compatibility issues in templates\n\n## 0.19 ##\n * Added class attribute `attestation_types` to `Fido2ViewMixin` to specify allowed attestation types during registration.\n * Set default value of setting `DJANGO_FIDO_AUTHENTICATION_BACKENDS` to list containing `django.contrib.auth.backends.ModelBackend`\n\n## 0.18 ##\n * Fix issue caused by default value of `DJANGO_FIDO_AUTHENTICATION_BACKENDS`. It is now empty list.\n\n## 0.17 ##\n * **BREAKING** Replace `Fido2ModelAuthenticationBackend` with more general `Fido2GeneralAuthenticationBackend`.\n\n## 0.16 ##\n * **BREAKING** Authenticator `label` has to be unique for user. This can potentialy break if you have multiple tokens for user.\n * Add authenticator admin.\n * Add one step authentication.\n\n## 0.15 ##\n * Add ``DJANGO_FIDO_RP_NAME`` setting.\n * Add back autosubmit on login view.\n * Display error in login view on server request error.\n\n## 0.14 ##\n * Add label to Authenticator model.\n * Remove autosubmit on registration view.\n * Update JS dependencies.\n\n## 0.13 ##\n * Support fido2 0.6-0.8.\n * Add support for python 3.8.\n * Fixup annotations.\n\n## 0.12 ##\n * Fix dependencies (add webpack-cli).\n\n## 0.11 ##\n * Fix webpack output path.\n\n## 0.10 ##\n * Fix dependencies (add webpack).\n\n## 0.9 ##\n * Refactor JS code.\n * Update setup.\n * Add bumpversion.\n\n## 0.8 ##\n * Fix JS translation lazynes.\n * For empty values, submit button reload page.\n\n## 0.7 ##\n * Add credential ID field.\n * Drop `credential_data` field.\n * Update error messages.\n * Mark django-fido as typed.\n * Add JS hooks.\n\n## 0.6 ##\n * Use FIDO 2 instead of U2F.\n * Drop python 2.7.\n * Add annotations and mypy check.\n * Move repository to a CZ.NIC account.\n\n## 0.5 ##\n * Fix JS translation lazynes\n\n## 0.4 ##\n * Update JS messages.\n * Drop unused `polint` environment in tox.\n\n## 0.3 ##\n * Store attestation certificate in database #6\n * Install package data #7\n\n## 0.2 ##\n * Accept any arguments in `BaseU2fRequestView.get`\n * Add czech translations\n * Fix links in README\n\n## 0.1 ##\n * Initial version\n",
"bugtrack_url": null,
"license": "",
"summary": "Django application for FIDO protocol",
"version": "1.2.1",
"split_keywords": [
"django",
"fido",
"u2f",
"fido2"
],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "a315bc4d95c8b64ffd03e2bd93c1001465840bcd6828a6544112c93b234a414c",
"md5": "5911b9fc07bf7b9617535f9933c2140c",
"sha256": "305265319eedf7e46b7af8e34db79f2fc465a10afc3604eb85f89c6a7dacdd98"
},
"downloads": -1,
"filename": "django_fido-1.2.1-py3-none-any.whl",
"has_sig": false,
"md5_digest": "5911b9fc07bf7b9617535f9933c2140c",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": "~=3.7",
"size": 648699,
"upload_time": "2023-03-22T15:46:50",
"upload_time_iso_8601": "2023-03-22T15:46:50.718131Z",
"url": "https://files.pythonhosted.org/packages/a3/15/bc4d95c8b64ffd03e2bd93c1001465840bcd6828a6544112c93b234a414c/django_fido-1.2.1-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": "",
"digests": {
"blake2b_256": "59546853876da4d1624464f17e159b97374eeb09803afcfbfe59480e19c13b93",
"md5": "563e2cf5d9557521fc02fc0f4649bf26",
"sha256": "91c9b6ed561f8a2ac4e6a69f1bc24df17998235d3f494f89419c26325c7e073d"
},
"downloads": -1,
"filename": "django-fido-1.2.1.tar.gz",
"has_sig": false,
"md5_digest": "563e2cf5d9557521fc02fc0f4649bf26",
"packagetype": "sdist",
"python_version": "source",
"requires_python": "~=3.7",
"size": 641433,
"upload_time": "2023-03-22T15:46:52",
"upload_time_iso_8601": "2023-03-22T15:46:52.527464Z",
"url": "https://files.pythonhosted.org/packages/59/54/6853876da4d1624464f17e159b97374eeb09803afcfbfe59480e19c13b93/django-fido-1.2.1.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2023-03-22 15:46:52",
"github": true,
"gitlab": false,
"bitbucket": false,
"github_user": "CZ-NIC",
"github_project": "django-fido",
"travis_ci": false,
"coveralls": false,
"github_actions": true,
"tox": true,
"lcname": "django-fido"
}
JSON
