Add django-authlib to enable SSO using GitHub into Django admin #4342
Labels
💻 aspect: code (Concerns the software code in the repository)
🧰 goal: internal improvement (Improvement that benefits maintainers, not users)
🟩 priority: low (Low priority and doesn't need to be rushed)
🧱 stack: api (Related to the Django API)
Problem
As part of #383, we use a GitHub group in Cloudflare Access to allow some folks through to the Django admin site. However, we then also need to create separate Django accounts for them, including temporary passwords, and such.
It would be nice if we had some kind of SSO (in addition to another option that doesn't rely on a third party) for logging into Django Admin, and GitHub is a good option because we already manage user ACL through GitHub teams anyway.
Description
Add https://github.com/matthiask/django-authlib to the Django API, and incorporate it into Django Admin. Only allow members of the teams @WordPress/openverse-maintainers and @WordPress/openverse-content-moderators to sign in with GitHub SSO. Assign an appropriate Django role for each team. For members of openverse-maintainers, assign them as admins. For openverse-content-moderators, assign them the content moderator role.
Alternatives
Manage Django admin users by hand.
Host our own OIDC provider and don't use GitHub's authentication at all, not even for Cloudflare Access.
Additional context
This is just a "nice to have", nothing more.
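
The team-to-role rule from the Description, sketched as an added example; it is not part of the original issue and does not use django-authlib's API. It assumes the membership data is the parsed JSON body of GitHub's team membership endpoint (`None` for a 404), that "admin" means `is_staff` plus `is_superuser`, and that the moderator role is a Django group named `Content Moderator`; the function names and the dict standing in for a Django user are hypothetical.

```python
from dataclasses import dataclass

# Team slug -> Django flags, highest privilege first. The group name
# "Content Moderator" is an assumption; the team slugs come from the issue.
TEAM_ROLES = (
    ("openverse-maintainers", True, ()),
    ("openverse-content-moderators", False, ("Content Moderator",)),
)

@dataclass(frozen=True)
class AdminAccess:
    allowed: bool = False
    is_superuser: bool = False
    groups: tuple = ()
    via_team: str = ""

def is_active_member(membership):
    """membership: parsed JSON from GitHub's team membership endpoint, None on 404.
    Only state == "active" counts; a pending invitation must not grant access."""
    return isinstance(membership, dict) and membership.get("state") == "active"

def resolve_admin_access(memberships):
    """Fail closed: missing, pending or malformed entries yield no access."""
    for slug, superuser, groups in TEAM_ROLES:
        if is_active_member(memberships.get(slug)):
            return AdminAccess(True, superuser, groups, slug)
    return AdminAccess()

def apply_access(user, access):
    """Overwrite (never merge) the flags on every SSO login, so leaving a
    team revokes admin rights. `user` is a dict standing in for a Django user."""
    user.update(is_staff=access.allowed, is_superuser=access.is_superuser,
                groups=list(access.groups))
    return user

if __name__ == "__main__":
    # Constructed sample: pending maintainer invite, active moderator membership.
    sample = {
        "openverse-maintainers": {"state": "pending", "role": "member"},
        "openverse-content-moderators": {"state": "active", "role": "member"},
    }
    print(apply_access({"username": "example-user"}, resolve_admin_access(sample)))
```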