I want to create several different web apps and have each one share credentials for my users, but be separate, so people could subscribe to one or all of them, with the same creds, but they would all maintain separate areas. So if they logged into the back end and clicked on an app they aren’t licensed for they see a marketing page. What’s the best way to build this? I have been working on django tutorials and it looks like I’d create an accounts app to house the creds and then build separate apps with their own permissions from the accounts app? Am I moving in the correct direction?
Thank you.
There are different ways you can approach this - and your selection among them is going to depend upon how closely these different areas are related, logically and physically.
If you create all these areas as Django apps within the same project, then your ideas work normally as any other Django project with areas governed by the Django permission system.
Or, you could create these areas as separate Django projects with a common authentication system such as CAS but each project otherwise independent.
Either way, you have lots of choices.
However, what you really want is to be extremely clear about the difference between authentication and authorization. While the two are typically talked about together, they are separate topics.
Authentication can be centralized - you can maintain one repository with usernames and passwords. Its function is only to try to assure that the person trying to access the system is the right person trying to use that account. That facility by itself doesn’t have to share any data with your authorization system.
The authorization system defines what permissions that a given account has within a system. The working assumption is that the individual trying to access that section has already been authenticated. The authorization system doesn’t care how the account was authenticated.
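The separation described above, as an added illustration that is not code from the thread or from Django itself: a centralized credential store answers only "is this the account holder?", while a separate authorizer decides which app an account is licensed for, using Django-style `app_label.codename` permission strings. `Authenticator`, `Authorizer` and `route` are assumed names; the usernames and permission names are constructed sample data.

```python
import hashlib
import hmac
import os


# Authentication: a single credential repository (constructed in-memory store,
# username -> (salt, PBKDF2 hash)). It shares nothing with authorization.
class Authenticator:
    def __init__(self):
        self._users = {}

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def register(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, self._derive(password, salt))

    def authenticate(self, username, password):
        """Return the username on success, None otherwise."""
        record = self._users.get(username)
        if record is None:
            return None
        salt, stored = record
        # Constant-time compare so timing does not reveal how many bytes matched.
        if hmac.compare_digest(stored, self._derive(password, salt)):
            return username
        return None


# Authorization: which apps an already-authenticated account may use.
# Permission strings mirror Django's "app_label.codename" convention.
class Authorizer:
    def __init__(self):
        self._perms = {}  # username -> set of permission codenames

    def grant(self, username, perm):
        self._perms.setdefault(username, set()).add(perm)

    def has_perm(self, username, perm):
        return perm in self._perms.get(username, set())


def route(authorizer, username, app_label):
    """Licensed users reach the app; unlicensed ones get the marketing page."""
    if username is None:          # not authenticated at all
        return "login"
    if authorizer.has_perm(username, f"{app_label}.access_app"):
        return f"{app_label}:dashboard"
    return f"{app_label}:marketing"
```

Note that `route` never looks at a password and `Authenticator` never looks at a licence, which is exactly the boundary the reply above draws.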
First off, thank you for your reply, I appreciate it very much.
So if I understand you correctly, given the difference between authorization and authentication, and that these apps are shared on the platform I am building, I could have the authentication and authorization system in the django project with all the apps; the authentication lets them in to the system and the authorization dictates which app they can use. Are there any drawbacks with the approach? Essentially all the apps are related towards one type of business, with a base that then has addons, like many other SaaS products provide. My goal is a base charge per month per user, then an add on fee for each additional app.
Thanks again, I really appreciate the response.
Yes, you’ve got it - with the addition that the authorization can also be used to determine what actions within an app a person can use.
No, it’s a typical approach. (And what the apps do really doesn’t matter to the more fundamental security layer.)
Great thank you, I’ve already fleshed it out and have begun building the auth and DB apps to interact with the others. Thanks again.