This thread carries on from a thread which started on another topic, specifically: URL woes.
In short, Ken and I were discussing ways to implement Central Authentication Service (CAS) in Django in a way which could support multiple CAS servers, i.e. one for an Irish university and one for a Spanish university performing authentication for a single Django service.
On to the thread continuation.
We’re definitely on the same page about authentication versus authorisation but it is entirely possible that I have gotten myself tangled up in a Django plugin soup. Having django-cas-ng map a successful authentication from a CAS server to an instance of a user model in my DB is absolutely what I need, but like you mentioned it appears that there will be a mismatch with the user’s provided email and the username that will come from CAS - in this case it comes from Kerberos.
I may have been looking at this from the wrong angle and trying to solve a problem which may not actually exist. If I move away from the constraint of having a predefined user from uni X, i.e. firstname.lastname@example.org in my database before they log in for the first time, I could instead just have django-cas-ng create an instance of a user sally-from-kerberos if she doesn’t already exist. That being said, when I wrote in my last post that I could accept a user’s email, it wasn’t for the purposes of authentication, but rather just to get the CAS service to which I should redirect the user.
The next issue I will have is that I will have multiple universities which use different instances of CAS. Like you said, there is the possibility of using the django-cas-server (more reading needed) but it looks to have a nice way of authenticating users against an external CAS server which can easily be passed an instance of .cas.CASClient which one can pass into .federate.CASFederateValidateUser(). Making multiple views, one for each university should be quite straightforward when compared with my previous thinking around extensively reworking the django-ng-client.
If you were to go down the path where I used the django-ng-client to authenticate against my own instance of django-cas-server, would you split the functions into two separate Django instances?
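The email-as-routing-hint idea described in the post, as an added example that is not part of the original post and not code from django-cas-ng or django-cas-server: the email only selects which CAS server to redirect to from an allowlist, each realm gets its own callback URL, and the CAS-asserted username is namespaced per realm so the same Kerberos name at two universities maps to two different local users. All hostnames, realm labels, paths and function names are assumptions made for illustration.

```python
from urllib.parse import urlencode

# Constructed sample registry: email domain -> (realm label, CAS base URL).
# Hostnames are placeholders, not real university servers.
CAS_SERVERS = {
    "uni-ie.example": ("ie", "https://cas.uni-ie.example/cas"),
    "uni-es.example": ("es", "https://cas.uni-es.example/cas"),
}
SERVICE_BASE = "https://app.example/accounts/cas"  # hypothetical callback root


class UnknownRealm(ValueError):
    """Raised when the email domain has no configured CAS server."""


def realm_for_email(email):
    """Return the realm label for an email; the email is a routing hint only."""
    local, sep, domain = email.strip().rpartition("@")
    domain = domain.lower().rstrip(".")
    # Only allowlisted domains are routed; user input never supplies the URL.
    if not sep or not local or domain not in CAS_SERVERS:
        raise UnknownRealm("no CAS server configured for this address")
    return CAS_SERVERS[domain][0]


def service_url(realm):
    """Per-realm callback, so a ticket is validated only against its own server."""
    return f"{SERVICE_BASE}/{realm}/callback"


def login_redirect(email):
    """Build the CAS /login redirect for the server that owns the email domain."""
    realm = realm_for_email(email)
    base = next(url for label, url in CAS_SERVERS.values() if label == realm)
    return f"{base}/login?{urlencode({'service': service_url(realm)})}"


def local_username(realm, cas_username):
    """Namespace the CAS-asserted name so one name at two realms never collides."""
    name = cas_username.strip()
    if not name or "@" in name:
        raise ValueError("unexpected CAS username")
    return f"{name}@{realm}"
```

The local user is derived from the realm of the callback that received the ticket plus the username that server asserted, never from the email typed on the routing form.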