Auto Authenticate Users

Hi,
We are in the process of migrating our LMS to OpenEdx which seems to be a great option for us. LMS is just one part of our platform. We are trying to make the auth flow seamless for the users.

The problem statement is: We want the users to be authenticated when they come on OpenEdx from our platform (only if the user is already logged in on our platform).

Sample flow


The above diagram shows our sample architecture.

Note:

  • All these will be on the same domain (different sub-domains).
  • Platform X and Y use the same database, but OpenEdx will use a separate database.

After going through the SSO features that OpenEdx provides, I was not able to come up with a solution that would solve my problem (I agree this might be a particular case).
If I am missing something here, please share the particular resource.

Possible solution I came up with
Share cookies across our domain (SESSION_COOKIE_DOMAIN = "example.com") and add a Django middleware that performs the following functions:

  1. Checks if the user is authenticated (request.user.is_authenticated). If authenticated, does nothing.
  2. If not authenticated, makes a request to platform X (a private API/URL which can be used to exchange some basic user info) which passes the session along with the request. If we receive the user info, then get_or_create(**user_info) and log in the user.
    Here’s the pseudocode of the middleware:
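from typing import Any

import requests
from django.contrib.auth import get_user_model, login


class CustomAuthMiddleware:
    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request, *args: Any, **kwds: Any) -> Any:
        # Must run after AuthenticationMiddleware, which sets request.user.
        if not request.user.is_authenticated:
            # get_request_session_headers(), create_user() and
            # redirect_to_platform_x_login() are helpers not shown here.
            resp = requests.get(
                "https://example.com/private-api/get-user",
                headers={**get_request_session_headers(request), "Authorization": "Bearer Token"},
                timeout=5,
            )
            user_info = resp.json() if resp.ok else None
            if not user_info:
                return redirect_to_platform_x_login()
            User = get_user_model()
            try:
                user = User.objects.get(email=user_info.get("email"))
            except User.DoesNotExist:
                user = create_user(user_info)  # expected to return the new user
            # With several AUTHENTICATION_BACKENDS, login() also needs backend=...
            login(request, user)
        response = self.get_response(request)
        return response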

If you guys see any kind of flaws in this case, please do share them.

I’m pretty sure what you’d want to have that middleware do is to update or create an Open edX user record matching your other DB, and then generate a login session from that. Otherwise there would almost certainly be a large number of places in the code that would be trying to look up the user by ID, etc.

But probably the simplest thing would be to 1) configure Open edX to use your IdP for SSO, and then 2) have a middleware that autoredirects to the SSO login flow whenever an unauthenticated request comes in. (There may even already be a way to do that, for all I know. I haven’t checked.) Such a middleware would likely be worth contributing back to the project, too.

1 Like
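
One way to write the auto-redirect middleware suggested in the reply above, as an added example that is not part of the thread and is not Open edX code. `SSO_LOGIN_URL` and `EXEMPT_PREFIXES` are assumed values for a hypothetical deployment; the redirect decision lives in a plain function so the loop-avoidance and `next` handling can be checked without Django.

```python
from urllib.parse import urlencode, urlsplit

# Assumptions (not from the thread): where the SSO flow starts on this
# deployment and which path prefixes must stay reachable without a session.
SSO_LOGIN_URL = "/auth/login/example-idp/"
EXEMPT_PREFIXES = ("/auth/", "/static/", "/api/")


def safe_next(full_path):
    """Return full_path only if it is a same-site relative URL, else "/"."""
    parts = urlsplit(full_path)
    relative = full_path.startswith("/") and not full_path.startswith("//")
    if parts.scheme or parts.netloc or "\\" in full_path or not relative:
        return "/"
    return full_path


def sso_redirect_for(method, full_path, is_authenticated):
    """Return the URL to redirect to, or None to let the request through."""
    if is_authenticated:
        return None
    # Only redirect page loads; redirecting a POST would drop its body,
    # so those fall through to the view's own permission handling.
    if method not in ("GET", "HEAD"):
        return None
    path = urlsplit(full_path).path
    # Exempt the SSO endpoints themselves, otherwise the callback loops.
    if any(path.startswith(prefix) for prefix in EXEMPT_PREFIXES):
        return None
    return SSO_LOGIN_URL + "?" + urlencode({"next": safe_next(full_path)})


class AutoSSORedirectMiddleware:
    """Django-style middleware; list it after AuthenticationMiddleware."""

    def __init__(self, get_response):
        self.get_response = get_response

    def __call__(self, request):
        target = sso_redirect_for(
            request.method, request.get_full_path(), request.user.is_authenticated
        )
        if target is not None:
            from django.http import HttpResponseRedirect  # requires Django
            return HttpResponseRedirect(target)
        return self.get_response(request)
```
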

Thanks for the response and that’s a great solution @Tim_McCormack.
I would be happy to contribute to OpenEdx if there is no such middleware.

@ShreehariVaasishta this topic looks very similar to what we’re talking about over here: SSO Authentication

Is that correct or are you looking for something different?

Yes, I’m looking for something similar @feanil. Thanks for sharing.