Nice HTTP authentication support for Django
pip install dj-authentication==0.2.0
This is a simple, ready-to-use module for handling any standard kind of authentication in Django apps, without writing any code. However - if you have greater needs - this is also a uniform, configurable and extensible framework you can use to do whatever you need.
We are only getting started. More generic auth mechanisms are going to be added in the future (see Planned features).
pip install dj-authentication
'dj_authentication'
to the list of INSTALLED_APPS
.'django.contrib.auth.middleware.AuthenticationMiddleware'
from the list of MIDDLEWARE
s.dj_authentication.request_http_auth.HTTPAuthMiddleware
to the list of MIDDLEWARE
s.request.user
, for example:REQUEST_USER_BACKENDS = [
'dj_authentication.methods.basic', # HTTP Basic Auth
'dj_authentication.methods.bearer', # OAuth Bearer Token Auth
'django.contrib.auth',
]
This method checks the provided username and password against configured Django authentication backends.
To trigger an authentication dialog in a browser, if the user is not authenticated:
if not request.user.is_authenticated:
return HttpResponse(status=401)
This method checks the provided bearer token against the OpenID Connect module, described below.
openid
module - OpenID Connect / OAuth supportdj_authentication
includes an implementation of OpenID Connect / OAuth token verification and issuance.
You can configure the list of trusted OpenID Providers by providing their URLs thru (*_)AUTH_URL
environment variables, like:
GOOGLE_AUTH_URL=https://client_id@accounts.google.com
FACEBOOK_AUTH_URL=facebook+https://app_id@facebook.com
All conforming OpenID Providers are supported; some other services too - see the list at python-openid-connect. However, only conforming OpenID Providers that issue id_tokens are supported automatically in the Bearer auth.
You can verify tokens using:
dj_authentication.openid.verify()
function - on the OAuth callback URL, you should pass all the GET parameters you've received to this function. Some of the understood parameters are id_token
, iss
(for non-OpenID OAuth servers, for example https://facebook.com
), token_type
, access_token
. Note that providing the iss
parameter is required for legacy OAuth servers.dj_authentication.methods.bearer
request.user backend - you can pass id_token
s returned by the OpenID Providers in the Authorization: Bearer
header, and this backend will automatically verify them to provide request.user.id_token
s are verified against the jwks_uri
.access_token
s are used to access userinfo endpoints and obtain user information.By default, dj_authentication.methods.bearer
sets the request.user
to a dict with the data decoded from the id_token, with is_authenticated = True
property added.
To have it automatically map the ID data to a true user object, set the MAP_ID_TO_USER_FUNC
variable. dj_authentication provides two ready-to-use functions:
'dj_authentication.user_mappings:map_email'
- it looks up the users by the email address'dj_authentication.user_mappings:map_sub_to_username'
- it looks up the users using OpenID token subject as the usernameYou can also issue and verify your own JWT id_tokens - just set OPENID_PROVIDER = 'dj_authentication.openid:SimpleDjangoProvider'
in the settings.py
file and use the dj_authentication.openid.issue()
function. They will be signed with the Django SECRET_KEY
.
REQUEST_USER_BACKENDS = [
'dj_authentication.methods.basic',
'django.contrib.auth',
]
AUTHENTICATION_BACKENDS = [] # Fully disable session-based auth; you may choose to delete django.contrib.auth from INSTALLED_APPS too.
REQUEST_USER_BACKENDS = [
'dj_authentication.methods.bearer',
]
os.environ['GOOGLE_AUTH_URL'] = 'https://client_id@accounts.google.com'
REQUEST_USER_BACKENDS = [
'django.contrib.auth',
]
OPENID_PROVIDER = 'dj_authentication.openid:SimpleDjangoProvider' # for tokens sent in email verification messages
os.environ['GOOGLE_AUTH_URL'] = 'https://client_id@accounts.google.com'
os.environ['FACEBOOK_AUTH_URL'] = 'facebook+https://app_id@facebook.com'
REQUEST_USER_BACKENDS = [
'dj_authentication.methods.bearer',
'django.contrib.auth',
]
OPENID_PROVIDER = 'dj_authentication.openid:SimpleDjangoProvider' # for tokens sent in email verification messages
MAP_ID_TO_USER_FUNC = 'dj_authentication.user_mappings:map_email'
os.environ['GOOGLE_AUTH_URL'] = 'https://client_id@accounts.google.com'
os.environ['FACEBOOK_AUTH_URL'] = 'facebook+https://app_id@facebook.com'
access_token
and code
against at_hash
and c_hash
- to return them from verify()
id_token
s verified against a single configured OAuth/OIDC auth server thru Introspection Endpoint
id_token
s verified against the Django session system (aka sending the session key as the Bearer token)private_key_jwt
scheme