Reusable OpenID Connect relying party (authorization code + PKCE) for Django, backed by Authlib.

Project description

dbd-django-oidc-client

A small, reusable OpenID Connect relying party for Django. It implements the authorization-code flow with PKCE, state, and nonce, and provides class-based views you subclass per application.

Design

  • Owns no models. The library hands you validated claims and a hook; your app owns persistence.
  • Engine backed by Authlib + joserfc. PKCE (S256), the authorization request, and the code-for-token exchange use Authlib's OAuth2Session. The ID token's signature and OIDC claims (iss, aud, exp) are verified with joserfc and CodeIDToken, with signing algorithms pinned to an asymmetric allowlist.
  • One injectable HTTP session. Discovery and JWKS calls go through a single requests.Session, swappable via OIDC_CLIENT["session"].
  • OpenTelemetry is optional. Install the otel extra to record a token-exchange counter and span; without it, no-op shims are used.
  • Safe across concurrent tabs. Logins are isolated by OAuth state, so two tabs do not clobber each other, and each attempt can be used only once.
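
How the last design point can work in practice, as an added example that is not the library's own code: each login attempt keeps its PKCE verifier and nonce under its own state value and is removed on first use. The session key and function names are assumptions, and a plain dict stands in for the Django session.

```python
import base64
import hashlib
import hmac
import secrets

NAMESPACE = "oidc_attempts"  # assumed session key, not the library's


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def s256_challenge(verifier: str) -> str:
    """RFC 7636 S256: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def begin_login(session: dict) -> dict:
    """Create one attempt and return the authorization request parameters."""
    state = secrets.token_urlsafe(32)
    attempt = {
        "code_verifier": secrets.token_urlsafe(64),  # 86 chars, within 43-128
        "nonce": secrets.token_urlsafe(32),
    }
    # Keyed by state: a second tab adds its own entry instead of overwriting.
    session.setdefault(NAMESPACE, {})[state] = attempt
    return {
        "state": state,
        "nonce": attempt["nonce"],
        "code_challenge": s256_challenge(attempt["code_verifier"]),
        "code_challenge_method": "S256",
    }


def finish_login(session: dict, returned_state: str) -> dict:
    """Consume the attempt for this state; unknown or replayed state fails."""
    attempt = session.get(NAMESPACE, {}).pop(returned_state, None)
    if attempt is None:
        raise PermissionError("unknown or already-used state")
    return attempt  # its code_verifier goes to the token endpoint


def nonce_matches(attempt: dict, id_token_nonce: str) -> bool:
    """Constant-time comparison of the ID token's nonce with the stored one."""
    expected = attempt["nonce"].encode("utf-8")
    return hmac.compare_digest(expected, id_token_nonce.encode("utf-8"))
```

With a real Django session, set request.session.modified = True after changing the nested dict, since Django only detects top-level assignments.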

Install

Requires Python 3.11+ and Django 4.2+.

uv add dbd-django-oidc-client            # or: pip install dbd-django-oidc-client
uv add "dbd-django-oidc-client[otel]"    # with OpenTelemetry

Quick start

# settings.py
INSTALLED_APPS += ["dbd.oidc_client"]

OIDC_CLIENT = {
    "discovery_url": env("OIDC_DISCOVERY_URL"),   # the provider's .well-known URL
    "client_id": env("OIDC_CLIENT_ID"),
    "client_secret": env("OIDC_CLIENT_SECRET"),
    # optional: "session": my_requests_session,
}

# urls.py
from django.urls import include, path

urlpatterns = [
    path("auth/", include("dbd.oidc_client.urls")),   # login/ callback/ logout/
]

The default callback keys users on email and owns no models. To link by (issuer, subject), override one method:

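from dbd.oidc_client.views import BaseOpenIDConnectCallbackView

# OpenIDProfile is a model your app defines and imports here;
# the library itself owns no models.


class CallbackView(BaseOpenIDConnectCallbackView):
    success_url = "home"

    def get_or_create_user_from_claims(self, claims):
        # Look up the link by (issuer, subject) instead of by email.
        profile, _ = OpenIDProfile.objects.get_or_create(
            issuer=claims.issuer, subject=claims.subject,
            defaults={"user": ...},  # the user to attach when the profile is new
        )
        return profile.user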

Extension points

| Where | What |
| --- | --- |
| OIDC_CLIENT setting | discovery URL, client id/secret, optional requests.Session |
| success_url | post-login redirect (a ?next= query param wins over it) |
| get_or_create_user_from_claims(claims) | the per-app user upsert |
| claims_class | swap in a provider-specific claims dataclass |
| auth_backend | the Django auth backend used for login() |
| scopes, session_namespace, redirect_uri_name | flow tuning |
| discovery_url / client_id / client_secret (view attrs) | per-view provider override (multi-IdP apps) |
| get_oauth_client() | override wholesale for an exotic client |

Development

uv sync --extra test
uv run pytest

License

MIT. Copyright (c) 2026 DBDrivenSolutions. See LICENSE.

Download files

Source Distribution

dbd_django_oidc_client-0.1.0.tar.gz (19.5 kB view details)

Uploaded Source

Built Distribution

dbd_django_oidc_client-0.1.0-py3-none-any.whl (16.8 kB view details)

Uploaded Python 3

File details

Details for the file dbd_django_oidc_client-0.1.0.tar.gz.

File metadata

  • Download URL: dbd_django_oidc_client-0.1.0.tar.gz
  • Size: 19.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for dbd_django_oidc_client-0.1.0.tar.gz
| Algorithm | Hash digest |
| --- | --- |
| SHA256 | c8fefe1348df33f1758984f6b1e3422a603fdb2e3af8aec71fc9ab5ce42b2e15 |
| MD5 | 836e819105600bbf58436cd232f8b00b |
| BLAKE2b-256 | 10e4e032235a8f346ffb033d63178f480bbcd374b385c3679e2f51a501af42df |

Provenance

The following attestation bundles were made for dbd_django_oidc_client-0.1.0.tar.gz:

Publisher: release.yml on DBDrivenOSS/dbd-django-oidc-client

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file dbd_django_oidc_client-0.1.0-py3-none-any.whl.

File hashes

Hashes for dbd_django_oidc_client-0.1.0-py3-none-any.whl
| Algorithm | Hash digest |
| --- | --- |
| SHA256 | d112b107584cf3504f9aeded06aec2ff5c7745f5cd6d81cf8741b8bd7200a0b3 |
| MD5 | efe77999fed4a24f99c670c5d688cf1f |
| BLAKE2b-256 | 93a6ee81f4b63890218340a84bdd18334adb2a87190237a660abde23eea95910 |

Provenance

The following attestation bundles were made for dbd_django_oidc_client-0.1.0-py3-none-any.whl:

Publisher: release.yml on DBDrivenOSS/dbd-django-oidc-client
