Reusable OpenID Connect relying party (authorization code + PKCE) for Django, backed by Authlib.

Project description

dbd-django-oidc-client

A small, reusable OpenID Connect relying party for Django. It implements the authorization-code flow with PKCE, state, and nonce, and provides class-based views you subclass per application.

Design

  • Owns no models. The library hands you validated claims and a hook; your app owns persistence.
  • Engine backed by Authlib + joserfc. PKCE (S256), the authorization request, and the code-for-token exchange use Authlib's OAuth2Session. The ID token's signature and OIDC claims (iss, aud, exp) are verified with joserfc and CodeIDToken, with signing algorithms pinned to an asymmetric allowlist.
  • One injectable HTTP session. Every provider call honors a single requests.Session, swappable via OIDC_CLIENT["session"]. Discovery and JWKS use it directly; the token exchange runs through Authlib's own OAuth2Session, so the library copies that session's transport (mounted adapters plus verify/cert/proxies/trust_env) onto it. A custom system trust store, proxy, or mTLS config thus applies to the token POST too, not just the GETs.
  • OpenTelemetry is optional. Install the otel extra to record a token-exchange counter and span; without it, no-op shims are used.
  • Safe across concurrent tabs. Logins are isolated by OAuth state, so two tabs do not clobber each other, and each attempt can be used only once.

Install

Requires Python 3.11+ and Django 4.2+.

uv add dbd-django-oidc-client            # or: pip install dbd-django-oidc-client
uv add "dbd-django-oidc-client[otel]"    # with OpenTelemetry

Quick start

# settings.py
INSTALLED_APPS += ["dbd.oidc_client"]

OIDC_CLIENT = {
    "discovery_url": env("OIDC_DISCOVERY_URL"),   # the provider's .well-known URL
    "client_id": env("OIDC_CLIENT_ID"),
    "client_secret": env("OIDC_CLIENT_SECRET"),
    # optional: "session": my_requests_session,
}

# urls.py
from django.urls import include, path

urlpatterns = [
    path("auth/", include("dbd.oidc_client.urls")),   # login/ callback/ logout/
]

The default callback keys users on email and owns no models. To link by (issuer, subject), override one method:

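from dbd.oidc_client.views import BaseOpenIDConnectCallbackView

# OpenIDProfile is your application's own model (the library owns no models);
# import it from wherever your app defines it.
class CallbackView(BaseOpenIDConnectCallbackView):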
    success_url = "home"

    def get_or_create_user_from_claims(self, claims):
        profile, _ = OpenIDProfile.objects.get_or_create(
            issuer=claims.issuer, subject=claims.subject,
            defaults={"user": ...},
        )
        return profile.user

Extension points

Where                                                     What
OIDC_CLIENT setting                                       discovery URL, client id/secret, optional requests.Session
success_url                                               post-login redirect (a ?next= query param wins over it)
get_or_create_user_from_claims(claims)                    the per-app user upsert
claims_class                                              swap in a provider-specific claims dataclass
auth_backend                                              the Django auth backend used for login()
scopes, session_namespace, redirect_uri_name              flow tuning
discovery_url / client_id / client_secret (view attrs)    per-view provider override (multi-IdP apps)
get_oauth_client()                                        override wholesale for an exotic client

Development

uv sync --extra test
uv run pytest

License

MIT. Copyright (c) 2026 DBDrivenSolutions. See LICENSE.

Download files

Source Distribution

dbd_django_oidc_client-0.1.1.tar.gz (22.1 kB view details)

Uploaded Source

Built Distribution

dbd_django_oidc_client-0.1.1-py3-none-any.whl (18.2 kB view details)

Uploaded Python 3

File details

Details for the file dbd_django_oidc_client-0.1.1.tar.gz.

File metadata

  • Download URL: dbd_django_oidc_client-0.1.1.tar.gz
  • Size: 22.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for dbd_django_oidc_client-0.1.1.tar.gz
Algorithm Hash digest
SHA256 5a1be062f3bc929b90c29041bfb6384a29090b76cffea34fceb3d13bad377615
MD5 7670226168718e4a558352db69d2e1aa
BLAKE2b-256 2dea483a2fef01f56b3df3371882a7b45ab4f1a83d2eca34886c285054d5bbad

Provenance

The following attestation bundles were made for dbd_django_oidc_client-0.1.1.tar.gz:

Publisher: release.yml on DBDrivenOSS/dbd-django-oidc-client

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file dbd_django_oidc_client-0.1.1-py3-none-any.whl.

File hashes

Hashes for dbd_django_oidc_client-0.1.1-py3-none-any.whl
Algorithm Hash digest
SHA256 7e88a79926ff4efa824fa99caa392ad5468463a0b56f7fab7f829481d181800e
MD5 85f837cbf744868735deeebda67fb27d
BLAKE2b-256 817fd37af07c956335f051450ad232739abee69639b9d1d5617adda56b4af311

Provenance

The following attestation bundles were made for dbd_django_oidc_client-0.1.1-py3-none-any.whl:

Publisher: release.yml on DBDrivenOSS/dbd-django-oidc-client

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
