Reusable OpenID Connect relying party (authorization code + PKCE) for Django, backed by Authlib.
Project description
dbd-django-oidc-client
A small, reusable OpenID Connect relying party for Django. It implements the
authorization-code flow with PKCE, state, and nonce, and provides class-based
views you subclass per application.
Design
- Owns no models. The library hands you validated claims and a hook; your app owns persistence.
- Engine backed by Authlib + joserfc. PKCE (S256), the authorization request, and the code-for-token exchange use Authlib's OAuth2Session. The ID token's signature and OIDC claims (iss, aud, exp) are verified with joserfc and CodeIDToken, with signing algorithms pinned to an asymmetric allowlist.
- One injectable HTTP session. Every provider call honors a single requests.Session, swappable via OIDC_CLIENT["session"]. Discovery and JWKS use it directly; the token exchange runs through Authlib's own OAuth2Session, so the library copies that session's transport (mounted adapters plus verify/cert/proxies/trust_env) onto it. A custom system trust store, proxy, or mTLS config thus applies to the token POST too, not just the GETs.
- OpenTelemetry is optional. Install the otel extra to record a token-exchange counter and span; without it, no-op shims are used.
- Safe across concurrent tabs. Logins are isolated by OAuth state, so two tabs do not clobber each other, and each attempt can be used only once.
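The state-keyed, single-use login attempts and the PKCE S256 challenge from the Design list, as an added example that is not the library's own code. A plain dict stands in for the Django session, and NAMESPACE, begin_login, consume_attempt and check_nonce are hypothetical names.

```python
import base64
import hashlib
import hmac
import secrets

NAMESPACE = "oidc_attempts"  # hypothetical session key, not the library's


def s256_challenge(verifier: str) -> str:
    """PKCE S256 (RFC 7636): BASE64URL(SHA256(verifier)), padding stripped."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def begin_login(session: dict, next_url: str = "/") -> dict:
    """Record one attempt under a fresh state; return the request parameters."""
    state = secrets.token_urlsafe(32)
    attempt = {
        "nonce": secrets.token_urlsafe(32),
        "code_verifier": secrets.token_urlsafe(64),  # 86 chars, allowed: 43..128
        "next": next_url,
    }
    # Keyed by state: a second tab adds an entry instead of overwriting the first.
    # With a real Django session, also set session.modified = True here.
    session.setdefault(NAMESPACE, {})[state] = attempt
    return {
        "state": state,
        "nonce": attempt["nonce"],
        "code_challenge": s256_challenge(attempt["code_verifier"]),
        "code_challenge_method": "S256",
    }


def consume_attempt(session: dict, state: str) -> dict:
    """Remove and return the attempt for `state`; a replayed state finds nothing."""
    attempt = session.get(NAMESPACE, {}).pop(state, None)
    if attempt is None:
        raise PermissionError("unknown or already-used state")
    return attempt  # its code_verifier goes into the token request


def check_nonce(attempt: dict, id_token_nonce: str) -> None:
    """Bind the verified ID token to this attempt (constant-time compare)."""
    if not hmac.compare_digest(attempt["nonce"].encode(), id_token_nonce.encode()):
        raise PermissionError("ID token nonce does not match this attempt")
```

Because the attempt is popped before the token exchange, a callback URL replayed from browser history or a proxy log fails at the state lookup and never reaches the provider.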
Install
Requires Python 3.11+ and Django 4.2+.
uv add dbd-django-oidc-client # or: pip install dbd-django-oidc-client
uv add "dbd-django-oidc-client[otel]" # with OpenTelemetry
Quick start
# settings.py
INSTALLED_APPS += ["dbd.oidc_client"]
OIDC_CLIENT = {
    "discovery_url": env("OIDC_DISCOVERY_URL"),  # the provider's .well-known URL
    "client_id": env("OIDC_CLIENT_ID"),
    "client_secret": env("OIDC_CLIENT_SECRET"),
    # optional: "session": my_requests_session,
}

# urls.py
from django.urls import include, path

urlpatterns = [
    path("auth/", include("dbd.oidc_client.urls")),  # login/ callback/ logout/
]
The default callback keys users on email and owns no models. To link by
(issuer, subject), override one method:
from dbd.oidc_client.views import BaseOpenIDConnectCallbackView

# OpenIDProfile is your application's own model linking (issuer, subject) to a user.
class CallbackView(BaseOpenIDConnectCallbackView):
    success_url = "home"

    def get_or_create_user_from_claims(self, claims):
        # Look the user up by the stable (issuer, subject) pair instead of email.
        profile, _ = OpenIDProfile.objects.get_or_create(
            issuer=claims.issuer, subject=claims.subject,
            defaults={"user": ...},
        )
        return profile.user
Extension points
| Where | What |
|---|---|
| OIDC_CLIENT setting | discovery URL, client id/secret, optional requests.Session |
| success_url | post-login redirect (a ?next= query param wins over it) |
| get_or_create_user_from_claims(claims) | the per-app user upsert |
| claims_class | swap in a provider-specific claims dataclass |
| auth_backend | the Django auth backend used for login() |
| scopes, session_namespace, redirect_uri_name | flow tuning |
| discovery_url / client_id / client_secret (view attrs) | per-view provider override (multi-IdP apps) |
| get_oauth_client() | override wholesale for an exotic client |
Development
uv sync --extra test
uv run pytest
License
MIT. Copyright (c) 2026 DBDrivenSolutions. See LICENSE.
File details
Details for the file dbd_django_oidc_client-0.1.1.tar.gz.
File metadata
- Download URL: dbd_django_oidc_client-0.1.1.tar.gz
- Upload date:
- Size: 22.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
Provenance
The following attestation bundles were made for dbd_django_oidc_client-0.1.1.tar.gz:
Publisher: release.yml on DBDrivenOSS/dbd-django-oidc-client
- Statement:
  - Statement type: https://in-toto.io/Statement/v1
  - Predicate type: https://docs.pypi.org/attestations/publish/v1
  - Subject name: dbd_django_oidc_client-0.1.1.tar.gz
  - Subject digest: 5a1be062f3bc929b90c29041bfb6384a29090b76cffea34fceb3d13bad377615
- Sigstore transparency entry: 2012955074
- Sigstore integration time:
- Permalink: DBDrivenOSS/dbd-django-oidc-client@703ae79f42be7bb9e7d4b58e6c8f1ed82a6c7cde
- Branch / Tag: refs/tags/v0.1.1
- Owner: https://github.com/DBDrivenOSS
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: release.yml@703ae79f42be7bb9e7d4b58e6c8f1ed82a6c7cde
- Trigger Event: release
File details
Details for the file dbd_django_oidc_client-0.1.1-py3-none-any.whl.
File metadata
- Download URL: dbd_django_oidc_client-0.1.1-py3-none-any.whl
- Upload date:
- Size: 18.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
Provenance
The following attestation bundles were made for dbd_django_oidc_client-0.1.1-py3-none-any.whl:
Publisher: release.yml on DBDrivenOSS/dbd-django-oidc-client
- Statement:
  - Statement type: https://in-toto.io/Statement/v1
  - Predicate type: https://docs.pypi.org/attestations/publish/v1
  - Subject name: dbd_django_oidc_client-0.1.1-py3-none-any.whl
  - Subject digest: 7e88a79926ff4efa824fa99caa392ad5468463a0b56f7fab7f829481d181800e
- Sigstore transparency entry: 2012955326
- Sigstore integration time:
- Permalink: DBDrivenOSS/dbd-django-oidc-client@703ae79f42be7bb9e7d4b58e6c8f1ed82a6c7cde
- Branch / Tag: refs/tags/v0.1.1
- Owner: https://github.com/DBDrivenOSS
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: release.yml@703ae79f42be7bb9e7d4b58e6c8f1ed82a6c7cde
- Trigger Event: release