Skip to main content

Authentication utils for Django

Project description

CI Status Documentation Status

authlib is a collection of authentication utilities for implementing passwordless authentication. This is achieved by either sending cryptographically signed links by email, or by fetching the email address from third party providers such as Google, Facebook and Twitter. After all, what’s the point in additionally requiring a password for authentication when the password can be easily resetted on most websites when an attacker has access to the email address?

Goals

  • Stay small, simple and extensible.

  • Offer tools and utilities instead of imposing a framework on you.

Usage

  • Install django-authlib using pip into your virtualenv.

  • Add authlib.backends.EmailBackend to AUTHENTICATION_BACKENDS.

  • Adding authlib to INSTALLED_APPS is optional and only useful if you want to use the bundled translation files. There are no required database tables or anything of the sort.

  • Have a user model which has a email field named email as username. For convenience a base user model and manager are available in the authlib.base_user module, BaseUser and BaseUserManager. The BaseUserManager is automatically available as objects when you extend the BaseUser.

  • Use the bundled views or write your own. The bundled views give feedback using django.contrib.messages, so you may want to check that those messages are visible to the user.

The Google, Microsoft, Facebook and Twitter OAuth clients require the following settings:

  • GOOGLE_CLIENT_ID

  • GOOGLE_CLIENT_SECRET

  • MICROSOFT_CLIENT_ID

  • MICROSOFT_CLIENT_SECRET

  • FACEBOOK_CLIENT_ID

  • FACEBOOK_CLIENT_SECRET

  • TWITTER_CLIENT_ID

  • TWITTER_CLIENT_SECRET

Note that you have to configure the Twitter app to allow email access, this is not enabled by default.

Use of bundled views

The following URL patterns are an example for using the bundled views. For now you’ll have to dig into the code (it’s not much, at the time of writing django-authlib’s Python code is less than 500 lines):

from django.conf.urls import url
from authlib import views
from authlib.facebook import FacebookOAuth2Client
from authlib.google import GoogleOAuth2Client
from authlib.microsoft import MicrosoftOAuth2Client
from authlib.twitter import TwitterOAuthClient

urlpatterns = [
    url(
        r"^login/$",
        views.login,
        name="login",
    ),
    url(
        r"^oauth/facebook/$",
        views.oauth2,
        {
            "client_class": FacebookOAuth2Client,
        },
        name="accounts_oauth_facebook",
    ),
    url(
        r"^oauth/google/$",
        views.oauth2,
        {
            "client_class": GoogleOAuth2Client,
        },
        name="accounts_oauth_google",
    ),
    url(
        r"^oauth/microsoft/$",
        views.oauth2,
        {
            "client_class": MicrosoftOAuth2Client,
        },
        name="accounts_oauth_microsoft",
    ),
    url(
        r"^oauth/twitter/$",
        views.oauth2,
        {
            "client_class": TwitterOAuthClient,
        },
        name="accounts_oauth_twitter",
    ),
    url(
        r"^email/$",
        views.email_registration,
        name="email_registration",
    ),
    url(
        r"^email/(?P<code>[^/]+)/$",
        views.email_registration,
        name="email_registration_confirm",
    ),
    url(
        r"^logout/$",
        views.logout,
        name="logout",
    ),
]

Admin OAuth2

The authlib.admin_oauth app allows using Google or Microsoft OAuth2 to allow all users with the same email domain to authenticate for Django’s administration interface. You have to use authlib’s authentication backend (EmailBackend) for this.

Installation is as follows:

  • Follow the steps in the “Usage” section above.

  • Add authlib.admin_oauth to your INSTALLED_APPS before django.contrib.admin, so that our login template is picked up.

  • Add GOOGLE_CLIENT_ID and GOOGLE_CLIENT_SECRET to your settings as described above.

  • Add a ADMIN_OAUTH_PATTERNS setting. The first item is the domain, the second the email address of a staff account. If no matching staff account exists, authentication fails:

ADMIN_OAUTH_PATTERNS = [
    (r"@example\.com$", "admin@example.com"),
]
  • Add an entry to your URLconf:

urlpatterns = [
    url(r"", include("authlib.admin_oauth.urls")),
    # ...
]
  • Add https://yourdomain.com/admin/__oauth__/ as a valid redirect URI in your Google developers console.

Please note that the authlib.admin_oauth.urls module assumes that the admin site is registered at /admin/. If this is not the case you can integrate the view yourself under a different URL.

It is also allowed to use a callable instead of the email address in the ADMIN_OAUTH_PATTERNS setting; the callable is passed the result of matching the regex. If a resulting email address does not exist, authentication (of course) fails:

ADMIN_OAUTH_PATTERNS = [
    (r"^.*@example\.org$", lambda match: match[0]),
]

If a pattern succeeds but no matching user with staff access is found processing continues with the next pattern. This means that you can authenticate users with their individual accounts (if they have one) and fall back to an account for everyone having a Google email address on your domain:

ADMIN_OAUTH_PATTERNS = [
    (r"^.*@example\.org$", lambda match: match[0]),
    (r"@example\.com$", "admin@example.com"),
]

You could also remove the fallback line; in this case users can only authenticate if they have a personal staff account.

Little Auth

The authlib.little_auth app contains a basic user model with email as username that can be used if you do not want to write your own user model but still profit from authlib’s authentication support.

Usage is as follows:

  • Add authlib.little_auth to your INSTALLED_APPS

  • Set AUTH_USER_MODEL = "little_auth.User"

  • Optionally also follow any of the steps above.

Email Registration

For email registration to work, two templates are needed:

  • registration/email_registration_email.txt

  • registration/email_registration.html

A starting point would be:

email_registration_email.txt:

Subject (1st line)

Body (3rd line onwards)
{{ url }}
...

email_registration.html:

{% if messages %}
<ul class="messages">
    {% for message in messages %}
    <li{% if message.tags %} class="{{ message.tags }}"{% endif %}>
        {% if message.level == DEFAULT_MESSAGE_LEVELS.ERROR %}Important: {% endif %}
        {{ message }}
    </li>
    {% endfor %}
</ul>
{% endif %}

{% if form.errors and not form.non_field_errors %}
<p class="errornote">
    {% if form.errors.items|length == 1 %}
    {% translate "Please correct the error below." %}
    {% else %}
    {% translate "Please correct the errors below." %}
    {% endif %}
</p>
{% endif %}

{% if form.non_field_errors %}
{% for error in form.non_field_errors %}
<p class="errornote">
    {{ error }}
</p>
{% endfor %}
{% endif %}

<form action='{% url "email_registration" %}' method="post" >
    {% csrf_token %}
    <table>
        {{ form }}
    </table>
    <input type="submit" value="login">
</form>

The above template is inspired from:

More details are documented in the relevant module.

Roles

authlib.roles provides a lightweight role-based permission system for staff users. Instead of assigning individual Django permissions to each staff member, you define named roles in AUTHLIB_ROLES and attach a permission-checking callback to each role.

RoleField is a CharField that stores the role on the user model and hooks into Django’s permission system. authlib.little_auth.User already includes a role = RoleField() field, so if you use Little Auth you only need to configure the setting.

Setup

Add authlib.backends.PermissionsBackend to AUTHENTICATION_BACKENDS, before any backend that checks database-level permissions (such as ModelBackend or EmailBackend):

AUTHENTICATION_BACKENDS = [
    "authlib.backends.PermissionsBackend",
    "authlib.backends.EmailBackend",   # or any other auth backend
]

PermissionsBackend routes has_perm() calls to the role callback injected by RoleField. It also implements get_all_permissions() by iterating every permission in the database through the callback, which is what drives the Django admin’s per-app sidebar visibility.

PermissionsBackend must come first for two reasons: it avoids an unnecessary database query when the role callback already has an answer, and it ensures that deny patterns cannot be bypassed by a database-level permission grant that would otherwise short-circuit the check.

Configuration

Add AUTHLIB_ROLES to your settings. Each key is a role identifier; each value is a dict with at minimum a "title" (used as the human-readable choice label) and optionally a "callback" function:

from functools import partial
from django.utils.translation import gettext_lazy as _
from authlib.roles import allow_deny_globs

AUTHLIB_ROLES = {
    "default": {
        "title": _("Default"),
        # No callback → no extra permissions beyond Django's own checks
    },
    "readonly": {
        "title": _("Read-only"),
        # Grant all view permissions, nothing else
        "callback": partial(allow_deny_globs, allow={"*.view_*"}),
    },
    "editor": {
        "title": _("Editor"),
        # Grant everything except user/auth management
        "callback": partial(
            allow_deny_globs,
            allow={"*"},
            deny={"auth.*", "little_auth.*", "admin_sso.*"},
        ),
    },
    "support": {
        "title": _("Support"),
        # Grant all permissions
        "callback": partial(allow_deny_globs, allow={"*"}),
    },
}

The callback receives three keyword arguments: user, perm, and obj. It should return True to grant the permission, raise django.core.exceptions.PermissionDenied to explicitly deny it, or return a falsy value to let Django’s normal permission checks continue.

When only one role is defined the RoleField renders as a hidden input in forms, so you can add the field to existing models without cluttering the UI.

allow_deny_globs

authlib.roles.allow_deny_globs is a ready-made callback that matches the permission string ("app_label.codename") against two lists of fnmatch-style glob patterns:

  • deny – patterns checked first; a match raises PermissionDenied.

  • allow – patterns checked second; a match grants the permission.

Use functools.partial to bind the pattern lists, as shown above.

Because permissions are matched by glob rather than enumerated explicitly, roles automatically cover new models as they are added. For example, an "editor" role with allow={"cms.*"} will grant access to every new CMS plugin model without any manual permission assignment.

Adding RoleField to a custom user model

If you are not using Little Auth, add the field to your own user model:

from authlib.roles import RoleField

class MyUser(AbstractBaseUser, ...):
    role = RoleField()

Then run makemigrations. The field’s deconstruct method omits the choices from the migration so that adding or renaming roles does not require a new migration.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

django_authlib-0.18.0.tar.gz (19.8 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

django_authlib-0.18.0-py3-none-any.whl (31.1 kB view details)

Uploaded Python 3

File details

Details for the file django_authlib-0.18.0.tar.gz.

File metadata

  • Download URL: django_authlib-0.18.0.tar.gz
  • Upload date:
  • Size: 19.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for django_authlib-0.18.0.tar.gz
Algorithm Hash digest
SHA256 136e0d0a41a5b7a37e9c1d2b76734528b936508b50b4c56073cd040f45cc8586
MD5 a6e73caed68b94ef07268a0829d3a0ae
BLAKE2b-256 baceaa5814e97996437e5065e0f8420bd40c336ded894ebf4335d68f451d5d44

See more details on using hashes here.

Provenance

The following attestation bundles were made for django_authlib-0.18.0.tar.gz:

Publisher: publish.yml on feincms/django-authlib

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file django_authlib-0.18.0-py3-none-any.whl.

File metadata

File hashes

Hashes for django_authlib-0.18.0-py3-none-any.whl
Algorithm Hash digest
SHA256 b3d40ca0bd828c8888167d8c20ab8fb7cdc439755deb9e873d6ab70cc03e2f4c
MD5 38cf2d4f58189f00950edace60f65e90
BLAKE2b-256 54e7cc80c460036d19ed16d6396bca14d8caee3ac2c520ee89f0cf1b63d2a699

See more details on using hashes here.

Provenance

The following attestation bundles were made for django_authlib-0.18.0-py3-none-any.whl:

Publisher: publish.yml on feincms/django-authlib

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page