Easily add Google SSO login to Django Admin
Welcome to Django Google SSO
This library aims to simplify the process of authenticating users with Google in Django Admin pages, inspired by libraries like django_microsoft_auth and django-admin-sso.
Why another library?
- This library aims for simplicity and ease of use. django-allauth is the de facto solution for authentication in Django, but it adds lots of boilerplate, especially the HTML templates. Django-Google-SSO just adds the "Login with Google" button to the default login page.
- django-admin-sso is a good solution, but it uses a deprecated google auth2client version.
Install
$ pip install django-google-sso
Versions
For django 4.x use version 2.x
For django 3.x use version 1.x
Configuration
- Add the following to your settings.py INSTALLED_APPS:
INSTALLED_APPS = [
    # other django apps
    "django.contrib.messages",  # Need for Auth messages
    "django.contrib.sites",  # Add Sites framework
    "django_google_sso",  # Add django_google_sso
]
- In Google Console at Api -> Credentials, retrieve your Project Credentials and add them in your settings.py:
GOOGLE_SSO_CLIENT_ID = "your client id here"
GOOGLE_SSO_PROJECT_ID = "your project id here"
GOOGLE_SSO_CLIENT_SECRET = "your client secret here"
- Add the default site and allowed domains to auto-create users:
SITE_ID = 1 # Optional, just add if you want to use sites without request.
GOOGLE_SSO_ALLOWABLE_DOMAINS = ["example.com"]
- In urls.py please add the Django-Google-SSO views:
from django.urls import include, path

urlpatterns = [
    # other urlpatterns...
    path(
        "google_sso/", include("django_google_sso.urls", namespace="django_google_sso")
    ),
]
- In Google Console at Api -> Credentials -> Oauth2 Client, please add the Django-Google-SSO callback url, using this format: https://your-domain.com/google_sso/callback/, where your-domain.com is the domain you defined in Django Sites Framework. For example, if you change your Site object domain to localhost:8000, then your callback must be http://localhost:8000/google_sso/callback/.
- Run migrations:
$ python manage.py migrate
How Django-Google-SSO works
First, the user is redirected to the Django login page. If the GOOGLE_SSO_ENABLED setting is True, the "Login with Google" button is added to the default form.
On click, Django-Google-SSO adds the next_path and the Google Flow state to the current session. This session expires in 10 minutes. The user is then redirected to the Google login page.
On callback, Django-Google-SSO checks the code and state received. If they are valid, Google's UserInfo is retrieved. If the user is already registered in Django, the user is logged in.
Otherwise, the user is created and logged in, provided their email domain matches one of the GOOGLE_SSO_ALLOWABLE_DOMAINS. On creation only, this user can be given staff or superuser status, if their email is in GOGGLE_SSO_STAFF_LIST or GOGGLE_SSO_SUPERUSER_LIST respectively.
Please note that if you add an email to one of these lists, the email domain must be added to GOOGLE_SSO_ALLOWABLE_DOMAINS too.
The resulting login session expires in 1 hour, or the time defined, in seconds, in GOOGLE_SSO_SESSION_COOKIE_AGE.
The browser is redirected to next_path if the operation succeeds, or to the login page if it fails.
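The callback decisions described above, modelled in plain Python as an added example; this is not the library's own code. The session and user store are plain dicts, the key names and function names are hypothetical, and userinfo stands in for what Google returns once the code has been exchanged.

```python
import hmac
import secrets
import time

STATE_TTL = 600  # the 10-minute pre-login session lifetime stated above
ALLOWABLE_DOMAINS = ["example.com"]             # GOOGLE_SSO_ALLOWABLE_DOMAINS
STAFF_LIST = ["email@example.com"]              # GOGGLE_SSO_STAFF_LIST
SUPERUSER_LIST = ["another-email@example.com"]  # GOGGLE_SSO_SUPERUSER_LIST
LOGIN_PAGE = "/admin/login/"                    # assumed login URL


def start_login(session, next_path, now=None):
    """'On click': store next_path and a fresh random state in the session."""
    now = time.time() if now is None else now
    session["sso_state"] = secrets.token_urlsafe(32)
    session["sso_next_path"] = next_path
    session["sso_expires"] = now + STATE_TTL
    return session["sso_state"]


def handle_callback(session, users, code, state, userinfo, now=None):
    """'On callback': return (user, redirect); user is None when refused."""
    now = time.time() if now is None else now
    expected = session.pop("sso_state", None)  # popped, so a state works once
    next_path = session.pop("sso_next_path", LOGIN_PAGE)
    expires = session.pop("sso_expires", 0)
    if not code or not state or expected is None or now > expires:
        return None, LOGIN_PAGE
    # Constant-time comparison of the returned state with the stored one.
    if not hmac.compare_digest(state.encode(), expected.encode()):
        return None, LOGIN_PAGE
    email = userinfo["email"].strip().lower()
    if email in users:  # already registered: logged in, flags left untouched
        return users[email], next_path
    domain = email.rpartition("@")[2]
    if domain not in ALLOWABLE_DOMAINS:  # exact match: evil-example.com fails
        return None, LOGIN_PAGE
    users[email] = {  # staff/superuser flags are decided on creation only
        "email": email,
        "is_staff": email in STAFF_LIST,
        "is_superuser": email in SUPERUSER_LIST,
    }
    return users[email], next_path


if __name__ == "__main__":
    sess, db = {}, {}  # constructed sample session and user store
    st = start_login(sess, "/admin/app/")
    print(handle_callback(sess, db, "sample-code", st, {"email": "email@example.com"}))
```

Because the stored state is removed on first use, replaying the same callback URL is refused even inside the 10-minute window.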
Further customization
Please add the following variables to your settings.py:
GOOGLE_SSO_ENABLED = True  # default value
GOOGLE_SSO_SESSION_COOKIE_AGE = 3600  # default value
# Mark as True, to add superuser status to first user
# created with email domain in `GOOGLE_SSO_ALLOWABLE_DOMAINS`
GOGGLE_SSO_AUTO_CREATE_FIRST_SUPERUSER = True
GOGGLE_SSO_STAFF_LIST = ["email@example.com"]
GOGGLE_SSO_SUPERUSER_LIST = ["another-email@example.com"]
GOOGLE_SSO_TIMEOUT = 10  # Time before timeout Google requests. Default value: 10 seconds
GOOGLE_SSO_SCOPES = [  # Google default scope
    "openid",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
]
Running behind a Reverse Proxy
Please make sure you're passing the correct X-Forwarded-Proto header.
Using the login_required decorator
To use the login_required decorator, or its Class Based View equivalent, you can redirect the accounts/login route to the modified login form page by adding this to your urls.py:
from django.contrib.auth.views import LoginView
from django.urls import re_path  # django.conf.urls.url was removed in Django 4.0

urlpatterns = [
    re_path(
        r"^accounts/login/$",
        LoginView.as_view(
            template_name="admin_sso/login.html"  # The modified form with google button
        ),
    ),
]
Example App
To test this library please check the Example App provided here.
Not working?
Don't panic. Get a towel and, please, open an issue.
Hashes for django_google_sso-2.0.0-py3-none-any.whl
Algorithm | Hash digest
---|---
SHA256 | 20184f61717081a8cede4a4837f97b850243d8d77f691488721bbc347768a049
MD5 | 13864441b3c91bb28a0b570fd05ee3bc
BLAKE2b-256 | 7869c272589b80b19aa86434d8730457da5aa8b41764ae85e4cee1581f8cc9fe