Password-less authentication: login by clicking on a magic link received by email.
Django Magicauth brings password-less authentication to your project.
How it works
- The user inputs their email address (and optionnally an OTP).
- An email is sent to the user with a link that contains a one-time token.
- Once they click on this link, they are logged in to the service.
For a detailed step-by-step with screenshots of the default templates, see Step-by-step in pictures.
Authentifiez vos utilisateurs sans mot de passe avec Django Magicauth.
Comment ça marche
- Les utilisateurs renseignent leur adresse email (et en option un OTP).
- Ils reçoivent alors un email avec un lien de connexion.
- Lorsqu'ils cliquent sur le lien, ils sont authentifiés et redirigés sur le service.
Pour un détail du fonctionnement en image, voir le déroulé en images.
Installations and testing instructions
- Install Magicauth
pip install git+https://github.com/betagouv/django-magicauth.git
- Add "magicauth" to your INSTALLED_APPS in
INSTALLED_APPS = [ # all your apps "magicauth", ]
- Include the magicauth URLconf in your app's
# After your previous imports from magicauth import views as magicauth_views from magicauth.urls import urlpatterns as magicauth_urls urlpatterns = [ # here are your URL patterns ] urlpatterns.extend(magicauth_urls)
- Add the following items in your project's settings.py`
MAGICAUTH_FROM_EMAIL = 'firstname.lastname@example.org' MAGICAUTH_LOGGED_IN_REDIRECT_URL_NAME = 'home'
python manage.py migrateto create the polls models.
Make sure you have the following middlewares
MIDDLEWARE = [ # [...] other middleware you may have "django.contrib.sessions.middleware.SessionMiddleware", "django.contrib.messages.middleware.MessageMiddleware", "django.contrib.auth.middleware.AuthenticationMiddleware", "django.contrib.sites.middleware.CurrentSiteMiddleware", ]
Two-Factor Authentication (2FA) using One Time Passwords (OTP)
Two-Factor Authentication means you ask for two different passwords from your user : their normal password and an OTP. (See https://en.wikipedia.org/wiki/Multi-factor_authentication) They will get the magic link only if the two are valid, else they get an error and the link is not sent.
What is a OTP ? It is a short code (6 to 8 digits), usually generated by a dedicated app on a user's device (smartphone, hardware). See https://en.wikipedia.org/wiki/Time-based_One-time_Password_algorithm
How to enable OTPs
We use the django-otp package. You must have it installed and configured in your project.
- install django_otp :
pip install django_otp(or whatever package manager you use)
- add the required apps in INSTALLED_APPS :
- run the migrations in your project :
python manage.py migrate
MAGICAUTH_ENABLE_2FA = Truein your settings.py
If you use the default login template, an OTP input will show up in the login page, below the Email. (To check your install has worked, you can revert to the default template and see if the field appears : remove your MAGICAUTH_LOGIN_VIEW_TEMPLATE var.)
If you have a custom login template, you will have to add the field for entering OTPs, in an
OTP_form. See the default login template for an example : templates/magicauth/login.html`
For testing purposes, you can generate OTPs for a given user from the command line :
- Add 'django_otp.plugins.otp_static' to INSTALLED_APPS.
- Then you can use addstatictoken from command line. E.g :
python manage.py addstatictoken -t 123456 "email@example.com"
Contribute to Magicauth
To contribute to Magicauth, you can install the package in the "editable" mode
pip uninstall django-magicauth # just in case... pip install -e git+https://github.com/betagouv/django-magicauth.git#egg=django-magicauth
You can also install a specific branch, for instance for testing a PR. To install branch
pip install -e git+https://github.com/betagouv/django-magicauth.git@my-branch#egg=django-magicauth
Django-magicauth is now a dependency of your project, and you can edit the code located here:
Create a virtual env for the project or reuse one and source it.
Install dependencies and run
cd src/django-magicauth pip install -r requirements.txt tox
Projects using Magicauth
Join us !
Step-by-step in pictures
Note : the screenshots below use the default templates, which don't look very nice. It is expected that you replace them with your own better-looking ones.
Step 1 : the user goes to the login page. (see
Step 2 : The user inputs their email address in the login page.
Step 3 : The user sees a confirmation page (
EmailSentView), explaining that an email has been sent.
An email is sent to the user with a link that contains a one-time token.
The link looks something like this :
Step 4 : once they click on the button and follow the link, the user is directed to a wait page (this is optional) (
Step 5 : the user is logged in to the service (
ValidateTokenView) and redirected to the landing page.
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Hashes for django_magicauth-0.11-py3-none-any.whl