Utilities for passwordless authentication (using magic links, Google, Facebook and Twitter OAuth currently)
Home Page: https://django-authlib.readthedocs.io/
License: MIT License
Is it in the future scope of the project to allow the generation of magic links that unlock only one view, instead of entirely logging a user in?
I've set up django-authlib for django-admin as per the documentation, but unfortunately I keep getting the error "Error while fetching user data. Please try again" when logging in.
I am the admin of the GCP project where the Oauth2 client is set up and it all works with my front end application.
Any ideas on what could be going on here?
Some small details, in case they impact this problem:
settings.py
INSTALLED_APPS = [
"authlib.admin_oauth", # keep before django.contrib.admin
...
]
...
# Django Admin SSO
GOOGLE_CLIENT_ID = os.environ.get("GOOGLE_SSO_CLIENT")
GOOGLE_CLIENT_SECRET = os.environ.get("GOOGLE_SSO_SECRET")
# patterns for .*@my-domain.com
ADMIN_OAUTH_PATTERNS = [
(r"^.*@my\-domain\.com$", lambda match: match[0]),
(r"^.*@my\-domain\.com$", "[email protected]"),
]
...
urls.py
...
urlpatterns = [
url(r"", include("authlib.admin_oauth.urls")),
path("admin/", admin.site.urls),
...
]
Oauth2 set up
Console output (anonymised, of course)
[23/May/2022 14:59:19] "GET /admin/__oauth__/?next= HTTP/1.1" 302 0
app_1 | [23/May/2022 14:59:21] "GET /admin/__oauth__/?state=XXXXXXXXXXXXX&code=VVVVVVVVVVVVVVVVVVVVVVVVVVVV-VS-AAAAA-CCCCCCCCCCCCCCCCCCCCCCC_CA&scope=email%20profile%20openid%20https://www.googleapis.com/auth/userinfo.email%20https://www.googleapis.com/auth/userinfo.profile&authuser=0&hd=my-domain.com&prompt=consent HTTP/1.1" 302 0
app_1 | [23/May/2022 14:59:21] "GET /admin/login/ HTTP/1.1" 200 2794
I would like to add a flag to the session like request.session["is_sso"] to indicate to other parts of my app that the user's session was established via SSO.
In order to support this feature, you could simply add a flag to the request that tells us that it was authenticated via SSO or via username/password.
This would allow us to use a django signal on login to then set the field.
Another option is to add ability to pass an on_logged_in callback so users of your library can modify the session immediately on establishment with arbitrary logic.
... by providing your own email_login helper.
I guess I must continue my quest to get SSO set up :)
Unfortunately it seems I still can't get it to work. I tried creating users as I intend to do (no password) as well as with password - neither of them get to log in. The error is "No matching staff users for email address '[email protected]'
I tested it a bit and the problem seems to be on this line:
user_mail has the correct value, but user is set to None.
My app set up:
User model under a specific django app (core)
core/models.py
from django.db import models
from django.contrib.auth.models import (
AbstractBaseUser,
PermissionsMixin,
)
from core.managers import UserManager
class User(AbstractBaseUser, PermissionsMixin):
"""Custom user model that supports using login with
email instead of username"""
username = models.CharField(default="", max_length=255)
email = models.EmailField(unique=True, max_length=255)
archived = models.BooleanField(default=False)
is_active = models.BooleanField(default=True)
is_staff = models.BooleanField(default=False)
created_at = models.DateTimeField(auto_now_add=True)
updated_at = models.DateTimeField(auto_now=True)
objects = UserManager()
EMAIL_FIELD = "email"
USERNAME_FIELD = "email"
REQUIRED_FIELDS = ["username"]
class Meta:
verbose_name = "user"
verbose_name_plural = "users"
def __str__(self):
return f"{self.email} - {self.username}"
core/managers.py
from django.contrib.auth.models import BaseUserManager
class UserManager(BaseUserManager):
def create_user(self, email, username, password=None, **kwargs):
"""To create user using custom fields"""
if not email:
raise ValueError("Invalid Email!!")
user = self.model(
email=self.normalize_email(email), username=username, **kwargs
)
if password is None:
user.set_unusable_password()
else:
user.set_password(password)
user.save(using=self._db)
return user
def create_superuser(self, email, username, password):
"""To create superuser using custom fields"""
user = self.create_user(email=email, username=username, password=password)
user.is_staff = True
user.is_superuser = True
user.is_active = True
user.save(using=self._db)
return user
ADMIN_OAUTH_PATTERNS = [
(r"^.*@my\-domain\.com$", lambda match: match[0]),
(r"@my\-domain\.com$", "[email protected]"),
]
Hi, I found your package django-authlib has a conflict with https://github.com/lepture/authlib
Your package is registered as django-authlib (I do want this package name too) on PyPI, but the module name is authlib, which has conflict with my package. Would you consider rename it to django_authlib?
BTW, consider using authlib to power your library, it has a simple built-in Django support: https://docs.authlib.org/en/latest/client/frameworks.html#module-authlib.django.client
the first thing we do when configuring a django app is to rename the "/admin/" url to something else, like "/company-admin" or somthing less obvious. It seems like django-authlib is hard-wired to the "admin" path.
I don't see any use in allow users to forward their magic links and exposing this larger security hole.
It would be nice if the library stored a cookie on the client when they request a magic link and when logging it, it can check to ensure the cookie is there, if not, the login attempt fails.
I receive this error:
django.template.exceptions.TemplateDoesNotExist: registration/login.html
from the following line:
django-authlib/authlib/views.py
Line 82 in 0c49aa7
Are the templates missing?
Why is this not using ModelBackend as the base class - https://github.com/matthiask/django-authlib/blob/master/authlib/backends.py#L5
I encountered permission issues with this when the user is not a superuser. Particularly because EmailBackend does not implement has_module_perms. None of the permissions would work.
On extending ModelBackend, it worked fine for me
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google โค๏ธ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.