OAuth Authentication in Django with social-auth
During the development of my last django project I had to provide user authentication with Google accounts. To achieve this, I used the social-app-django library that implements an authentication/registration mechanism which supports several auth providers and protocols like OAuth (version 1 and 2) or OpenId.
A quick recap about OAuth
To provide user authentication Google supports several protocols including OAuth 2. OAuth is an open protocol that provides secure authorization for web, mobile and desktop applications in a simple and standard way. The protocol relies on a trusted third party to establish the authentication process. It grants client access to a resource delegating the authorization process to an external authorization server with the approval of the resource owner.
In this diagram you can see how it works:
A complete guide about how to use this protocol to access Google APIs is available here.
In this post, we’ll build a simple blog application using the OAuth protocol to provide user authentication with Google accounts.
Let’s go!
1. Installing the library
As a first step, we must install and enable the social-auth-app-django library in our django project. We can install this library using either pip or pipenv according to our environment/personal preferences.
If we choose pip:
pip install social-auth-app-djangoor if we use pipenv:
pipenv install social-auth-app-djangoOnce the library has been installed, we must add the app to the INSTALLED_APPS list in the project settings file using the social_django identifier:
2. Adding the Google OAuth2 authentication backend
As mentioned earlier, we’re going to use Google accounts to establish the authentication, so we’ll need to add the Google OAuth2 backend to the list of authentication backends. Also, we have to include explicitly the default model authentication backend in order to continue using the django admin site using local accounts:
3. Configuring the Google Authentication API
Once we added the backend, we must configure it to be used in the application. To perform this task, we go to the Google Developers Console and, once there, we navigate to the Credentials section in the left menu. A dialog will be displayed to either select or create a project. At this time we still don’t have any project, so we’ll choose the second option to create it.
Now we need to perform the following tasks:
- Give a descriptive name to the project. It will help us to keep things clean when managing several applications.
- Create the credentials selecting OAuth client ID in the Create Credentials menu.
- Select Web application and fill the required data. The Authorized redirect URIs are used by the Google Authentication Backend in order to redirect the users to the application again once the authentication is performed.
- Click on Create button and a key and a secret will be generated. We’ll need these parameters in the next step.
Google includes authentication with OAuth 2 through its Google + API, so we need to enable it. Go to APIs & Services and click on Enable APIs and Services button. Then, search for Google+ API and enable it.
4. Configuring the project in the backend
Now it’s time to configure the authentication backend in our project. We must edit the settings file and initialize the Google OAuth2 key and the secret using the ones obtained in the credentials generation process:
We also need to add the LOGIN_URL, LOGIN_REDIRECT_URL and LOGOUT_REDIRECT_URL keys to the configuration file. The social-app-django library uses the LOGIN_URL key to redirect the user to the Google authentication page. LOGIN_REDIRECT_URL and LOGOUT_REDIRECT_URL set the URLs where the user will be redirected after the login and logout events.
To finish the configuration process we need to add some routes:
We also need to add the following key to the settings file:
At this point the configuration should be ready. Now, it’s time to put some logic in the views and templates!
5. Adding logic in views and templates
As we said earlier, we are building a simple blog application. The default behaviour here is to only show the posts when the user is authenticated. We put the logic to control this behaviour in the view:
As you can see, the view only sends the posts list to the template when the user is authenticated.
In the template we put the code to render the posts and a link to log out but, if the user is not authenticated, we show a link to log in instead.
When the user access to our blog unauthenticated, the page looks like this:
And when the user clicks on the login link and performs the authentication process, the posts list is shown and the page looks like this:
Conclusions
In this post we have seen how the social-app-django library allows to implement OAuth authentication in our django projects in a simple way. In the sample blog application, we’ve used the library to add support to use Google accounts to authenticate the application users. Likewise, we could have used other backends to add authentication using twitter, github, facebook, etc.
Finally, I would like to stress that this library also works with a variety of python frameworks, allowing us to implement authentication as easily as we did with django.
