Django External Authentication with OpenID Connect (Django to Django OIDC Integration)

Abedy Ng'ang'a
Nov 9, 2020

Let’s start with a very pragmatic use case. You’re working in an organization that is broken down into several departments. Each of these departments needs several interdependent systems, so a user in one designation must be able to access a system intended mainly for users in a different designation, with a different level of privileges of course :-).

Or a simpler use case: you need to develop different applications but maintain a common user base, so that a user who is already registered can access any of the new applications without having to sign up again.

So the billion-dollar question is: how do you achieve this purely in Django?

It is common knowledge that a Django project is organized into apps, so my first thought was to have one big parent project with every system as an app inside it, but this would prove very cumbersome: scaling would be quite an issue, and system maintenance would be very hectic.

On doing some extra research, I came across the OpenID Connect authentication flow, which allows you to integrate external authentication into a native application. Prominent examples of companies using this include Google and Microsoft, among other companies that have multiple products with the same authentication across the board. Another good example is the OAuth 2.0 flow, which allows you to integrate authentication from third-party apps such as Google, GitHub, Twitter and Facebook into your native application.

The persisting problem was then to customize OpenID Connect to work with Django in such a way that the authentication back-end is based on Django, as well as the client. I came across two savior packages that work surprisingly harmoniously together, one being an OIDC provider and the other an OIDC client: django-oidc-provider and mozilla-django-oidc respectively.

django-oidc-provider is brilliant in that its configuration is easy to understand and its documentation is excellent. It gives access to all the endpoints common to OpenID Connect and OAuth 2.0. These include authorization, token and userinfo, as well as optional endpoints such as discovery and session management, among others.

mozilla-django-oidc, on the other hand, works amazingly well at overriding Django's default authentication back-end. Plus, you can have two authentication back-ends working simultaneously without any impediments.
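
How the two packages fit together on the client side, as an added example (not code from the original post or from either project): it builds the mozilla-django-oidc settings that point at django-oidc-provider's endpoints and keeps Django's `ModelBackend` active alongside the OIDC back-end. The provider URL, the `openid/` mount point and the helper name `oidc_client_settings` are assumptions.

```python
from urllib.parse import urlsplit

# Paths that django-oidc-provider's URLconf serves below its mount point.
PROVIDER_PATHS = {
    "OIDC_OP_AUTHORIZATION_ENDPOINT": "authorize/",
    "OIDC_OP_TOKEN_ENDPOINT": "token/",
    "OIDC_OP_USER_ENDPOINT": "userinfo/",
    "OIDC_OP_JWKS_ENDPOINT": "jwks/",
}


def oidc_client_settings(provider_base, client_id, client_secret, sign_algo="RS256"):
    """Return the settings a client project needs to log in via the provider.

    provider_base is where the provider project mounts oidc_provider.urls
    (assumed here: https://accounts.example.org/openid/).
    """
    url = urlsplit(provider_base)
    local = url.hostname in ("localhost", "127.0.0.1")
    # Codes, tokens and the client secret cross this channel, so require TLS
    # everywhere except a local development provider.
    if url.scheme != "https" and not (url.scheme == "http" and local):
        raise ValueError("provider URL must use https: %r" % provider_base)
    if not client_id or not client_secret:
        raise ValueError("client_id and client_secret come from the provider's client registration")
    base = provider_base.rstrip("/") + "/"
    settings = {name: base + path for name, path in PROVIDER_PATHS.items()}
    settings.update({
        "OIDC_RP_CLIENT_ID": client_id,
        "OIDC_RP_CLIENT_SECRET": client_secret,
        # Must match the JWT algorithm chosen for this client on the provider.
        "OIDC_RP_SIGN_ALGO": sign_algo,
        "OIDC_RP_SCOPES": "openid email",
        # Both back-ends stay active: OIDC logins go through the provider,
        # local accounts (e.g. a break-glass admin) still use ModelBackend.
        "AUTHENTICATION_BACKENDS": [
            "mozilla_django_oidc.auth.OIDCAuthenticationBackend",
            "django.contrib.auth.backends.ModelBackend",
        ],
    })
    return settings


# In the client's settings.py (constructed values; keep real secrets out of source):
# globals().update(oidc_client_settings(
#     "https://accounts.example.org/openid/", "placeholder-id", "placeholder-secret"))
```

The client project also needs `mozilla_django_oidc` in `INSTALLED_APPS` and its URLs included for the login and callback views.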

Next, we’ll talk about these configurations in detail. Be sure to check it out.

Originally published at www.abedynganga.com.
