I'm slightly new to Django, and I've never had a fun time doing user management in web dev. Is there a nice, basic example/tutorial on authentication the Django User model with Oauth such as Twitter? Can I use the current User model and the data in it, or do I have to create a new table and migrate the current users over?
I tried searching around Google and such, and though I slightly see where alot of the django-social and oauth plugins go with things, I can't figure out how they're storing tokens and if they're extended to the User model.
In short, I just need a basic example and plain-English description on how to implement Oauth (or any login API) with the built-in Django User model.
Thanks!
You should try python-social-auth (the old deprecated version being Django Social auth).
Related
I'm new to Django so I have some questions that might seem basic to you. I'm looking to create a platform that is open to both individuals and companies and I'm trying to design the user auth for an API that runs on DRF. I need to provide mobile platform access so I'm thinking of using OAuth via django-oauth-toolkit. Having difficulty understanding:
Should I separate the login flow into a separate app? How do I know when I should spin up a separate app?
Do I manage the profiles via the built in admin area? Is this secure for production environments?
Should I separate individual profiles and company profiles into separate apps or just models extending the Base User?
How do I allow the individual profiles to link their logins to social media accounts with django-allauth while storing extra information like birthday/name etc regardless of which mode of login?
Thanks!
This is my point of view.
No need to separate the app. You can manage all the profiles from
Django admin.
It is secure for production environments, django not allow to see
its credentials or password to anyone, its encrypted.
You can create UserProfile model and use django user as Foreignkey
in this. You can able to add extra field like in this way. OR you
can extends the User model of Django admin.
Its just a suggest, you do whatever you feel reliable or easy way.
On the client side I use the iOS SDK for Facebook to login and I get the Facebook ID and the access token.
Now on the Django side of things I would like to create a user with Facebook ID as the primary identifier and other fields like access token, first name, last name etc (the last two of which I will retrieve from the Graph API on the server side).
I know that I have to create a custom user model.
If you wish to store information related to User, you can use a one-to-one relationship to a model containing the fields for additional information. This one-to-one model is often called a profile model, as it might store non-auth related information about a site user.
This will not be enough as I will be using the Facebook ID and the access token for authentication.
This leaves me with two options: I can substitute a custom user model like so:
AUTH_USER_MODEL = 'myapp.MyUser'
Or I can subclass AbstractUser:
If you’re entirely happy with Django’s User model and you just want to
add some additional profile information, you can simply subclass
django.contrib.auth.models.AbstractUser and add your custom profile
fields.
But that doesn't sound quite right either. Also this design tip has confused me a little more.
Model design considerations
Think carefully before handling information not directly related to authentication in your custom User Model.It may be better to store app-specific user information in a model that has a relation with the User model.
What is the best way to implement what I am trying to do?
Just a side note: The problem of a custom user is that it is often the case that other apps (and yes, you will use them) don't interact correctly with it due to the assumptions they make on the base model for auth.
This will not be enough as I will be using the Facebook ID and the access token for authentication.
I'm not sure you really need a custom user. For instance, I'm using open id for authentication and there is no problem in using the default user: there is just another model with a OneToOne relationship to the default user.
The main concern you should have for a Facebook ID for authentication (and authentication in general) is to have a custom authentication Backend with its own specific facebook authentication.
Internally, authenticate() runs through all installed backends (settings.AUTHENTICATION_BACKENDS) and tries to authenticate the user with one of those.
You can search some of the existing implementations e.g. in Django packages for facebook authentication.
If your users should be enabled to login/register with username, mail and password -> use a OneToOne relationship to django's usermodel to store facebook credentials.
If your usermodel entirely depends on facebook data and you don't want your users to login with username/pass -> substitute the usermodel with AUTH_USER_MODEL = 'myapp.MyUser'.
You might also want to take a look at django-allauth which solves much of your problems in a sweet little package.
I have a project using django. And now the need for having to completely separated auth system(with different tables, authentication back-end, users, user-info etc) comes in scene.
Is there any way to make django instead of setting request.user, sets request.myotherappuser?
What about the default auth system, can I still use it to authenticate those 'new users' and also log them in?
Thanks in advance.
I'm assuming from your phrase "authenticate those 'new users' and also log them in" that you have some legacy system from which you wish to authenticate people?
Why not write a custom authentication backend that logs people in against the old backend, and then also creates them a "new" account in django.contrib.auth?
You could also create an extension to the user model using Dj1.5 that allows you to reference the "old" table like request.user.myappotheruser.
Django Social Auth (0.7.22) is reported to support Custom User Models but I have no been able to get this to work.
In my case I am using Google's Oauth2 which I have working with a non-custom-user-model.
With the Custom User Model I get correctly redirected to the Google Account Page, select an account to login and then and redirected to the LOGIN_ERROR_URL, with no messages or debug info.
To simplify debugging I have created a simple example project with the bare minimum bits and pieces at https://github.com/jonathanendersby/SocialAuthCustomUserModel
Has anyone got this to work and can they point out where I have gone wrong?
This issue is now resolved in the repo at https://github.com/jonathanendersby/SocialAuthCustomUserModel
Quoting https://github.com/omab:
The problem was the parameters that create_user() was getting, not all
of them are available on all the backends.
By replacing the method signature with the same from django manager,
and setting some default values into first_name and last_name fields
in your model, it works OK.
I've recently started using Pushover.net, I've done some searching and can't find any examples of it being integrated with a django project.
Since i can't find any examples I've decided it would be fun to try myself. What I'm interested in is how you would suggest I do it. I want the actual pushover part as decoupled a possible, hence doing it asas an app.
What I'm not entirely sure on how to approach is the user authorization. The idea being a user enters their pushover user key and its saved in a user profile model using django's AUTH_PROFILE_MODULE with some functions such as has_pushover but obviously I'd like some security so the user keys aren't stored in plaintext. What do people suggest for this?
Is there some inbuilt django security I can use?
In the past when I've needed to encrypt Django fields I used the encrypted fields available in django-fields. You could use one of these on your UserProfile model and define a has_pushover() method on the model which basically returns whether the pushover token field is None or not.
I'm guessing because you're talking about storing each user's Pushover token you are wanting to build an app for pushing arbitrary notifications to your website's users? This is in contrast to having the website just push notifications to yourself for site events.