I'm working on a django site, which I want the authentication part to work exactly like how Stack Overflow works. A new user comes to the site, they click on "create new account", choose their OpenID provider, get validated, then an account is created for them with "openiduser4356" or something as the username. The user can then go into preferences and change the username to whatever they want. I don't want any kind of local account sign-ups at all.
I pretty much spent all day getting django-authopenid working and it seems the only way this plugin works is by adding OpenID identities to already existing accounts. Heck, you can't even run your site when you have django-authopenid installed unless you have django-registration installed as well...
Before I spend another day wrestling with this thing to try getting it to do what I want, I'd rather just know off the bat if this kind of thing is even possible/a good idea. I noticed that there are a few other OpenID plugins for django out there. Are any of them any better at doing what I'm trying to do?
django-openid does not depend on django-registration.
You might also take a look at a fork of django-openid, django-openid-consumer. It works with the most recent python-openid libraries.
If you don't mind using rpxnow.com, check out http://github.com/howthebodyworks/django-rpx/tree/master
Related
I'm developing a webapp which allows users to log in with their Google accounts, using OAuth2.0.
I've created an OAuth2.0 client ID, configured the OAuth consent screen with the Publishing status set to 'Testing', and added a test user.
The frontend of my app is built with React, and I'm using a package (react-google-login) to handle the flow. I can successfully sign in with the Google account I added as a test user, and retrieve the basic profile information needed.
The problem is I can also sign in with other Google accounts, which have not been added to the list of test users. I imagine that Google should simply not issue access tokens for accounts which are not in the list of test users.
I feel like I've misunderstood something about the OAuth process, or I have configured something incorrectly. I would appreciate if anyone had any pointers?
Thanks.
It is indeed bugged.
I was in the same spot as you, assuming I had misunderstood something. After reviewing my code over and over with no luck, I made a Stack Overflow post, in which I was advised to post to Google's bug tracking system. After doing some troubleshooting with Google they confirmed the bug, and they are now working to fix it (for a little while already).
I included this thread as an example when talking to Google. I meant to post an update here after getting in touch with them, but I forgot, sorry!
The buganizer thread with more details:
https://issuetracker.google.com/issues/211370835
Is it possible you're only asking for the email scope?
It appears the test user filter and possibly the whole concept of the 'app' being in test mode exists only inside the consent screen feature.
For some reason, Google doesn't show the consent screen if you only ask for email.
So... maybe that means you don't need a consent screen, and therefore don't need to care what that feature thinks about your app (that your app is in test mode and needs to be verified before going into production).
Or maybe it's a bug? Or maybe just because you can do this doesn't mean it's allowed by Google's terms. Maybe they just haven't implemented preventing that use case.
Anyway, it may help you to know that if you add a more significant scope like the Calendar API then the following things will change:
Non-test users will get a message like "The developer hasn’t given you access to this app." and won't be able to complete oauth
Test users will get a message like "Google hasn't verified this app"
Test users will see a consent screen
Basically, everything starts working as expected.
By the way, just putting "email" or "profile" for scope seems to be an old way of doing things, and all the newer scopes want you to use a full URL for the scope (despite google themselves not using the full URL when you're configuring your scopes).
For example, if you want the email and calendar scopes, you can put this value for your scope field:
email https://www.googleapis.com/auth/calendar
Or you can use this equivalent value:
https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/calendar
Not suggesting you add a scope like email for the sake of it, just that it sheds light on what's happening, and if there's a scope like that that you need anyway, adding it will solve your problem.
I'm building a small social WP plugin (more for learning purposes than anything else) and I'm trying to get my head around the various social networking sharing api's etc.
With regards to Facebook sharing, there seems to be the requirement for an application ID. Thats easy enough if this a one time thing, on a single site, but in the case of writing a plugin, I obviously would want it to be easy for users to install and setup, and not neccessarily have every user have to put one in from an options panel.
It seems to work when removing it from the FB.init, though I'm developing locally, and get an error when trying to use the like button.
Is an APP ID 100% required? and if so can I as a plugin author use one (think this gets paired with a website URL so not sure if its even possible) or the plugin that would
Anyone experienced with this got any tips?
For using the feed dialog, you do need an App (with ID). But you can - of course - just use your own App and just put it in the plugin. The App ID is nothing secret, and with that way you can also monitor the usage with the Facebook Insights.
There is one option without the feed dialog: sharer.php
It is exlained here: How to use Facebook Sharer in PHP
Just keep in mind that it is deprecated though (see other thread).
This issue is very common in stackoverflow, and there's a lot of different questions and answers about it, yet I couldn't find exactly what I need.
First, I'd like to define exactly what I need: the option to let users log in to my app using their Facebook credentials. The app will save a matching classic Django user. I will only need to use the user's profile picture and to make sure that each time the same Facebook user will be related to the matching Django user.
Unfortunately, I find it really frustrating to implement for the following reasons:
By now, after reading a lot, I couldn't find out what is the best package for this task.
Some people recommend django-social-auth and praise its functionality and documentation. Personally, I don't understand why, since it's not specifically for Facebook and there are no explanations about the client side, i.e the Facebook login button and how the whole flow works.
When you go to Facebook developers, you suddenly find yourself reading about some magical javascript sdk, and about a promise that that's all you need. Then you get frustrated again and can't understand how a client side related sdk can sign up users to your app.
I know developers somehow implement Facebook auth packages in their apps, but I just can't figure out how to do it.
If anyone could tell me: at this time point, what is the best way to add Facebook authentication to my Django app? I would also ask for detailed documentation / tutorial that explains how to log in a Facebook user, from settings and configuration level through signup to Django app and to client side code.
There are multiple ways to approach the problem, what is the "best" way is really subjective.
Subjectively speaking, you could opt for django-allauth. Here are a few pointers to help you get started:
If you want to keep the signup simple, set SOCIALACCOUNT_AUTO_SIGNUP to True in order to achieve a "no questions asked" login. Users simply approve the FB dialog and they end up logged in in your site right away.
Adding a login button to your template is merely a matter of:
Sign In
The app offers support for the JS SDK login (pro: users are accustomed to the typical FB popup that appears), or you can use your own OAuth flow. Whatever you please.
The fastest way understand FB's Oauth 2.0 flow is to play with FB's Javascript SDK. Once you get the hang of it, the FB's PHP library is similar. Also, other OAuth sites like Google, Twitter or Dropbox have almost identical implementation.
In baby steps:
Learn how to install FB Javascript SDK onto a simple page
Use FB.login to determine login status and obtain the login url.
Lastly, use FB.Event.Subscribe and subscribe to auth.statusChange to detect the login/logout changes.
Also, good to check out https://developers.facebook.com/roadmap/ on the upcoming features or features being removed.
django-social-auth is not just for Facebook, but that doesn't mean you should use all the backends available.
Project documentation is at http://django-social-auth.readthedocs.org/en/latest/index.html and Facebook backend details at http://django-social-auth.readthedocs.org/en/latest/backends/facebook.html.
I should first note that I am a newbie in python/django applications but I am trying hard to learn :)
I am working/experimenting on a django project that supports login through openid providers. So I was able to login through my google account with no problems.
Recently, I decided to change the url of my site but at the same time I kept the current database because I dont want to lose my data,users etc. After that point, I am not able to login to the application. This is the following scenario that happens all the time:
Try to login to my site
Site doesn't remember me and I am redirected to google server
I fill my credentials in google server
I am redirected to my site that complains that the user already exists
So, I don't know how to manage with this problem. Is there any workaround or a hack that I can do to my database that will solve this problem? When I browse to my database I find several tables that may be related:
django_authopenid_association, django_authopenid_nonce, django_authopenid_userassociation,django_authopenid_userpasswordqueu
One of the tables in my database (django_authopenid_association) contains the following data. Do you believe that If I reset anything there is going to help?
If you have any good advices/tips are more than welcome.
Thanx
I found a solution/temp hack that worked for me. Of course, this doesn't imply that my solution is the optimal nor that I recommend this to anyone else.
What I did is to create a second account to my application using the same gmail account but having different user name. Then, I edit the new entry in the django_authopenid_association table, copy paste the openid_url value and use it for my old user (database entry 1 in the screenshot of my question).
After that, since I was able to login with my old user, I delete from the database the new user and everything seems to work smoothly until now.
I want to implement Facebook connect login for my Django site and I've checked the already existing apps.
So far, I have found Django-Socialauth, django-socialregistration, and django-facebookconnect for this purpose.
The question is which one to choose, and I would like to hear from other developers who have experience with any of these apps.
It is important for me that the Facebook Connect login app plays nicely with #login_required, with the default auth system, and with django-registration.
Please share your experience :)
Update (11/26/2013): I'm updating my recommendation. Since a sufficient amount of time has passed since I wrote this answer, I would recommend python-social-auth or django-allauth as the best tools for the job. They are active projects with good documentation and support for a lot more than just Facebook. I've had success using both.
I have had the most luck with adapting django-socialregistration with django-registration (0.8). Since you're working with django-registration, you're going to have to do a little bit of work, since all three of those packages assume the role of both the creation and the authentication of the user.
I was just going to explain what needed to be done, but you inspired me to finally get my version out: hello-social-registration.
Like I alluded to, it separates gives the registration functions to a django-registration backend and handles all the authorization itself. I've been using this on my near-beta application for a while now with no problems (I also handed it to a friend to use a few months ago and he got it to work without much modification).
It's definitely not ready to be a plug-and-play reusable application, yet, but hopefully it'll provide you with some insight. :)
By far the most commonly used package for Facebook authentication in Django is Django Facebook:
https://github.com/tschellenbach/Django-facebook
It also gives you access to the facebook APIs using the included Open Facebook api client.
I wanted to implement a basic "Login using Facebook" functionality in my Django app. I didn't want to show the user a form to fill or have her choose a password. I preferred to make it seamless.
Based on my requirements, django_facebook_oauth was the best app for me. It simply allows the user to login using facebook, and gets the user info my Facebook app requests from her (based on my Facebook Auth Dialog). It creates a new user in Django with the user's facebook email, a username and a blank password.
I highly recommend it.
Hi Take a look at fbconnect app that we (actually, Hernani, a guy on our team) put together for osqa (a clone of CNPROG).
You will have to, probably, tinker a bit to adapt that to your needs. It does work with #login_required decorator and the standard django.contrib.auth system, but we do not use django-registration.
Our app also works with openid and password login, but the openid part is tightly coupled with the Q&A component at present.
We may separate it though some time in the future, if anyone might be interested in "anything-signin" django pluggable app or has something better already - pls let us know.
I've used django-allauth and django-facebook on two different projects.
django-allauth was great and provided very good support for logging in and creating user profiles. It could also work with other auth providers, which I didn't implement.
django-facebook worked out of the box, but it's only compatible with Facebook. It also provided simple APIs for fetching users' likes and friends from Facebook directly into the db, which I liked very much!
facebook.get_and_store_likes(user)
facebook.get_and_store_friends(user)
I played with .NET based libraries and found them to be frustratingly out of date. Facebook seems to change their APIs frequently, so if you cannot find a library that is routinely maintained, you will find that you will get halfway through your implementation before you realize that there are serious problems.
I had some success with the javascript API that Facebook publishes and maintains. While the documentation may not be always up to date, I found that I was always within striking distance of the correct implementation (one or two changes needed).