Django and OpenID Connect

Recently I discovered I had a project that needed an authentication and authorization solution that went further than just a straightforward application checking a user record in a database.

I remembered that Mozilla’s services, like their Firefox Add-ons portal, effectively functioned the way I envisioned mine would need to. Digging under the hood, I realized that Mozilla was using OpenID Connect (OIDC), and that made a lot of sense as it is just OAuth plus an identity solution.

I then evaluated what was available on PyPI for me to reuse with my Django project and discovered the two major components I needed to bring this together:

  • Django OIDC Provider: This is the identity server component. It’ll manage all the client credentials for you and tie into Django’s core auth model/view features.
  • Mozilla’s Django OIDC: This is the client component. You point it at a compatible OIDC Provider and it’ll do the OAuth dance for you and then link that project’s Django core auth accounts to those from your provider.

Both projects are well documented and will work just about out of the box with some modifications to your Django projects’ settings files. I personally found I needed to use the extensibility options of both projects to do things like offer custom OIDC claims, but I found the extensibility portions to be relatively easy.

I’m thankful that Mozilla works in the open and uses Django, because reading through their source code gave me a lot of confidence that this idea would work for my needs. Without that assurance, I think I would have needed to do quite a lot more testing to convince myself that it was a solution worth pursuing.