Comments (7)
Can you please elaborate -- what exactly is meant with "close but not similar"?
from django-allauth.
@pennersr apologies I should have been clearer, for one, it uses code instead of just a link that you can click. I had to double-check and when I did I found this discussion: #1472
so it seems the decision is deliberate, I wonder if it's possible to make a magic link implementation on top of this? my thinking is to generate a URL to pass the login code there somehow and then automatically log the user in by reading the GET parameter? I am not sure the exact mechanisms nor whether it is possible or not. Some guidance would be helpful ๐๐ป
from django-allauth.
@hyusetiawan
can you please elaborate again, because the answer you provided to @pennersr is almost 9 year old, it's from 2016, if you see.
OAuth
Accordig to OAuth, you can get email from use and then get code in email and user have to login with that code, but if you only want to click on link and login directly you can setup a custom flow with this in that api you will tell OAuth to send a link when user provide email and then user can click on the link and direct login.
This will cost according to OAuth.
Another approach is using custom flow.
I recently implemented magic logic link with OAuth but if you need to implement custom with django, use django django.contrib.auth.tokens
, which also use for email account verification,
I guess you understand that, that link will only be valid for some time and can be use as magic login.
As an example here is simple demo code you can use for temporary link that can be use for magic link
, reset password
and also email verification
from django.utils.encoding import force_str
from django.utils.encoding import force_bytes
from django.utils.http import urlsafe_base64_encode
from django.utils.http import urlsafe_base64_decode
from django.contrib.auth.tokens import PasswordResetTokenGenerator
class TokenGenerator:
def generate_token(self, user):
user_hash = f'{user.pk}|{user.username}|{user.email}|{user.is_active}'
uid_64 = urlsafe_base64_encode(force_bytes(user_hash))
account_activation_token = PasswordResetTokenGenerator()
token = PasswordResetTokenGenerator.make_token(self=account_activation_token, user=user)
tokenInfo = {
'uidb64': uid_64,
'token': token
}
return tokenInfo
def verify_token(self, user, token):
account_activation_token = PasswordResetTokenGenerator()
return PasswordResetTokenGenerator.check_token(self=account_activation_token, user=user, token=token)
def decode_uid(self, uidb64):
return force_str(urlsafe_base64_decode(uidb64))
You can change user_hash
as per your requirement.
- user_hash = f'{user.pk}|{user.username}|{user.email}|{user.is_active}'
+user_hash = f'{user.pk}|{user.your-custom-field-after-link-click}'
Let me know if I understand wrong..
from django-allauth.
@deviserops you understood correctly actually, I understand that there will need to be some custom code. You are generating your own password token but django-allauth also generates a token of its own, I wonder if we can use the library as to implement magic link?
As in:
- django-allauth to generate the login code
- Send the email (this is probably custom code to link to a new URL)
- in urls.py, add login-code where it will get in the GET parameter
- pass the URL parameter to django all auth verification form
Wouldn't this replicate a magic link behavior using purely django all auth?
from django-allauth.
Note that logging in by link comes with additional security caveats. Even Slack which was once using โMagic linksโ to login abandoned those. Issues:
- Anybody who (somehow) intercepts the link can login. If you intercept the code, you still have nothing, as you need to enter it in a browser window with a specific session.
- You train your users to click on links in mails, which makes them vulnerable to phishing attempts.
So logging in by code instead of link is actually more secure.
from django-allauth.
@hyusetiawan
If you want to use library you can use Okta python SDK.
I am not sure i it will replace the behavior os django all auth, but if you need to then you have to use custom code anyway.
Also as @pennersr say's that it will be security concerns so is true. you have to make sure that link will send to only those who want to sign in, but this can also be compromised in some way.
OAuth team does not recommend using magic link though.
from django-allauth.
Given the concerns mentioned I prefer not to bring this in scope.
from django-allauth.
Related Issues (20)
- social_account_added signal not called HOT 2
- How to Resolve "Application labels aren't unique" Error When Adding allauth Services to a Django Project with Existing 'account' App HOT 1
- Is it possible to configure microsoft/azure login/api endpoint? HOT 1
- Google provider login do not authenticate specific user for production env HOT 6
- Comparing ACSView / FinishACSView and Headless SSO endpoint
- Facebook auth works, but does not create a user account HOT 7
- NPM package to streamline the use of allauth headless in JS apps HOT 3
- SAML basic questions
- 0.63.2 breaks with ImportError when using `secure_admin_login` HOT 8
- Documentation for installing mfa has slight issue HOT 1
- Facebook Graph API update create bug in Facebook Login HOT 1
- Login by code ("Magic code login") and unverified email addresses HOT 2
- HEADLESS_ONLY = True and socialaccount_connect combination HOT 3
- Google provider not showing in list of providers when adding social application in admin app using version 0.63.2 HOT 4
- Doc mismatch for HEADLESS_FRONTEND_URLS setting HOT 1
- Check if email is already registered in POST `/account/signup` HOT 1
- Email2 field not being converted to lowercase, comparing fails HOT 4
- Incorrect link to demo in docs HOT 1
- Telegram authentication needs /setdomain for your website. HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. ๐๐๐
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google โค๏ธ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from django-allauth.