magic link only auth about django-allauth HOT 7 CLOSED

Can you please elaborate -- what exactly is meant with "close but not similar"?

from django-allauth.

@pennersr apologies I should have been clearer, for one, it uses code instead of just a link that you can click. I had to double-check and when I did I found this discussion: #1472

so it seems the decision is deliberate, I wonder if it's possible to make a magic link implementation on top of this? my thinking is to generate a URL to pass the login code there somehow and then automatically log the user in by reading the GET parameter? I am not sure the exact mechanisms nor whether it is possible or not. Some guidance would be helpful 🙏🏻

from django-allauth.

@hyusetiawan
can you please elaborate again, because the answer you provided to @pennersr is almost 9 year old, it's from 2016, if you see.

OAuth

Accordig to OAuth, you can get email from use and then get code in email and user have to login with that code, but if you only want to click on link and login directly you can setup a custom flow with this in that api you will tell OAuth to send a link when user provide email and then user can click on the link and direct login.
This will cost according to OAuth.

Another approach is using custom flow.

I recently implemented magic logic link with OAuth but if you need to implement custom with django, use django django.contrib.auth.tokens, which also use for email account verification,

I guess you understand that, that link will only be valid for some time and can be use as magic login.

As an example here is simple demo code you can use for temporary link that can be use for magic link, reset password and also email verification

from django.utils.encoding import force_str
from django.utils.encoding import force_bytes
from django.utils.http import urlsafe_base64_encode
from django.utils.http import urlsafe_base64_decode
from django.contrib.auth.tokens import PasswordResetTokenGenerator


class TokenGenerator:
    def generate_token(self, user):
        user_hash = f'{user.pk}|{user.username}|{user.email}|{user.is_active}'
        uid_64 = urlsafe_base64_encode(force_bytes(user_hash))

        account_activation_token = PasswordResetTokenGenerator()
        token = PasswordResetTokenGenerator.make_token(self=account_activation_token, user=user)

        tokenInfo = {
            'uidb64': uid_64,
            'token': token
        }
        return tokenInfo

    def verify_token(self, user, token):
        account_activation_token = PasswordResetTokenGenerator()
        return PasswordResetTokenGenerator.check_token(self=account_activation_token, user=user, token=token)

    def decode_uid(self, uidb64):
        return force_str(urlsafe_base64_decode(uidb64))

You can change user_hash as per your requirement.

- user_hash = f'{user.pk}|{user.username}|{user.email}|{user.is_active}'
+user_hash = f'{user.pk}|{user.your-custom-field-after-link-click}' 

Let me know if I understand wrong..

from django-allauth.

@deviserops you understood correctly actually, I understand that there will need to be some custom code. You are generating your own password token but django-allauth also generates a token of its own, I wonder if we can use the library as to implement magic link?
As in:

1. django-allauth to generate the login code
2. Send the email (this is probably custom code to link to a new URL)
3. in urls.py, add login-code where it will get in the GET parameter
4. pass the URL parameter to django all auth verification form

Wouldn't this replicate a magic link behavior using purely django all auth?

from django-allauth.

Note that logging in by link comes with additional security caveats. Even Slack which was once using “Magic links” to login abandoned those. Issues:

• Anybody who (somehow) intercepts the link can login. If you intercept the code, you still have nothing, as you need to enter it in a browser window with a specific session.
• You train your users to click on links in mails, which makes them vulnerable to phishing attempts.

So logging in by code instead of link is actually more secure.

from django-allauth.

@hyusetiawan
If you want to use library you can use Okta python SDK.
I am not sure i it will replace the behavior os django all auth, but if you need to then you have to use custom code anyway.

Also as @pennersr say's that it will be security concerns so is true. you have to make sure that link will send to only those who want to sign in, but this can also be compromised in some way.

OAuth team does not recommend using magic link though.

from django-allauth.

Given the concerns mentioned I prefer not to bring this in scope.

from django-allauth.