Djangocon: an ode to OAuth - Akos Hochrein

Tags: djangocon, django

(One of my summaries of a talk at the 2018 European djangocon.)

A show of hands. Who uses a password manager? 90% of the hands went up. Who uses at least two? Some 40%.

Passwords are irritating. There have been initiatives to “outsource” passwords: OpenID, OAuth, OAuth2.0.

On to OAuth2.0. It started at Twitter. They started with OpenID, but that only handled login, not access to resources. In the end, OAuth2.0 came out.

(Note: he said “openid connect”, but that’s built on oauth2.0, so he must have meant plain “openid” if I’m correct. But it might mean that I’m not totally correct in this summary, or I heard it incorrectly.)

There are multiple ways to work with oauth2.0. He showed the “authorisation code grant”. I can’t visualize his diagram here, look at the video for that.

There are some terms:

  • Resource owner.

  • Client: you, behind your browser.

  • Authentication server: this is where you will log in (“log in with facebook/google/etc”) and where the

  • Resource server: this is where the data is.

Akos works at prezi. The backend is actually a django site. But there were many customizations to auth, sessions and user objects. At one point, they wanted to make it easier for users to log in. So: social login.

They had those customizations, so they forked django-social-auth somewhere in 2011 and had to maintain their fork ever since.

In 2017 they wanted to get rid of the old stuff for a new kind of login. They didn’t want to fork yet another project. And actually, they wanted to get rid of their current forks.

Then they discovered A perfect set of building stones to hang their own customizations in.

There are three possibilities when logging in with social auth:

  • Regular login of a user that logged in before. This should be as smooth and simple as possible.

  • Signup. The user doesn’t exist yet.

  • Associate. The email address of the user that logs in via social auth somehow already exists as an older non-social-auth user. So you need to send an email asking whether it is OK to combine them.
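A sketch of how those three cases can be told apart, with the "associate" case held back until the emailed confirmation comes in. This is an added example, not code from the talk or from Prezi; the in-memory `users`/`links` stores, the function names and the HMAC-based confirmation token are all assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed sample state, not from the talk: in a Django site these would be models.
SECRET = b"example-only-signing-key"        # assumption: server-side secret
users = {"ann@example.org": 1}              # email -> local user id
links = {("google", "g-100"): 1}            # (provider, provider uid) -> local user id


def link_token(user_id, provider, uid):
    """MAC that binds one pending association; it goes into the confirmation email."""
    msg = f"{user_id}:{provider}:{uid}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def handle_social_login(provider, uid, email):
    """Return (action, user_id, token) for an identity the provider has authenticated."""
    email = email.strip().lower()
    if (provider, uid) in links:
        # Regular login: this social identity is already linked to an account.
        return ("login", links[(provider, uid)], None)
    if email in users:
        # Associate: the email matches an older account. Do not link or log in yet;
        # the account owner has to confirm through the emailed token first.
        user_id = users[email]
        return ("associate", user_id, link_token(user_id, provider, uid))
    # Signup: unknown identity and unknown email, so create the account and link it.
    user_id = max(users.values(), default=0) + 1
    users[email] = user_id
    links[(provider, uid)] = user_id
    return ("signup", user_id, None)


def confirm_association(user_id, provider, uid, token):
    """Link the social identity only if the emailed token verifies."""
    if not hmac.compare_digest(token, link_token(user_id, provider, uid)):
        return False
    links[(provider, uid)] = user_id
    return True


if __name__ == "__main__":
    print(handle_social_login("google", "g-100", "ann@example.org"))    # login
    action, user_id, token = handle_social_login("github", "gh-7", "ann@example.org")
    print(action, confirm_association(user_id, "github", "gh-7", token))
    print(handle_social_login("github", "gh-7", "ann@example.org"))     # login
    print(handle_social_login("google", "g-200", "bob@example.org"))    # signup
```

The point of the separate confirmation step is that a matching email address reported by the provider never logs anyone into the older account by itself. A production token would also carry an expiry, which this sketch leaves out.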

The presentation is online at

Photo explanation: station signs on the way from Utrecht (NL) to Heidelberg (DE).

About me

My name is Reinout van Rees and I work a lot with Python (programming language) and Django (website framework). I live in The Netherlands and I'm happily married to Annie van Rees-Kooiman.
