i tried to install django social auth,
which is located on
https://github.com/omab/django-social-auth
how can i associate a regular registration and social auth
for example a user doesn't have any account in twitter or facebook etc ..
how can i associate django.contrib.auth with social auth
by giving him the choice of choosing either to register normal registration or using his account in twitter or facebook
django-social-auth provides views for authenticated with a particular backend (such as Google, Facebook, or Twitter). Take a look at the code defined in social_auth's URLconf: https://github.com/omab/django-social-auth/blob/master/social_auth/urls.py
Once you've got social_auth installed, if you want to log in with Twitter, you'd visit the begin url specifying the appropriate backend (e.g. /login/twitter/). The social_auth app would then redirect your user to Twitter, at which point they'd authorize your app, then you'd get redirected back the complete url (e.g. /complete/twitter).
If you wanted to associate a Twitter account with an existing user (that is, a User created via the admin app, or something like django-registration), you'd visit the associate_begin url (e.g. "/associate/twitter/").
This all assumes that your root URLconf contains an entry like:
url(r'', include('social_auth.urls')),
Related
I am developing a native frontend application which communicates with a backend rest api built using python django rest framework.
The rest framework uses django rest framework token authentication in which every user has an authorization token and the token will have to be attached to the header of every http request to the rest api in the form of “Authorization: Token ”.
My application provides the user with two main ways to login. The first one is to register an account with username and password. This will create a django User model object and a token will be generated. This login method works well.
The second login method is to login with the user's social account. My idea is whenever an user login with their facebook account, the app will be redirected to my website which will then redirect the user to the social media of their choice. After authorizing the social media api will redirect them to my website again which a user and a token will be created. Then my website will redirect back to my native app using a custom uri with the token attached in the uri like this:
myapp://authenticate#token=xhskscjndjnccjdsdc
The native app will then parse the uri and obtain the token.
The part that I am worried about is security. This method works but attaching a token in an uri seems a bit insecure to me. Is there any best practice that I can follow? Thanks!
I can propose you to use django-rest-auth for dealing with Authentification and Registration.
With that package/library you can use Social Authentication through Facebook, Twitter, Google or other provider.
I currently use the "Google Accounts API" to allow users to login to my GAE app. So I use users.create_login_url and users.get_current_user and add an ndb.UserProperty to my own user entity so that I can retrieve data for that user.
I'm now in the process of switching to oauth2 (using authomatic).
I don't know how to handle admin users after the switch to oauth2. I currently use users.is_current_user_admin to detect an admin user, but that won't work if the admin logs in with oauth2.
I see two awkward solutions:
Keep using the Google Accounts API for admin users and have regular users login with oauth2.
Store a list of oauth2 credentials for admin users (hardwired in the code or in the datastore) so admin users will be recognized after login with oauth2.
Is there a better way or should I use one of the above, and if so, which one?
I'll describe how I ended up doing it in case it is helpful for others.
Below is my Login handler. If a user goes to "/login" then it displays login buttons. When a user clicks on a button, the page redirects to, e.g., "/login/google" to do OAuth2 processing.
If I want to login as admin, then I manually enter this URL "/login/gae".
class Login(webapp2.RequestHandler):
def get(self, provider=None):
# Show the login page and allow the user to select a provider
if not provider:
template = JINJA_ENVIRONMENT.get_template("login.html")
self.response.write(template.render())
# Only for admin login. Use app engine login.
elif provider == "gae":
self.redirect(users.create_login_url("/"))
# The user has selected a provider so we do oauth2 login.
else:
session = Webapp2Session(self, session=self.session)
result = authomatic.login(Webapp2Adapter(self),
provider,
session=session,
session_saver=session.save)
...
To allow admin to logout, I conditionally put an admin logout on my web pages by creating this template variable:
logout_url = users.create_logout_url("/") if users.is_current_user_admin() else None
and adding this to my page template:
{% if logout_url %}
<li>Admin Logout</li>
{% endif %}
I have used python-social-auth for social authentication in my django application. Now I am going to post facebook status from this application.
At first I have created a facebook app from https://developers.facebook.com/. Here are the steps I have followed ,
Create new app
Display name and namespace is given. Category selected as Games then create app.
App settings -> Add platform -> Website -> site url = test1.com:8000 -> save changes.
I have also made the application and all its live features available to the general public.
Then I have added ,
SOCIAL_AUTH_FACEBOOK_KEY='****************'
SOCIAL_AUTH_FACEBOOK_SECRET='**************************'
and
SOCIAL_AUTH_FACEBOOK_SCOPE = [
'publish_actions'
]
to settings.py .
When I run this app and start with facebook authentication it displays following popup,
And when I click on Play now button it successfully redirects to my django app's homepage and post my facebook status,
Here is my code for posting facebook status ,
social_user = request.user.social_auth.filter( provider='facebook',)[0]
graph = facebook.GraphAPI(social_user.extra_data['access_token'])
graph.put_object("me", "feed", message="here is status messgae")
But when another user [other than my facebook account] tries to authenticate this app is displaying popup like this ,
In first case I have successfully posted my status, But In second case I am [ message in second popup clearly shows that the app doesn't have any access to users wall.]
This is the error I am getting for the second case ,
GraphAPIError at /
(#200) The user hasn't authorized the application to perform this action.
My question is that , Why my app is not able to post on others wall ?
Is there is any bad configuration (or missed something) I did while creating facebook app ?
Or something else I have to add in settings.py.
The app settings are just fine. Actually, facebook recently made some significant changes and introduced v2.0 (learn more about this here)
So from now on (you can even check the warning in the first dialog)-
If your app asks for more than than public_profile, email and user_friends it will require review by Facebook before your app can be used by people other than the app's developers.
Only the testers/developers of the app can test the app with other permissions before they are reviewed by facebook.
You can check out the review documentation for more details.
Using Django-facebook for the first time.
For some reason, if i log in with facebook, but later log out of my Facebook account. My application stays logged in with the default Django user, with an expired session token because "the user has logged out". If I then re-log in to facebook, the Django app stays "logged out" of Facebook.
In the case above, I have tried attaching #facebook_required_lazy to the top of my view function, but to no effect. What is the intended behavior of this decorator in this use case? The view contains a call to get_persistent_graph.
Your Django login session is completely independent from your Facebook login session. Facebook is used to authenticate only, that is at the time of the login. But the login sessions are independent, not connected. Thus, logging out from Facebook does not affect your Django session at all. It is normal that you are still logged in on Django.
To logout from Django you need to use the logout method of the Django framework, in module django.contrib.auth, for example with a custom logout method like this:
from django.contrib.auth import logout as django_logout
def logout(request):
django_logout(request)
return some_other_view(request)
I am dabbling a little with Python Django Social Auth using Twitter authentication.
I can login.
But, when I try to log out using django.contrib.auth.logout, it doesn't log out.
What's the way to logout?
Thanks.
Are you trying to log out just from the Django app or do you want to "forget" the Twitter access? Usually the twitter auth token is stored for simplified login the next time a user wants to connect to twitter, so the user doesn't have to "accept" the access again.
Django logout
If you just want to logout from the Django auth system, it should be enough to use the django.contrib.auth.views.logout view or to create a custom logout view.
Social auth disconnect
To completely unlink/disconnect a social account, you need to use the disconnect functions in social-auth. You can get the disconnect url using the following template tag:
{% url "socialauth_disconnect" "backend-name" %}
For more information, please refer to http://django-social-auth.readthedocs.org/en/v0.7.22/configuration.html#linking-in-your-templates.
Force approval prompt
Because you've already allowed your app access to the OAuth provider, the auth provider will remember that decision. There are usually two ways to force a confirmation of that access permission:
Revoke the access permission in the management console of your auth provider (e.g. disapprove twitter app access).
Set an extra OAuth argument that forces the approval prompt. I'm not sure if Twitter provides such a thing, but if you're using Google OAuth2 you can simply add {'approval_prompt': 'force'} to the GOOGLE_OAUTH2_AUTH_EXTRA_ARGUMENTS setting.
Do you have a logout view? You need to have a logout view.
Example:
from django.contrib.auth import logout
def logout_view(request):
logout(request)
# Redirect to a success page.
This answer is outdated as django-social-auth is now python-social-auth
See newer Stack Overflow answer here.
Read the docs here
According to the documentation there is a difference between log out and disconnect. In short,
Disconnect - forget the user social account.
Log out - end the current user session and remove any related data (like cookies).
From the question, I assume you still want to allow the user to have the Twitter linked with the account. If you want to disconnect, check this answer.
To log the user out, you can have in your Django settings.py
LOGOUT_URL = "logout"
Then, in your urls.py
from django.urls import path
from django.contrib.auth import views as auth_views
urlpatterns = [
path("logout/", auth_views.LogoutView.as_view(template_name="registration/logged_out.html"), name="logout"),
]
Then, to log the user out, you can just use in the template something like
Logout
Also, you'll have to create a the logged_out.html file in appname/templates/registration/ and include in it whatever you want the logged out user to see.