django-hidp: A Complete Authentication System for Django Developers

When developing Django applications, authentication often becomes a complex puzzle involving multiple libraries, custom solutions, and security choices. At Leukeleu, we've solved this puzzle numerous times for our clients, which led us to create a definitive solution that benefits not only us but also the Django community.

The problem we address

(Almost) every Django application requires authentication, but the current ecosystem necessitates combining various solutions. You might start with Django's built-in authentication, add django-allauth for social logins, integrate django-otp for two-factor authentication, implement rate-limiting with django-ratelimit, and then spend considerable time ensuring all these components work securely together.

This fragmented approach brings several issues. Maintaining and updating multiple dependencies across projects becomes an ongoing burden. Moreover, inconsistent implementations across different projects can lead to further complications.

Our solution: django-hidp (Hello, ID Please)

django-hidp reflects our commitment to privacy-by-design and standardization. Instead of developing yet another minimal authentication package, we've created a comprehensive (yet compact) solution that addresses the complete authentication needs of a modern Django application. The core philosophy of django-hidp is to provide a full, secure authentication environment adhering to OWASP best practices, while remaining flexible enough to adapt to specific project requirements. We've incorporated our experiences from numerous client projects into this robust package.

Key features

Complete authentication flow: django-hidp manages the entire authentication cycle, from registration with email verification to password recovery. The system offers intelligent default settings with room for customization as needed.

Easy integration: A thoughtfully designed set of templates provides an out-of-the-box clean frontend with clear (translated) texts and an appearance that can be easily tailored to your application.

OpenID integration: Modern applications need to connect with external identity providers like Google, Microsoft, and enterprise solutions. django-hidp offers built-in OIDC support, greatly simplifying these integrations.

Flexible two-factor authentication: Built on django-otp, django-hidp supports various OTP methods such as TOTP and backup codes, including configurable policies for different security levels.

Standalone OIDC provider: For organizations with multiple applications, django-hidp can function as an OIDC provider itself, enabling single sign-on within your application ecosystem without relying on external services.

Standard security: Rate limiting automatically protects against brute-force attacks. Built-in support for Content Security Policy helps prevent attacks like cross-site scripting. The system follows OWASP guidelines and includes security measures often overlooked in custom implementations.

Minimal dependencies, maximum functionality

The django-hidp project is designed with a minimal yet thoughtful set of dependencies, aligning with its goal: secure, modern authentication supporting OIDC, MFA, and QR codes. Here's an overview of the packages used, grouped by functional domain:

Core functionality

These form the core of the authentication process:

  • jwcrypto for signing and verifying JWTs essential in OIDC flows and OAuth2.
  • requests for communication with external identity providers (such as token endpoint calls).
  • django-ratelimit to prevent brute-force attacks, with per-IP or per-username throttling.
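As an added illustration of the per-IP and per-username throttling described above, here is a small sliding-window login throttle. It is constructed example code, not django-hidp's or django-ratelimit's implementation; the class name, the limits and the injectable clock are choices made for the demo.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Sliding-window throttle keyed by client IP and by submitted username.

    Constructed illustration of per-IP / per-username throttling; it is not
    django-hidp's or django-ratelimit's code and keeps its state in memory,
    which only works for a single process.
    """

    def __init__(self, limit, window_seconds, clock=time.monotonic):
        self.limit = limit            # attempts allowed per key per window
        self.window = window_seconds  # sliding window length in seconds
        self.clock = clock            # injectable for deterministic tests
        self._hits = defaultdict(deque)  # key -> timestamps of recent attempts

    def _recent(self, key, now):
        """Drop timestamps that fell out of the window and return the queue."""
        q = self._hits[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def allow(self, ip, username):
        """Return True and record the attempt if both budgets have room.

        Blocked attempts are not recorded, so a client that keeps retrying
        does not push its own window further out. The IP key catches one
        address cycling through usernames, the username key catches many
        addresses targeting one account. The username is lower-cased so that
        'Alice' and 'alice' share one budget.
        """
        now = self.clock()
        keys = (f"ip:{ip}", f"user:{username.lower()}")
        queues = [self._recent(k, now) for k in keys]
        if any(len(q) >= self.limit for q in queues):
            return False
        for q in queues:
            q.append(now)
        return True

    def remaining(self, key):
        """Attempts still available for a raw key such as 'ip:10.0.0.1'."""
        return max(0, self.limit - len(self._recent(key, self.clock())))
```

Both keys are checked because a password spray from a single address exhausts the IP budget while a distributed attack on one account exhausts the username budget; either limit alone leaves the other pattern unthrottled. In a real deployment the counters must live in storage shared by all application processes; django-ratelimit keeps them in Django's cache backend, so the cache you configure there decides whether the limit is actually enforced fleet-wide.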

MFA / OTP

Multi-factor authentication is optional but supported for strong authentication:

  • django-otp integrates one-time password authentication into Django; it is flexible and extensible.
  • segno for generating QR codes that users can scan with their authenticator apps.
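To make concrete what the authenticator-app flow above involves, here is an added example of RFC 6238 TOTP generation and verification, plus the otpauth:// provisioning string that a QR library such as segno would encode. This is not code from django-hidp or django-otp (which implement all of this for you); the issuer and account names in the usage are constructed for the demo.

```python
import base64
import hmac
import struct
import time
import urllib.parse


def hotp(secret, counter, digits=6, algorithm="sha1"):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then the
    'dynamic truncation' step that picks 4 bytes at an offset taken from
    the last nibble of the MAC."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, for_time=None, step=30, digits=6, algorithm="sha1"):
    """RFC 6238 TOTP: HOTP with the counter = floor(unix_time / step)."""
    if for_time is None:
        for_time = int(time.time())
    return hotp(secret, for_time // step, digits, algorithm)


def verify_totp(secret, code, for_time=None, step=30, digits=6, window=1):
    """Accept the code for the current step or any of the +/- `window`
    neighbouring steps (tolerates small clock drift). Every candidate is
    compared in constant time so timing does not leak which digits matched."""
    if for_time is None:
        for_time = int(time.time())
    base = for_time // step
    return any(
        hmac.compare_digest(hotp(secret, base + drift, digits), code)
        for drift in range(-window, window + 1)
    )


def provisioning_uri(secret, account, issuer, digits=6, step=30):
    """The otpauth:// string an authenticator app expects to find in the
    enrolment QR code; a QR library such as segno renders exactly this
    text. The secret travels base32-encoded, unpadded."""
    params = {
        "secret": base64.b32encode(secret).decode().rstrip("="),
        "issuer": issuer,
        "algorithm": "SHA1",
        "digits": digits,
        "period": step,
    }
    label = urllib.parse.quote(f"{issuer}:{account}", safe="")
    return f"otpauth://totp/{label}?{urllib.parse.urlencode(params)}"
```

Two things the example deliberately leaves to the surrounding system: the drift window means a code stays valid for a short time after it is first used, so a verifier should also record the last accepted time step per user and refuse to accept an older or equal step again (django-otp's TOTP device keeps this bookkeeping), and the provisioning URI carries the raw secret, so it belongs only in the enrolment response, never in logs.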

OIDC / OAuth2

For federated authentication and for offering your own Identity Provider:

  • django-oauth-toolkit, the de-facto standard for OAuth2 support in Django, on which django-hidp builds.
  • djangorestframework is needed for the REST API endpoints (such as user info), including serialization and permissions.
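The ID token a relying party receives at the end of an OIDC flow is a JWT that has to be validated, not merely decoded. The following added example, written against the Python standard library with HS256 instead of with jwcrypto (the library django-hidp actually uses, and which also covers the RS256 keys most providers publish), shows the checks a verifier must make before trusting any claim: a pinned algorithm, a constant-time signature comparison, and issuer, audience and expiry validation. The key, issuer and client id used with it are constructed values, and none of this is django-hidp's own code.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url_encode(data):
    """Base64url without padding, as JOSE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text):
    """Inverse of b64url_encode; re-adds the padding that JOSE strips."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims, key):
    """Produce a compact JWS: header.payload.signature (HS256 for the demo)."""
    header = {"alg": "HS256", "typ": "JWT"}
    parts = [
        b64url_encode(json.dumps(x, separators=(",", ":")).encode())
        for x in (header, claims)
    ]
    sig = hmac.new(key, ".".join(parts).encode(), hashlib.sha256).digest()
    return f"{parts[0]}.{parts[1]}.{b64url_encode(sig)}"


def verify_id_token(token, key, issuer, audience, now=None):
    """Validate an ID token and return its claims; raise ValueError otherwise.

    The order matters: the algorithm is pinned and the signature checked
    before any claim is read, so an unsigned or re-signed payload never
    reaches the issuer/audience/expiry logic."""
    now = int(time.time()) if now is None else now
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("malformed token")
    h, p, s = segments
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":  # rejects 'none' and any other algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        raise ValueError("expired or missing exp")
    return claims


def is_valid_id_token(token, key, issuer, audience, now=None):
    """Boolean wrapper for callers that only need accept/reject.

    json.JSONDecodeError, UnicodeDecodeError and binascii.Error all derive
    from ValueError, so one except clause covers malformed input too."""
    try:
        verify_id_token(token, key, issuer, audience, now)
        return True
    except ValueError:
        return False
```

The expected algorithm is hard-coded on the verifier side rather than read from the token header; taking the header's word for it is what allows unsigned ("none") or key-confusion tokens to pass, and a library such as jwcrypto lets you express the same restriction by limiting the allowed algorithms when you verify. The `aud` check accepts both the string and list forms the OIDC Core specification permits.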

Current status and first steps

HIDP is currently in a soft-launch phase. The core functionality is ready for production and actively in use in multiple projects, but documentation and extensive examples will be further refined in the near future. Documentation can be found at: https://leukeleu.github.io/django-hidp

Contributions and collaboration

Whether you want to contribute code, improve documentation, or test the package in your projects: all involvement that puts security and privacy at the heart of your projects is highly appreciated!