Advice for OAuth2 and SAML Integrations with Django and DRF

Hi All,

Here’s to a safe and happy 2021!

I’ve reached a point where I’m having to start authenticating users against third-party authentication and authorisation services. My project is an education tool and is used in different schools, hence different auth systems.

My first and most pressing requirement is authenticating against google, albeit it only for specific domains. This is pretty straightforward with Django allauth. Permitting only users that come from predefined domains or users that have an account on the system itself is done by using an account adapter. Where I am struggling to find a good solution is that I wish to authenticate the user by way of a returning an access and a refresh token with DRF, and not a session cookie. Admitedly, I’ve only really just started to dive into the allauth source code, but I am getting a bit lost as I attempt to traverse my way through the social auth process.

With that being said, the above is my first problem and I’m wondering if any of you have any good tips around such a use case?

I’ve read this post: How to integrate Social Authentication in a Django Rest back-end project and I am starting to consider python-social-auth as it looks to be a bit simpler to integrate into my own code, or so I think. My hesitation however is that allauth is such a mature and well maintained codebase that it seems like a good idea to stick with it, if possible.

My second objective is to build an auth system that supports almost everything bar the kitchen sink. It will be a longer process, but something which I must start designing now.

My Requirements

  • Provide admin auth to django admin as per the standard django auth for admin users such as myself (done)
  • Let users get their access and refresh tokens from DRF (done) using their local accounts
  • MFA for both of the above
  • Integrate with Google for school X, ADFS for school Y etc
  • Integrate with CAS (OAuth2 protocol)
  • And very likely integrate with SAML

My thinking is that I will have to approach this on an app by app basis, i.e. built or integrate the MFA (probably OTP) django app, then work on the other OAuth2 providers such as ADFS and CAS, and finally, build or integrate a SAML solution.

Right, there’s a tonne of stuff here and by no means am I expecting definitive answers and solutions, but I am hopeful for some general advice, docs to read, traps to avoid etc.

Any help, as always, is much appreciated.