[Discovery] Evaluate pros/cons of switching to django-allauth #32371

Open
jmbowman opened this issue Jun 5, 2023 · 1 comment

@jmbowman

jmbowman commented Jun 5, 2023

edx-platform currently uses Python Social Auth to allow users to authenticate via Facebook, Twitter, Apple ID, etc. It works, but we frequently hit bugs and corner cases in this code that trigger support incidents, and there have been many times where upgrades have been difficult or introduced regressions. There's actually a more popular solution for this functionality, django-allauth, which may be worth considering a migration to. Some factors in favor of switching:

  • django-allauth is far more popular than Python Social Auth: 4x the GitHub stars, 6x the user count on Django Packages, 8x as many forks of the repository, 5x the number of GitHub repos using it, etc. https://djangopackages.org/grids/g/authentication/ includes these and other relevant stats. And because Python Social Auth supports several different web frameworks, django-allauth is even more dominant when only counting Django projects.
  • django-allauth is maintained by a Dutch software company which offers commercial support.
  • Python Social Auth has a banner and open issue begging for new maintainers and openly admitting that the project has stagnated.
  • Both projects have a bus factor problem (one dominant contributor), but django-allauth still has its original primary contributor; the original Python Social Auth maintainer has moved on and handed the project over to a significantly less active maintainer.

Some factors against switching:

  • There's no clear migration path, although we could potentially hire the django-allauth maintainer to prepare one for us.
  • It's hard to determine if we'd actually encounter fewer problems with the new choice moving forward. We might even encounter new issues that we don't suffer with our current framework.
  • We're not sure we even want to be maintaining our own full-featured authentication stack; we may be better off choosing a separate open source authentication service like the ones mentioned in https://discuss.openedx.org/t/the-future-of-open-edx-authentication/10013 .

There's no pressing need to accelerate a switch right now, but this ticket can serve as a place to capture notes on incidents that make us want to more seriously consider it. If there are no such incidents after a year or so, we may just want to close this and stick with what we have.

@timmc-edx

The main issue that I can recall with python-social-auth was that 3.4.0 took over 6 months and repeated nudges to be released (python-social-auth/social-core#485), so we had to use a git-dependency and later a vendored copy of a file. In the meantime, there were test failures and an important bugfix on master.

(There may have also been a change to how ports were handled in SAML URLs that caused a problem for us, but I'm not sure this was actually due to a bug or undocumented breaking change in the library.)
