Description
Code of Conduct
- I agree to follow Django's Code of Conduct
Feature Description
(This is a split from #10)
Problem
Django has a builtin authentication system, but it doesn't cover features that should be present in any authentication system (e.g. 2FA), as per NIST suggestions. It is fine for local testing and production services categorised at AAL1 level, but anything above that requires 3rd party packages (django-allauth comes to mind as an example of a very robust and feature rich package).
I understand that Django can't just merge django-allauth and call it a day. A framework has a radically different release schedule compared to a 3rd party package, and supporting oauth with XYZ service (which would require hardcoding URLs of external services) feels like a stretch, but maybe there could be a middle ground. Maybe Django can integrate into its core some parts of django-allauth?
Request or proposal
Request changes for Django to implement / provide out of the box:
- at least basic password-related functionality (user registration, password recovery, etc...)
- secure authentication mechanisms (2FA / MFA; maybe hardware authentication, eg. yubikeys)
- stateless authentication (jwt creation, refresh, invalidation, etc...)
I would suggest trying to integrate the core (features) of django-allauth.
Additional Details
No response
Implementation Suggestions
No response