{"id":2000,"library":"django-oauth-toolkit","title":"Django OAuth Toolkit","description":"Django OAuth Toolkit (DOT) is a Python library that provides OAuth2 capabilities to Django projects, offering out-of-the-box endpoints, data, and logic for robust authorization. It leverages OAuthLib to ensure RFC-compliance and is currently at version 3.2.0. The project is actively maintained with regular releases, supporting recent Django and Python versions.","status":"active","version":"3.2.0","language":"en","source_language":"en","source_url":"https://github.com/django-oauth/django-oauth-toolkit","tags":["django","oauth","oauth2","authentication","authorization","rest","openid-connect"],"install":[{"cmd":"pip install django-oauth-toolkit","lang":"bash","label":"Install stable version"}],"dependencies":[{"reason":"Core framework requirement, currently supports >=4.2, 5.0, 5.1, 5.2, or 6.0.","package":"Django","optional":false},{"reason":"Underlying OAuth2 protocol implementation, requires 3.2.2+.","package":"oauthlib","optional":false},{"reason":"Commonly used for building APIs and featured in quickstart examples, though not strictly required by DOT itself.","package":"djangorestframework","optional":true},{"reason":"Recommended for cross-origin requests, especially during development/testing, as shown in quickstart.","package":"django-cors-headers","optional":true}],"imports":[{"note":"Used to include Django OAuth Toolkit's URL patterns in your project's urls.py.","symbol":"urls","correct":"from oauth2_provider import urls as oauth2_urls"},{"note":"Required when overriding or directly referencing built-in views like AuthorizationView or TokenView.","symbol":"views","correct":"from oauth2_provider import views as oauth2_views"},{"note":"Use this to extend the default Application model with custom fields.","symbol":"AbstractApplication","correct":"from oauth2_provider.models import AbstractApplication"},{"note":"Essential for token-based authentication in Django's middleware stack.","symbol":"OAuth2TokenMiddleware","correct":"from oauth2_provider.middleware import OAuth2TokenMiddleware"},{"note":"Enables OAuth2 authentication for Django's authentication backends.","symbol":"OAuth2Backend","correct":"from oauth2_provider.backends import OAuth2Backend"}],"quickstart":{"code":"import os\n\n# settings.py\nINSTALLED_APPS = [\n    # ... other apps\n    'django.contrib.admin',\n    'django.contrib.auth',\n    'django.contrib.contenttypes',\n    'django.contrib.sessions',\n    'oauth2_provider',\n    'corsheaders', # If using django-cors-headers\n]\n\nMIDDLEWARE = [\n    'django.middleware.security.SecurityMiddleware',\n    'django.contrib.sessions.middleware.SessionMiddleware',\n    'corsheaders.middleware.CorsMiddleware', # If using django-cors-headers\n    'django.middleware.common.CommonMiddleware',\n    'django.middleware.csrf.CsrfViewMiddleware',\n    'django.contrib.auth.middleware.AuthenticationMiddleware',\n    'oauth2_provider.middleware.OAuth2TokenMiddleware',\n    'django.contrib.messages.middleware.MessageMiddleware',\n    'django.middleware.clickjacking.XFrameOptionsMiddleware',\n]\n\nAUTHENTICATION_BACKENDS = [\n    'oauth2_provider.backends.OAuth2Backend',\n    'django.contrib.auth.backends.ModelBackend', # Required for Django admin login\n]\n\n# urls.py\nfrom django.contrib import admin\nfrom django.urls import include, path\nfrom oauth2_provider import urls as oauth2_urls\n\nurlpatterns = [\n    path('admin/', admin.site.urls),\n    path('o/', include(oauth2_urls)),\n    # Your other app URLs\n]\n\n# Configure CORS if needed (e.g., for local development or specific clients)\nCORS_ORIGIN_ALLOW_ALL = True # WARNING: Set to specific origins in production\n","lang":"python","description":"To quickly set up Django OAuth Toolkit, first install it along with `django-cors-headers` (if needed for cross-origin requests). Add `oauth2_provider` and `corsheaders` to `INSTALLED_APPS`. Configure `MIDDLEWARE` to include `OAuth2TokenMiddleware` and `CorsMiddleware`. Add `OAuth2Backend` to `AUTHENTICATION_BACKENDS`. Finally, include `oauth2_provider` URLs in your project's `urls.py`. Remember to run `python manage.py makemigrations` and `python manage.py migrate` to apply database changes. After migration, you can register OAuth2 applications via the Django admin at `/o/applications/`."},"warnings":[{"fix":"Run `python manage.py migrate` after upgrading. If using custom swappable models, ensure they are compatible with the new base model and create/apply migrations for them (e.g., `python manage.py makemigrations your_app_name`). Also note minimum Django version is 4.2+ for 3.x.","message":"Upgrading to version 3.0.0 or later requires running `manage.py migrate` due to significant changes in the `AbstractAccessToken` model. Custom swappable models based on `AbstractAccessToken` will also need to be updated and re-migrated.","severity":"breaking","affected_versions":">=3.0.0"},{"fix":"When creating/editing an application, copy the client secret before saving if you need its unhashed value. For clients not supporting PKCE, set `OAUTH2_PROVIDER = {'PKCE_REQUIRED': False}` in your Django settings to revert to the pre-2.x behavior. It is recommended to implement PKCE where possible for enhanced security.","message":"Beginning with version 2.0.0, client secrets are hashed upon save. If you need the cleartext secret (e.g., for testing or specific OIDC configurations), you must copy it *before* saving an application in the Django admin. Also, `PKCE_REQUIRED` is now `True` by default, leading to 'invalid_client' errors for clients not using PKCE.","severity":"breaking","affected_versions":">=2.0.0"},{"fix":"No direct code change is typically required for existing installations. Be aware of the new organization when seeking support, contributing, or referencing project repositories.","message":"The project transitioned from the `jazzband` GitHub organization to `django-oauth` starting with version 3.1.0. While the PyPI package name (`django-oauth-toolkit`) remains the same, this indicates a change in project governance and potentially development practices.","severity":"gotcha","affected_versions":">=3.1.0"},{"fix":"Ensure your custom application model is defined and its migrations are created and applied (potentially with a `run_before` dependency on `oauth2_provider`'s initial migration) before running `python manage.py migrate` for `oauth2_provider`.","message":"If you plan to use a custom `Application` model (by setting `OAUTH2_PROVIDER_APPLICATION_MODEL` in settings), you *must* define and run the migration for your custom model *before* running the initial `oauth2_provider` migrations. Failing to do so will result in system check errors.","severity":"gotcha","affected_versions":"*"}],"env_vars":null,"last_verified":"2026-04-09T00:00:00.000Z","next_check":"2026-07-08T00:00:00.000Z"}