django-browserid¶

How does it work?¶

At a high level, this is what happens when a user wants to log into a site that uses django-browserid:

1. A user clicks a login button on your web page.
2. The JavaScript shim (hosted by Persona) displays a pop-up asking for the email address the user wants to log in with.
3. If necessary, the pop-up prompts the user for additional info to authenticate them. For example, if the user enters an @mozilla.com email, the Mozilla LDAP Identity Provider will prompt them for their LDAP password.
4. The JavaScript receives an “assertion” from the Identity Provider and submits it to the site’s backend via AJAX.
5. The backend sends the assertion to the Remote verification service, which verifies the assertion and returns the result, including the email address of the user if verification was successful.
6. The backend finds a user account matching that email (creating it if one isn’t found) and logs the user in as that account.
7. The backend returns a URL that the JavaScript redirects the user to.

Note that this is just an example flow. Several of these steps can be customized for your site; for example, you may not want user accounts to be created automatically. This behavior can be changed to suit whatever needs you have.

A detailed explanation of the BrowserID protocol is available on MDN.

Persona¶

By default, django-browserid relies on Persona, which is a set of BrowserID-related services hosted by Mozilla. It’s possible, but annoying, to use django-browserid without these dependencies.

Currently, django-browserid relies on Persona for:

• The Cross-browser API Library, which implements the navigator.id API for browsers that don’t natively support BrowserID.
• The Fallback Identity Provider for emails from servers that don’t support BrowserID.
• The Remote verification service, which handles assertion verification for sites that don’t want to verify assertions themselves.

In the future, django-browserid will remove the need to depend on these Mozilla-centric services. Local verification and a self-hosted cross-browser API will greatly reduce the reliance on Mozilla’s servers for authentication.

Installation¶

You can use pip to install django-browserid and requirements:

$ pip install django-browserid

Configuration¶

After installation, you’ll need to configure your site to use django-browserid. Start by making the following changes to your settings.py file:

# Add 'django_browserid' to INSTALLED_APPS.
INSTALLED_APPS = (
    # ...
    'django.contrib.auth',
    'django_browserid',  # Load after auth
    # ...
)

# Add the django_browserid authentication backend.
AUTHENTICATION_BACKENDS = (
   # ...
   'django.contrib.auth.backends.ModelBackend',
   'django_browserid.auth.BrowserIDBackend',
   # ...
)

Next, edit your urls.py file and add the following:

urlpatterns = patterns('',
    # ...
    (r'', include('django_browserid.urls')),
    # ...
)

Finally, you’ll need to add the login button and info tag to your Django templates, along with the CSS and JS files necessary to make it work:

{% load browserid %}
<html>
  <head>
    <link rel="stylesheet" src="{% static 'browserid/persona-buttons.css' %}">
  </head>
  <body>
    {% browserid_info %}
    {% if user.is_authenticated %}
      <p>Current user: {{ user.email }}</p>
      {% browserid_logout text='Logout' %}
    {% else %}
      {% browserid_login text='Login' color='dark' %}
    {% endif %}

    <script src="https://code.jquery.com/jquery-1.9.1.min.js"></script>
    <script src="https://login.persona.org/include.js"></script>
    <script src="{% static 'browserid/api.js' %}"></script>
    <script src="{% static 'browserid/browserid.js' %}"></script>
  </body>
</html>

And that’s it! You can now log into your site using Persona!

Once you’re ready, you should check out how to customize django-browserid to your liking.

Note for Jinja2 / Jingo Users¶

If you’re using Jinja2 via jingo, here’s a version of the example above written in Jinja2:

<html>
  <head>
    {{ browserid_css() }}
  </head>
  <body>
    {{ browserid_info() }}
    {% if user.is_authenticated() %}
      <p>Current user: {{ user.email }}</p>
      {{ browserid_logout(text='Logout') }}
    {% else %}
      {{ browserid_login(text='Login', color='dark') }}
    {% endif %}

    <script src="https://code.jquery.com/jquery-1.9.1.min.js"></script>
    {{ browserid_js() }}
  </body>
</html>

Customizing the Verify View¶

Many common customizations involve overriding methods on the Verify class. But how do you use a custom Verify subclass?

You can substitute a custom verification view by setting BROWSERID_VERIFY_VIEW to the import path for your view:

BROWSERID_VERIFY_VIEW = 'project.application.views.MyCustomVerifyView'

Customizing the Authentication Backend¶

Another common way to customize django-browserid is to subclass BrowserIDBackend. To use a custom BrowserIDBackend class, simply use the python path to your custom class in the AUTHENTICATION_BACKENDS setting instead of the path to BrowserIDBackend.

Post-login Response¶

After logging the user in, the default view redirects the user to LOGIN_REDIRECT_URL or LOGIN_REDIRECT_URL_FAILURE, depending on if login succeeded or failed. You can modify those settings to change where they are redirected to.

You can also override the success_url <django_browserid.views.Verify.success_url and failure_url <django_browserid.views.Verify.failure_url properties on the Verify view if you need more control over how the redirect URLs are retrieved.

If you need to control the entire response to the Verify view, such as when you’re using custom JavaScript, you’ll want to override login_success <django_browserid.views.Verify.login_success and login_failure <django_browserid.views.Verify.login_failure.

Automatic User Creation¶

If a user signs in with an email that doesn’t match an existing user, django-browserid automatically creates a new User object for them that is tied to their email address. You can disable this behavior by setting BROWSERID_CREATE_USER to False, which will cause authentication to fail if a user signs in with an unrecognized email address.

If you want to customize how new users are created (perhaps you want to generate a display name for them), you can override the create_user method on BrowserIDBackend:

from django_browserid.auth import BrowserIDBackend

class CustomBackend(BrowserIDBackend):
    def create_user(self, email):
        username = my_custom_username_algo()
        return self.User.objects.create_user(username, email)

Limiting Authentication¶

There are two ways to limit who can authenticate with your site: prohibiting certain email addresses, or filtering the queryset that emails are compared to.

from django_browserid.auth import BrowserIDBackend

class CustomBackend(BrowserIDBackend):
    def filter_users_by_email(self, email):
        # Only allow staff users to login.
        return self.User.objects.filter(email=email, is_staff=True)

Custom User Models¶

Django allows you to use a custom User model for authentication <custom_user_model>. If you are using a custom User model, and the model has an email attribute that can store email addresses, django-browserid should work out-of-the-box for you.

If this isn’t the case, then you will probably have to override the is_valid_email <django_browserid.auth.BrowserIDBackend.is_valid_email, filter_users_by_email <django_browserid.auth.BrowserIDBackend.filter_users_by_email, and create_user methods to work with your custom User class.

Using the JavaScript API¶

django-browserid comes with two JavaScript files to include in your webpage:

1. api.js: An API for triggering logins via BrowserID and verifying assertions via the server.
2. browserid.js: A basic example of hooking up links with the JavaScript API.

browserid.js only covers basic use cases. If your site has more complex behavior behind trigger login, you should replace browserid.js in your templates with your own JavaScript file that uses the django-browserid JavaScript API.

Django Admin Support¶

If you want to use BrowserID for login on the built-in Django admin interface, you must use the django-browserid admin site instead of the default Django admin site:

from django.contrib import admin

from django_browserid.admin import site as browserid_admin

from myapp.foo.models import Bar


class BarAdmin(admin.ModelAdmin):
    pass
browserid_admin.register(Bar, BarAdmin)

You must also use the django-browserid admin site in your urls.py file:

from django.conf.urls import patterns, include, url

# Autodiscover admin.py files in your project.
from django.contrib import admin
admin.autodiscover()

# copy_registry copies ModelAdmins registered with the default site, like
# the built-in Django User model.
from django_browserid.admin import site as browserid_admin
browserid_admin.copy_registry(admin.site)

urlpatterns = patterns('',
    # ...
    url(r'^admin/', include(browserid_admin.urls)),
)

Alternative Template Languages¶

By default, django-browserid supports use in Django templates as well as use in Jinja2 templates via the jingo library. Template helpers are registered as helper functions with jingo, so you can use them directly in Jinja2 templates:

<div class="authentication">
  {% if user.is_authenticated() %}
    {{ browserid_logout(text='Logout') }}
  {% else %}
    {{ browserid_login(text='Login', color='dark') }}
  {% endif %}
</div>
{{ browserid_js() }}

For other libraries or template languages, you will have to register the django-browserid helpers manually. The relevant helper functions can be found in the django_browserid.helpers module.

Core Settings¶

django.conf.settings.BROWSERID_AUDIENCES¶

Default:	No default

List of audiences that your site accepts. An audience is the protocol, domain name, and (optionally) port that users access your site from. This list is used to determine the audience a user is part of (how they are accessing your site), which is used during verification to ensure that the assertion given to you by the user was intended for your site.

Without this, other sites that the user has authenticated with via Persona could use their assertions to impersonate the user on your site.

Note that this does not have to be a publicly accessible URL, so local URLs like http://localhost:8000 or http://127.0.0.1 are acceptable as long as they match what you are using to access your site.

Redirect URLs¶

django.conf.settings.LOGIN_REDIRECT_URL¶

Default:	'/accounts/profile'

Path to redirect to on successful login. If you don’t specify this, the default Django value will be used.

django.conf.settings.LOGIN_REDIRECT_URL_FAILURE¶

Default:	'/'

Path to redirect to on an unsuccessful login attempt.

django.conf.settings.LOGOUT_REDIRECT_URL¶

Default:	'/'

Path to redirect to on logout.

Customizing the Login Popup¶

django.conf.settings.BROWSERID_REQUEST_ARGS¶

Default:	{}

Controls the arguments passed to navigator.id.request, which are used to customize the login popup box. To see a list of valid keys and what they do, check out the navigator.id.request documentation.

Customizing the Verify View¶

django.conf.settings.BROWSERID_VERIFY_VIEW¶

Default:	django_browserid.views.Verify

Allows you to substitute a custom class-based view for verifying assertions. For example, the string ‘myapp.users.views.Verify’ would import Verify from myapp.users.views and use it in place of the default view.

When using a custom view, it is generally a good idea to subclass the default Verify and override the methods you want to change.

django.conf.settings.BROWSERID_CREATE_USER¶

Default:	True

If True or False, enables or disables automatic user creation during authentication. If set to a string, it is treated as an import path pointing to a custom user creation function.

django.conf.settings.BROWSERID_DISABLE_SANITY_CHECKS¶

Default:	False

Controls whether the Verify view performs some helpful checks for common mistakes. Useful if you’re getting warnings for things you know aren’t errors.

Using a Different Identity Provider¶

django.conf.settings.BROWSERID_SHIM¶

Default:	‘https://login.persona.org/include.js‘

The URL to use for the BrowserID JavaScript shim.

0.9 to 0.10.1¶

• The minimum supported version of requests is now 1.0.0, and six has been removed from the requirements.

• Replace the SITE_URL setting with BROWSERID_AUDIENCES, which is essentially the same setting, but must be a list of strings (wrapping your old SITE_URL value with square brackets to make it a list is fine):

  BROWSERID_AUDIENCES = ['https://www.example.com']
  

  • On local development installs, you can remove SITE_URL entirely, as BROWSERID_AUDIENCES isn’t required when DEBUG is True.

• In your root urlconf, remove any regex in front of the include for django-browserid urls. Because the new JavaScript relies on views being available at certain URLs, you must not change the path that the django-browserid views are served:

  urlpatterns = patterns('',
      # ...
      (r'', include('django_browserid.urls')),
      # ...
  )
  

• browserid.js has been split into api.js, which contains just the JavaScript API, and browserid.js, which contains the sample code for hooking up login buttons. If you aren’t using the browserid_js helper to include the JavaScript on the page, you probably need to update your project to either include both or just api.js.

0.8 to 0.9¶

• Six v1.3 or higher is now required.

0.7.1 to 0.8¶

• fancy_tag 0.2.0 has been added to the required libraries.

• Rename the browserid_form context processor to browserid in the TEMPLATE_CONTEXT_PROCESSORS setting:

  TEMPLATE_CONTEXT_PROCESSORS = (
      # ...
      'django_browserid.context_processors.browserid',
      # ...
  )
  

• Replace custom login button code with the new template helpers, browserid_info, browserid_login, and browserid_logout.

  • browserid_info should be added just below <body> on any page that includes a login button.
  • browserid_login and browserid_logout output login and logout links respectively.

• It’s now recommended to include the JavaScript for the login buttons using the browserid_js helper, which outputs the appropriate <script> tags.

• The included JavaScript requires jQuery 1.7 or higher instead of jQuery 1.6.

Logging Errors¶

Before you do anything else, check to see if django-browserid is logging issues by setting up a logger for django_browserid in your logging config. Here’s a sample config that will log messages from django-browserid to the console:

LOGGING = {
   'version': 1,
   'handlers': {
       'console':{
           'level': 'DEBUG',
           'class': 'logging.StreamHandler'
       },
   },
   'loggers': {
       'django_browserid': {
           'handlers': ['console'],
           'level': 'DEBUG',
       }
   },
}

Nothing happens when clicking the login button¶

If nothing happens when you click the login button on your website, check that you’ve included api.js and browserid.js on your webpage:

<script src="{% static 'browserid/api.js' %}"></script>
<script src="{% static 'browserid/browserid.js' %}"></script>

CSP_SCRIPT_SRC = ("'self'", 'https://login.persona.org')
CSP_FRAME_SRC = ("'self'", 'https://login.persona.org')

Login fails silently after the Persona popup closes¶

There are a few reasons why login may fail without an error message after the Persona popup closes:

SESSION_COOKIE_SECURE = False

CACHES = {
    'default': {
        'BACKEND': 'django.core.cache.backends.locmem.LocMemCache',
        'LOCATION': 'unique-snowflake'
    }
}

Login fails with an error message on a valid account¶

If you see a login error page after attempting to login, but you know that your Persona account is valid and should be able to login, check for these issues:

# settings.py
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTOCOL', 'https')

# nginx config
location / {
    proxy_pass http://127.0.0.1:8000;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Protocol https; # Tell django we're using https
}

Still having issues? Ask for help!¶

If your issue isn’t listed above and you’re having trouble tracking it down, you can try asking for help from:

• The #webdev channel on irc.mozilla.org,
• The dev-webdev@lists.mozilla.org mailing list,
• or by emailing the maintainers directly.

Template Helpers¶

Template helpers are the functions used in your templates that output HTML for login and logout buttons, as well as the CSS and JS tags for making the buttons function and display correctly.

django_browserid.helpers.browserid_info()¶

Output the HTML for the info tag, which contains the arguments for navigator.id.request from the BROWSERID_REQUEST_ARGS setting. Should be called once at the top of the page just below the <body> tag.

django_browserid.helpers.browserid_login(text='Sign in', color=None, next=None, link_class='browserid-login persona-button', attrs=None, fallback_href='#')¶

Output the HTML for a BrowserID login link.

Parameters:

text – Text to use inside the link. Defaults to ‘Sign in’, which is not localized. color – Color to use for the login button; this will only work if you have included the default CSS provided by django_browserid.helpers.browserid_css(). Supported colors are: ‘dark’, ‘blue’, and ‘orange’. next – URL to redirect users to after they login from this link. If omitted, the LOGIN_REDIRECT_URL setting will be used. link_class – CSS class for the link. Defaults to browserid-login persona-button. attrs – Dictionary of attributes to add to the link. Values here override those set by other arguments. If given a string, it is parsed as JSON and is expected to be an object. fallback_href – Value to use for the href of the link. If the user has disabled JavaScript, the login link will bring them to this page, which can be used as a non-JavaScript login fallback.

django_browserid.helpers.browserid_logout(text='Sign out', next=None, link_class='browserid-logout', attrs=None)¶

Output the HTML for a BrowserID logout link.

Parameters:	text – Text to use inside the link. Defaults to ‘Sign out’, which is not localized. link_class – CSS class for the link. Defaults to browserid-logout. attrs – Dictionary of attributes to add to the link. Values here override those set by other arguments. If given a string, it is parsed as JSON and is expected to be an object.

django_browserid.helpers.browserid_js(include_shim=True)¶

Return <script> tags for the JavaScript required by the BrowserID login button. Requires use of the staticfiles app.

Parameters:	include_shim – A boolean that determines if the persona.org JavaScript shim is included in the output. Useful if you want to minify the button JavaScript using a library like django-compressor that can’t handle external JavaScript.

django_browserid.helpers.browserid_css()¶

Return <link> tag for the optional CSS included with django-browserid. Requires use of the staticfiles app.

Admin Site¶

Admin site integration allows you to support login via django-browserid on the Django built-in admin interface.

class django_browserid.admin.BrowserIDAdminSite(name='admin', app_name='admin')¶

Support logging in to the admin interface via BrowserID.

include_password_form = False¶

If True, include the normal username and password form as well as the BrowserID button.

copy_registry(site)¶

Copy the ModelAdmins that have been registered on another site so that they are available on this site as well.

Useful when used with django.contrib.admin.autocomplete(), allowing you to copy the ModelAdmin entries registered with the default site, such as the User ModelAdmin. For example, in urls.py:

from django.contrib import admin
admin.autodiscover()

from django_browserid.admin import site as browserid_admin
browserid_admin.copy_registry(admin.site)

# To include: url(r'^admin/', include(browserid_admin.urls))

Parameters:	site – Site to copy registry entries from.

django_browserid.admin.site¶

Global object for the common case. You can import this in admin.py and urls.py instead of django.contrib.admin.site.

Views¶

django-browserid works primarily through AJAX requests to the views below in order to log users in and out and to send information required for the login process, such as a CSRF token.

class django_browserid.views.Verify(**kwargs)¶

Bases: django_browserid.views.JSONView

Send an assertion to the remote verification service, and log the user in upon success.

failure_url¶

URL to redirect users to when login fails. This uses the value of settings.LOGIN_REDIRECT_URL_FAILURE, and defaults to '/' if the setting doesn’t exist.

success_url¶

URL to redirect users to when login succeeds. This uses the value of settings.LOGIN_REDIRECT_URL, and defaults to '/' if the setting doesn’t exist.

login_success()¶

Log the user into the site.

login_failure(error=None)¶

Redirect the user to a login-failed page.

Parameters:	error – If login failed due to an error raised during verification, this will be the BrowserIDException instance that was raised.

post(*args, **kwargs)¶

Send the given assertion to the remote verification service and, depending on the result, trigger login success or failure.

dispatch(request, *args, **kwargs)¶

Run some sanity checks on the request prior to dispatching it.

class django_browserid.views.Logout(**kwargs)¶

Bases: django_browserid.views.JSONView

redirect_url¶

URL to redirect users to post-login. Uses settings.LOGOUT_REDIRECT_URL and defaults to / if the setting isn’t found.

post(request)¶

Log the user out.

class django_browserid.views.CsrfToken(**kwargs)¶

Bases: django_browserid.views.JSONView

Fetch a CSRF token for the frontend JavaScript.

Signals¶

django_browserid.signals.user_created¶

Signal triggered when a user is automatically created during authentication.

Parameters:	sender – The function that created the user instance. user – The user instance that was created.

Exceptions¶

exception django_browserid.base.BrowserIDException(exc)¶

Raised when there is an issue verifying an assertion.

exc = None¶

Original exception that caused this to be raised.

Verification¶

The verification classes allow you to verify if a user-provided assertion is valid according to the Identity Provider specified by the user’s email address. Generally you don’t have to use these directly, but they are available for sites with complex authentication needs.

class django_browserid.RemoteVerifier¶

Verifies BrowserID assertions using a remote verification service.

By default, this uses the Mozilla Persona service for remote verification.

verify(assertion, audience, **kwargs)¶

Verify an assertion using a remote verification service.

Parameters:	assertion – BrowserID assertion to verify. audience – The protocol, hostname and port of your website. Used to confirm that the assertion was meant for your site and not for another site. kwargs – Extra keyword arguments are passed on to requests.post to allow customization.
Returns:	VerificationResult
Raises:	BrowserIDException: Error connecting to the remote verification service, or error parsing the response received from the service.

class django_browserid.MockVerifier(email, **kwargs)¶

Mock-verifies BrowserID assertions.

__init__(email, **kwargs)¶

Parameters:	email – Email address to include in successful verification result. If None, verify will return a failure result. kwargs – Extra keyword arguments are used to update successful verification results. This allows for mocking attributes on the result, such as the issuer.

verify(assertion, audience, **kwargs)¶

Mock-verify an assertion. The return value is determined by the parameters given to the constructor.

class django_browserid.VerificationResult(response)¶

Result of an attempt to verify an assertion.

VerificationResult objects can be treated as booleans to test if the verification succeeded or not.

The fields returned by the remote verification service, such as email or issuer, are available as attributes if they were included in the response. For example, a failure result will raise an AttributeError if you try to access the email attribute.

expires¶

The expiration date of the assertion as a naive datetime.datetime in UTC.

django_browserid.get_audience(request)¶

Determine the audience to use for verification from the given request.

Relies on the BROWSERID_AUDIENCES setting, which is an explicit list of acceptable audiences for your site.

Returns:	The first audience in BROWSERID_AUDIENCES that has the same origin as the request’s URL.
Raises:	django.core.exceptions.ImproperlyConfigured: If BROWSERID_AUDIENCES isn’t defined, or if no matching audience could be found.

Get the code¶

You can check out the code from the github repository:

git clone git://github.com/mozilla/django-browserid.git
cd django-browserid

It is a good idea to create a virtualenv (the example here uses virtualenvwrapper) for isolating your development environment. To create a virtualenv and install all development packages:

mkvirtualenv django-browserid
pip install -r requirements.txt

Running tests¶

To check if your changes break any existing functionality, you can run the test suite:

./setup.py test

Before submitting a pull request, you should run the test suite in all the Django/Python combinations that we support. We support running the tests in all these combinations via tox:

pip install tox
tox

Documenation¶

If you make changes to the documentation, you can build it locally with this command:

make -C docs/ html

The generated files can be found in docs/_build/html.

JavaScript Tests¶

To run the JavaScript tests, you must have node.js installed. Then, use the npm command to install the test dependencies:

npm install

After that, you can run the JavaScript tests with the following command from the repo root:

npm test

Reporting Issues¶

We use Github Issues to track issues and bugs for django-browserid.

Development Guidelines¶

• Python code should be covered by unit tests. JavaScript code for the JavaScript API should be covered by unit tests. We don’t yet have tests for non-API JavaScript code, so manual testing is recommended currently.
• Python code should follow Mozilla’s general Webdev guidelines. The same goes for our JavaScript guidelines and CSS guidelines.
  • As allowed by PEP8, we use 99-characters-per-line for Python code and 72-characters-per-line for documentation/comments. Feel free to break these guidelines for readability if necessary.

Submitting a Pull Request¶

When submitting a pull request, make sure to do the following:

• Check that the Python and JavaScript tests pass in all environments. Running the Python tests in all environments is easy using tox:

  $ pip install tox
  $ tox
  

  Running the JavaScript tests requires node.js. To install the test dependencies and run the test suite:

  $ npm install
  $ npm test
  

• Make sure to include new tests or update existing tests to cover your changes.

• If you haven’t, add your name, username, or alias to the AUTHORS.rst file as a contributor.

Additional Resources¶

• IRC: #webdev on irc.mozilla.org.
• Mailing list: dev-webdev@lists.mozilla.org.

History¶

Current Maintainers¶

• Michael Kelly <mkelly@mozilla.com>
• Will Kahn-Greene <willkg@mozilla.com>
• Peter Bengtsson <peterbe@mozilla.com>

Previous Maintainers¶

• Paul Osman
• Austin King
• Ben Adida

Patches and Suggestions¶

• Thomas Grainger
• Owen Coutts
• Francois Marier
• Andy McKay
• Giorgos Logiotatidis
• Alexis Metaireau
• Rob Hudson
• Ross Bruniges
• Les Orchard
• Charlie DeTar
• Luke Crouch
• shaib
• Kumar McMillan
• Carl Meyer
• ptgolden
• Will Kahn-Greene
• Allen Short
• meehow
• Greg Koberger
• Niran Babalola
• callmekatootie
• Paul Mclanahan
• JR Conlin
• Prasoon Shukla
• Peter Bengtsson
• Javed Khan
• Kalail (Kashif Malik)
• Richard Mansfield
• Francesco Pischedda
• Edward Abraham
• Eric Holscher
• mvasilkov