Configs · May 24, 2026 · 1 min read

django-allauth — Comprehensive Authentication for Django

A battle-tested Django library providing local account registration, social login with 80+ providers, multi-factor authentication, and account management out of the box.

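Agent Ready

This asset can be read and installed directly by an agent.

TokRepo also provides a universal CLI command, an install contract, metadata JSON, adapter-specific install plans, and raw content links, so an agent can assess fit, risk, and next steps.

  • Native · 98/100 · Policy: allow
  • Agent entry point: any MCP/CLI agent
  • Type: Skill
  • Install: Single
  • Trust: trust level Established
  • Entry: django-allauth Overview

Universal CLI install command:
npx tokrepo install d9d1f4e0-578c-11f1-9bc6-00163e2b0d79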

Introduction

django-allauth is the most widely adopted authentication solution for Django projects. It handles the full lifecycle of user accounts including email verification, password reset, social login, and multi-factor authentication, eliminating the need to build these security-critical features from scratch.

What django-allauth Does

  • Manages local account registration with email verification and password policies
  • Integrates 80+ social authentication providers (Google, GitHub, Apple, SAML, OpenID Connect)
  • Supports multi-factor authentication via TOTP authenticator apps and recovery codes
  • Handles account linking when users sign in with multiple providers
  • Provides a headless API mode for single-page applications and mobile clients

Architecture Overview

django-allauth plugs into Django's authentication framework as a custom backend. It uses an adapter pattern to customize behavior (e.g., auto-signup, email verification flow). Social providers are configured via Django admin or settings, and OAuth flows are handled through callback views. The headless mode exposes JSON endpoints for frontend frameworks.

Self-Hosting & Configuration

  • Install via pip and add to INSTALLED_APPS with account and socialaccount modules
  • Run migrations: python manage.py migrate
  • Configure providers in Django admin under Social Applications (client ID, secret, callback URL)
  • Set ACCOUNT_EMAIL_VERIFICATION, ACCOUNT_AUTHENTICATION_METHOD, and login redirect URLs
  • Enable MFA by adding allauth.mfa to INSTALLED_APPS
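The steps above can be checked mechanically before deployment. The following is an added example, not code from django-allauth or from this page: a small audit over a settings mapping that flags the gaps that matter most for account security (verification not mandatory, MFA module absent, allauth backend or middleware not wired in). The helper name `audit_allauth_settings`, the sample dictionaries and the `/dashboard/` path are constructed for illustration; the backend and middleware dotted paths are the ones allauth's installation instructions use and do not appear on this page.

```python
# Added example: constructed settings, not the django-allauth project's code.
REQUIRED_APPS = ("allauth", "allauth.account", "allauth.socialaccount")
BACKEND = "allauth.account.auth_backends.AuthenticationBackend"
ACCOUNT_MIDDLEWARE = "allauth.account.middleware.AccountMiddleware"
LOGIN_METHODS = {"username", "email", "username_email"}


def audit_allauth_settings(cfg):
    """Return findings for a settings mapping (hypothetical helper)."""
    findings = []
    apps = cfg.get("INSTALLED_APPS", [])
    findings += [f"missing app: {a}" for a in REQUIRED_APPS if a not in apps]
    if "allauth.mfa" not in apps:
        findings.append("MFA not enabled: allauth.mfa missing from INSTALLED_APPS")
    if BACKEND not in cfg.get("AUTHENTICATION_BACKENDS", []):
        findings.append("allauth authentication backend not listed")
    if ACCOUNT_MIDDLEWARE not in cfg.get("MIDDLEWARE", []):
        findings.append("allauth AccountMiddleware not listed")
    # An unset value is reported too: only an explicit "mandatory" passes.
    verification = cfg.get("ACCOUNT_EMAIL_VERIFICATION", "unset")
    if verification != "mandatory":
        findings.append(f"email verification is {verification!r}, not 'mandatory'")
    method = cfg.get("ACCOUNT_AUTHENTICATION_METHOD")
    if method is not None and method not in LOGIN_METHODS:
        findings.append(f"unknown ACCOUNT_AUTHENTICATION_METHOD: {method!r}")
    return findings


# Constructed sample: installed, but verification optional and MFA left off.
WEAK = {
    "INSTALLED_APPS": ["allauth", "allauth.account", "allauth.socialaccount"],
    "AUTHENTICATION_BACKENDS": ["django.contrib.auth.backends.ModelBackend", BACKEND],
    "MIDDLEWARE": [ACCOUNT_MIDDLEWARE],
    "ACCOUNT_EMAIL_VERIFICATION": "optional",
}

# Constructed sample: the same project with the settings from the list tightened.
HARDENED = {
    **WEAK,
    "INSTALLED_APPS": WEAK["INSTALLED_APPS"] + ["allauth.mfa"],
    "ACCOUNT_EMAIL_VERIFICATION": "mandatory",
    "ACCOUNT_AUTHENTICATION_METHOD": "email",
    "LOGIN_REDIRECT_URL": "/dashboard/",
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_allauth_settings(cfg))
```

In a real project the mapping would be built from `django.conf.settings` rather than a literal dictionary.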

Key Features

  • 80+ social providers including OAuth2, OpenID Connect, SAML, and enterprise SSO
  • Headless mode provides a JSON API for React, Vue, and mobile apps without server-rendered templates
  • Multi-factor authentication with TOTP and WebAuthn passkey support
  • Account linking and disconnecting across multiple social identities
  • Extensible adapter system for customizing signup, login, and account management logic

Comparison with Similar Tools

  • Django built-in auth — only provides password-based login; allauth adds social login, email verification, MFA
  • django-social-auth (social-auth-app-django) — social login only; allauth combines local + social + MFA in one package
  • Auth.js (NextAuth) — similar multi-provider auth for Node.js; allauth is the Django equivalent
  • django-rest-auth / dj-rest-auth — REST API wrappers that often use allauth as the backend for the actual auth logic

FAQ

Q: Can I use django-allauth with Django REST Framework?
A: Yes. Enable headless mode (HEADLESS_ONLY=True) for pure API usage, or pair it with dj-rest-auth, which wraps allauth endpoints.

Q: How do I add a new social provider?
A: Install allauth, add the provider to INSTALLED_APPS, then create a Social Application in Django admin with your OAuth client credentials.

Q: Does it support passwordless login?
A: Yes. Configure ACCOUNT_LOGIN_BY_CODE_ENABLED for email-based one-time codes, or use WebAuthn passkeys via the MFA module.

Q: Is django-allauth suitable for multi-tenant applications?
A: Yes. Use the Django sites framework or custom adapters to scope providers and settings per tenant.
