Educational

Authentication and Authorization in Django

by

Saim Khalid
in

Web applications often require managing users, verifying their identities, and controlling what actions they can perform. Django, being a high-level Python web framework, offers a robust and flexible authentication and authorization system built right into its core. This system takes care of the most critical security features of any modern application — allowing you to handle user registration, login, logout, permissions, and user groups without reinventing the wheel.

In this detailed post, we’ll explore Django’s authentication and authorization system step by step — understanding its architecture, built-in components, and how it simplifies building secure user-based web applications.

1. Understanding Authentication and Authorization

The terms authentication and authorization are often used together, but they represent two distinct concepts:

  • Authentication: The process of verifying a user’s identity. It answers the question — “Who are you?”
  • Authorization: The process of determining what actions an authenticated user can perform. It answers the question — “What are you allowed to do?”

For example, when a user logs into a Django website with their username and password, Django verifies the credentials (authentication). After that, Django checks what permissions this user has (authorization) — for instance, whether they can access the admin panel or modify certain data.

Django’s built-in system handles both of these concerns seamlessly and provides ready-to-use APIs and tools to manage users, sessions, and permissions.

2. Django’s Built-in Authentication Framework

Django’s authentication framework is included by default in new projects. It is modular, flexible, and designed to be extensible. The framework provides:

  1. A User model to represent and manage users.
  2. Authentication backends to handle user verification.
  3. Views and forms for login and logout.
  4. Password hashing and secure password management.
  5. Permission and group management for role-based access control.
  6. Session handling for tracking logged-in users.

To use these features, ensure that the authentication system is enabled in your project’s settings.

3. Setting Up the Authentication System

Most of Django’s authentication features come pre-configured. However, it’s important to confirm the necessary applications and middleware are active.

In your project’s settings.py file, make sure the following apps are included under INSTALLED_APPS:

'django.contrib.auth',
'django.contrib.contenttypes',
'django.contrib.sessions',
'django.contrib.messages',
'django.contrib.staticfiles',

Additionally, Django requires certain middleware for managing authentication, sessions, and messages:

'django.contrib.sessions.middleware.SessionMiddleware',
'django.contrib.auth.middleware.AuthenticationMiddleware',
'django.contrib.messages.middleware.MessageMiddleware',

These components work together to track logged-in users, manage their sessions, and handle messages or notifications.

4. The User Model

At the heart of Django’s authentication system lies the User model. This model, provided by django.contrib.auth.models, defines essential fields and methods to represent a user.

By default, it includes attributes such as:

  • username: A unique identifier for the user.
  • password: A hashed representation of the user’s password.
  • email: The user’s email address.
  • first_name and last_name: Optional personal details.
  • is_active: Indicates whether the user account is active.
  • is_staff: Determines if the user can access the admin site.
  • is_superuser: Grants all permissions automatically.

These fields cover most use cases, but Django also allows you to extend or replace the default user model when you need custom user attributes.

You can access the user model in your code using:

from django.contrib.auth.models import User

Or, if you’re using a custom user model, use:

from django.contrib.auth import get_user_model

5. User Authentication — Login Process

Authentication in Django typically starts with a user attempting to log in. Django provides an authenticate() function that verifies the username and password combination against the database. If the credentials are correct, it returns a User object; otherwise, it returns None.

Example of manual authentication:

from django.contrib.auth import authenticate, login

user = authenticate(request, username='john', password='secret')
if user is not None:

login(request, user)

Here’s what happens step-by-step:

  1. The authenticate() function checks the given credentials.
  2. If successful, Django confirms the user’s identity.
  3. The login() function then stores the user’s ID in the session, marking the user as logged in for subsequent requests.

Once logged in, the user can be identified in any view using request.user.

6. Logging Out Users

To log a user out, Django provides a simple function called logout(). This removes the user’s ID from the session and clears the session data:

from django.contrib.auth import logout

def logout_view(request):

logout(request)

After logout, the user becomes anonymous and loses access to any restricted views that require authentication.

7. Using Built-in Login and Logout Views

Django provides ready-made class-based views for handling login and logout functionality, eliminating the need to write these from scratch.

You can add them to your URL configuration as follows:

from django.contrib.auth import views as auth_views

urlpatterns = [

path('login/', auth_views.LoginView.as_view(), name='login'),
path('logout/', auth_views.LogoutView.as_view(), name='logout'),
]

These views use Django’s authentication forms automatically and handle all the logic required for user authentication. You can customize the templates (registration/login.html by default) to fit your design.

8. Managing Passwords Securely

Django never stores plain text passwords. When a user sets or changes their password, it is automatically hashed using a secure algorithm (such as PBKDF2, bcrypt, or Argon2).

You can manually set a password for a user with the set_password() method:

user.set_password('new_password')
user.save()

For verifying passwords, Django uses the check_password() method internally.

This strong password hashing mechanism ensures that even if the database is compromised, passwords remain unreadable. Django also provides password reset functionality via email, which can be configured using built-in views.

9. Accessing the Logged-in User

Once a user is authenticated, Django automatically makes their information available through the request object. You can access the logged-in user in any view with:

request.user

Django provides a few helpful attributes for checking user states:

  • request.user.is_authenticated — True if the user is logged in.
  • request.user.is_staff — True if the user has staff status.
  • request.user.is_superuser — True if the user has all permissions.

This allows you to personalize user experiences, restrict access, and manage functionality based on user roles.

10. Protecting Views — Login Required Decorator

To ensure that only logged-in users can access certain views, Django offers the @login_required decorator.

For example:

from django.contrib.auth.decorators import login_required

@login_required
def dashboard(request):

return render(request, 'dashboard.html')

If an unauthenticated user tries to access this view, they will automatically be redirected to the login page.

You can set a custom login URL by adding this in settings.py:

LOGIN_URL = '/login/'
LOGIN_REDIRECT_URL = '/dashboard/'

This makes it simple to secure sections of your site that should only be visible to authenticated users.

11. Authorization — Controlling Access

After a user is authenticated, Django provides a robust authorization system to control what actions they can perform.

Built-in Permissions

By default, Django creates permissions for each model — typically “add”, “change”, and “delete”. For example, for a model named Article, Django automatically creates the following permissions:

  • add_article
  • change_article
  • delete_article

You can check a user’s permissions using:

user.has_perm('app_name.add_article')

If you need to check multiple permissions at once, Django also provides:

user.has_perms(['app_name.add_article', 'app_name.change_article'])

12. Groups and Role Management

Django’s Group model provides a way to organize users into roles. Each group can have a set of permissions, and users assigned to a group automatically inherit those permissions.

Example:
You might create a group called “Editors” with permissions to add and change articles, while another group called “Viewers” might only have permission to read them.

To create groups programmatically:

from django.contrib.auth.models import Group, Permission

editors_group = Group.objects.create(name='Editors')
permission = Permission.objects.get(codename='change_article')
editors_group.permissions.add(permission)

You can then assign a user to a group:

user.groups.add(editors_group)

This setup allows you to manage permissions efficiently without having to assign them individually to every user.

13. Custom User Models

While Django’s default user model is sufficient for many projects, some applications require storing additional user data such as phone numbers, profile pictures, or date of birth.

To handle this, Django allows you to create a custom user model by extending AbstractUser or AbstractBaseUser.

Example of a custom user model:

from django.contrib.auth.models import AbstractUser
from django.db import models

class CustomUser(AbstractUser):

phone_number = models.CharField(max_length=15, blank=True)

Then, in settings.py, specify your custom user model:

AUTH_USER_MODEL = 'yourapp.CustomUser'

This must be defined before the first migration, as changing the user model later can be complex.

14. Authentication Backends

Django uses authentication backends to determine how users are authenticated. The default backend checks usernames and passwords against the database, but you can create custom backends for more complex authentication logic — for instance, authenticating via email, an external API, or LDAP.

Custom backends must implement two methods:

  • authenticate(request, **credentials)
  • get_user(user_id)

You can specify custom backends in your settings.py:

AUTHENTICATION_BACKENDS = [

'django.contrib.auth.backends.ModelBackend',
'yourapp.backends.EmailBackend',
]

This flexibility makes Django’s authentication system adaptable to nearly any environment.

15. Anonymous Users

Django automatically handles unauthenticated users by representing them as an instance of the AnonymousUser class. This prevents null reference errors when accessing request.user.

AnonymousUser objects always return:

  • is_authenticated = False
  • is_staff = False
  • is_superuser = False

This behavior ensures that your code can safely reference request.user even when no user is logged in.

16. Session Management

Django uses sessions to keep track of logged-in users. A session is a way to store user-specific data between HTTP requests. When a user logs in, Django creates a session ID stored in a browser cookie.

Each request includes this session ID, allowing Django to identify which user is making the request. This enables features like maintaining a shopping cart, tracking preferences, or keeping a user logged in across multiple pages.

You can access session data using:

request.session['key'] = 'value'

And retrieve it later using:

value = request.session.get('key')

17. Security Features

Django’s authentication system is built with security as a top priority. It includes:

  1. Password Hashing — All passwords are hashed using strong algorithms.
  2. CSRF Protection — Prevents cross-site request forgery attacks.
  3. Session Security — Uses signed cookies to prevent tampering.
  4. Automatic Logout — Optional session expiration after inactivity.
  5. Brute Force Protection — Easily integrated using external packages.

Following Django’s security guidelines ensures your application remains protected from common web vulnerabilities.

18. Extending the Authentication System

Django’s modular design allows developers to easily extend the authentication system. You can:

  • Add custom fields to users.
  • Implement token-based authentication (useful for APIs).
  • Integrate third-party login (like Google or GitHub).
  • Customize login and signup workflows.

For REST APIs, Django REST Framework (DRF) provides token-based and JWT authentication systems that integrate seamlessly with Django’s existing user model.

19. Common Authentication Workflows

Typical authentication workflows include:

  1. User Registration — User fills out a form and creates an account.
  2. User Login — Credentials are verified, and a session starts.
  3. Access Control — Logged-in users can access restricted views.
  4. Password Reset — Django handles sending reset emails securely.
  5. Logout — Ends the session and redirects the user.

These workflows can all be implemented using Django’s built-in authentication tools with minimal custom code.

Comments

Leave a Reply

Your email address will not be published. Required fields are marked *