Skip to main content

What is django-allauth?

django-allauth is a comprehensive, integrated authentication solution for Django applications. It provides a complete authentication framework that handles regular accounts (username/email + password) as well as social authentication from providers like Google, GitHub, and dozens of others.
django-allauth is designed to be secure by default, with built-in protections against enumeration attacks, rate limiting, and comprehensive email verification flows.

Core Features

Account Management

Complete user registration, login, password reset, and email management

Email Verification

Flexible email verification with both link-based and code-based flows

Social Authentication

Pre-built integrations with 50+ OAuth providers

Rate Limiting

Built-in rate limiting to protect against brute force and abuse

Architecture

django-allauth follows a modular architecture with clear separation of concerns:

Key Components

Handle HTTP request/response cycle for authentication actions. Each view corresponds to a user-facing action like login, signup, or email verification.
# Example: Login view
from allauth.account.views import LoginView

urlpatterns = [
    path('accounts/login/', LoginView.as_view(), name='account_login'),
]
Validate and clean user input. Forms are customizable through the ACCOUNT_FORMS setting.
# settings.py
ACCOUNT_FORMS = {
    'login': 'myapp.forms.CustomLoginForm',
    'signup': 'myapp.forms.CustomSignupForm',
}
The adapter pattern allows you to customize core behaviors without modifying allauth code. Override adapter methods to tailor functionality to your needs.
from allauth.account.adapter import DefaultAccountAdapter

class MyAccountAdapter(DefaultAccountAdapter):
    def is_open_for_signup(self, request):
        # Close signups during maintenance
        return not request.site.is_in_maintenance_mode()
Core data models including EmailAddress for managing multiple email addresses per user, and EmailConfirmation for verification tokens.
from allauth.account.models import EmailAddress

# Check if user's email is verified
email = EmailAddress.objects.get_primary(user)
if email and email.verified:
    print("Email is verified!")
Internal orchestration logic that coordinates between different components. Flows handle complex multi-step processes like signup with email verification.
Login stages allow for multi-step login processes. Examples include email verification stage, MFA stage, and password reset stage.
Django signals are dispatched at key points allowing you to hook into authentication events.
from allauth.account.signals import user_signed_up
from django.dispatch import receiver

@receiver(user_signed_up)
def on_user_signup(request, user, **kwargs):
    # Send welcome email, create profile, etc.
    send_welcome_email(user)

Authentication Methods

django-allauth supports multiple authentication methods that can be configured independently:
Traditional authentication using a username and password.
# settings.py
ACCOUNT_LOGIN_METHODS = {"username"}
ACCOUNT_SIGNUP_FIELDS = ['username*', 'password1*', 'password2*']

Configuration Philosophy

django-allauth is designed to be secure and usable by default. Key configuration principles:
1

Security First

Rate limiting, enumeration prevention, and email verification are enabled by default to protect your application and users.
2

Progressive Disclosure

Start with sensible defaults and customize only what you need. Most apps can get started with minimal configuration.
3

Adapter Customization

Use the adapter pattern instead of forking code. Override specific methods to change behavior while maintaining compatibility with updates.

Common Configuration Patterns

Basic Email-Based Authentication

# settings.py
INSTALLED_APPS = [
    # ...
    'django.contrib.sites',
    'allauth',
    'allauth.account',
]

SITE_ID = 1

# Authentication methods
ACCOUNT_LOGIN_METHODS = {"email"}
ACCOUNT_EMAIL_REQUIRED = True
ACCOUNT_USERNAME_REQUIRED = False

# Email verification
ACCOUNT_EMAIL_VERIFICATION = "mandatory"
ACCOUNT_EMAIL_CONFIRMATION_EXPIRE_DAYS = 3

# Security
ACCOUNT_PREVENT_ENUMERATION = True
ACCOUNT_RATE_LIMITS = {
    "login_failed": "5/5m/key",
    "signup": "20/m/ip",
}

Username-Based with Optional Email

# settings.py
ACCOUNT_LOGIN_METHODS = {"username"}
ACCOUNT_SIGNUP_FIELDS = ['username*', 'email', 'password1*', 'password2*']
ACCOUNT_EMAIL_VERIFICATION = "optional"
ACCOUNT_USERNAME_MIN_LENGTH = 3
ACCOUNT_USERNAME_BLACKLIST = ['admin', 'root', 'system']

Email Verification Methods

Mandatory

Users cannot log in until email is verified. Most secure option.
ACCOUNT_EMAIL_VERIFICATION = "mandatory"

Optional

Verification email sent but login allowed. Balances security and UX.
ACCOUNT_EMAIL_VERIFICATION = "optional"

None

No verification emails sent. Use only for testing or closed systems.
ACCOUNT_EMAIL_VERIFICATION = "none"

Request Lifecycle

Understanding how an authentication request flows through allauth:
Each step in this flow can be customized through settings, adapter methods, or by connecting to signals.

Model Relationships

Security Features

Enumeration Prevention

Prevents attackers from discovering which email addresses are registered by giving identical responses for existing and non-existing accounts.

Rate Limiting

Protects against brute force attacks with configurable rate limits per IP, user, and custom keys.

HMAC-Based Tokens

Email verification uses stateless HMAC tokens instead of database records, improving security and scalability.

Session Security

Configurable session duration and “Remember Me” functionality with secure cookie settings.

Next Steps

Account Management

Learn about user registration, profile management, and email handling

Authentication Flows

Understand login, signup, and password reset processes

Email Verification

Deep dive into email verification strategies and configuration

Rate Limiting

Configure rate limits to protect your application

Key Takeaways

django-allauth provides a complete, secure authentication solution out of the box
The adapter pattern allows deep customization without forking code
Multiple authentication methods can coexist in the same application
Security features like rate limiting and enumeration prevention are enabled by default
Flows and stages orchestrate complex multi-step authentication processes

Build docs developers (and LLMs) love

Get started for freeTalk to us