You are currently viewing Authentication And Authorization In Django

Authentication And Authorization In Django

In a typical application, there have to be certain levels a user cannot access, otherwise, it poses a great threat to the developers of that application. You wouldn’t want to give your users admin privileges on your application. When building an application that users will relate with, it is important to set up authentications and authorizations, before launching the Application.

Depending on the programming language or framework you hope to use, the concept is generally the same, however, implementing the logic may differ depending on the programming language in use.

This post will focus mainly on authentication in the Django restframework. In order to fully understand the concept of implementing authentication, it is important to first understand what authentication and authorization mean.

What is Authentication?

Authentication is simply a check confirming if the user requesting a view is who they claim they are. Authorization specifies what the authenticated user is allowed to view in the application.

Authentication in Django

Django is a popular web framework that is built based on Python Language. Django offers a lot of features out of the box that will help in building web apps faster and takes a lot of work from the developers’ side, one of which is the authentication system.

Django provides support for common user authentication out of the box. By default, Django takes care of user accounts, groups, permissions, and cookie-based user sessions. The authentication systems are part of the installed apps that come with running the ‘Django-admin startproject’ and running the migrations into the database.

black laptop computer on white desk

Types of Authentication

There are different ways to implement an authentication system into a Django project. Some of which are;
Basic Authentication: This type is implemented using the default request.user module preinstalled in Django apps.
Token Authentication: This involves generating a unique Access Token that is associated with the users’ request.
Session-Based Authentication: Authentication on a per session basis. The user is granted access for a specified time frame. The usage interval is specified by the admin of the application.


The authentication system is incorporated as a Django contrib module in django.contrib.auth. The authentication consist of two items listed in the INSTALLED_APPS setting:
‘django.contrib.auth’ contains the core of the authentication framework and its default models.
‘django.contrib.contenttypes’ is the Django content type system, which allows permissions to be associated with the models you create.

Using Authentication in Django

The Django authentication system is used to specify a lot of auth settings for your application ranging from; Working with User objects, Permissions, and authorization, Authentication in web requests, Managing users in the admin, API reference for the default implementation, Customizing Users, and authentication, Password management in Django. In this section we will focus on the Web request authentication and permissions in Django, then a brief introduction to the Django-admin site.

Authentication in Web requests

Django uses sessions and middleware to hook the authentication system into request objects. They provide a (request.user) attribute assigned to any request which represents the current user. If the user accessing the page has not logged in, this attribute will be populated with an instance of AnonymousUser, otherwise, it will be an instance of User.

Permissions and Authorization

Django out of the box features a built-in permissions system. The system provides a means to assign permissions to specific users and groups of users.

Django Admin

Django authentication system comes with an admin module that helps in managing admin-related tasks. It also features a User Interface for the admin dashboard, from which you can perform admin activities as opposed to using the command line or from the hosting plan. The command Django-admin createsuperuser is used to create the web application’s admin/superuser from the Command Line Interface (CLI). The admin can add new users, add users to groups, allocate roles, and manage the application’s models from the admin dashboard.


Securing your web application and specifying user roles and permissions should be one of the first features to implement in your applications. The importance cannot be overemphasized. The Django documentation provides an elaborate and easy way to implement authentication into your Django Project.

Leave a Reply