Django OIDC Provider

Description

A production-ready, Dockerized OpenID Connect (OIDC) identity provider built with Django. Designed for internal organizational use, it supports secure authentication and token issuance, with full SSL support, CI-based VPS deployment, and environment-specific configuration.

Plan of Action

OAuth2 & OpenID Connect Implementation

The core of the application is based on the OAuth2 and OIDC specifications. These protocols provide a secure and standardized way for applications to obtain user access (OAuth2) and verified identity information (OIDC). The same approach is used by major providers such as Google, GitHub, and Microsoft.
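The identity half of that exchange is the OIDC ID token: a signed JWT the provider issues to a client, which the client must verify (signature, issuer, audience, expiry, nonce) before trusting the identity it carries. The following is an added example, not code from this project; it implements a minimal HS256 JWT with the standard library so it runs offline. The issuer URL, client id and shared secret are constructed placeholders. The page's Future Scope lists RS256 as not yet supported, so HS256 with a shared secret is used here; with RS256 the client would verify against the provider's public key instead of holding the secret.

```python
import base64
import hashlib
import hmac
import json

# Constructed placeholder; the project's real issuer URL is not shown on the page.
ISSUER = "https://id.example.internal"
ALLOWED_ALGS = {"HS256"}  # explicit allow-list: never honour an "alg" the token picks


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(secret: bytes, client_id: str, subject: str, nonce: str,
                   now: int, lifetime: int = 300) -> str:
    """Provider side: build and sign an ID token with the required OIDC claims."""
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {
        "iss": ISSUER,        # who issued the token
        "sub": subject,       # stable user identifier
        "aud": client_id,     # which client this token is for
        "iat": now,           # issued at (unix time)
        "exp": now + lifetime,  # short lifetime limits replay window
        "nonce": nonce,       # echoed from the authentication request
    }
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_id_token(token: str, secret: bytes, client_id: str, expected_nonce: str, now: int):
    """Client side: returns (claims, "ok") or (None, reason). Signature is checked
    before any claim is read, and the alg comes from the allow-list, not the token."""
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed token"
    h, p, s = parts
    try:
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(p))
        signature = b64url_decode(s)
    except ValueError:  # covers bad base64 and bad JSON
        return None, "malformed token"
    if header.get("alg") not in ALLOWED_ALGS:
        return None, "unexpected alg"
    expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time compare
        return None, "bad signature"
    if claims.get("iss") != ISSUER:
        return None, "wrong issuer"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        return None, "wrong audience"
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return None, "expired"
    if claims.get("nonce") != expected_nonce:
        return None, "nonce mismatch"
    return claims, "ok"


if __name__ == "__main__":
    secret = b"constructed-shared-secret"  # placeholder, not a real key
    token = issue_id_token(secret, "web-app", "user-42", "n-1", 1_700_000_000)
    print(verify_id_token(token, secret, "web-app", "n-1", 1_700_000_100))
```

The order of checks matters: the signature is verified before any claim is acted on, the algorithm is taken from a fixed allow-list rather than from the token header (which rejects `alg: none` and algorithm-confusion tokens), and `exp`, `aud` and `nonce` are all mandatory, so a token issued for one client cannot be replayed at another.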

User Management & Verification

The system includes user registration, email verification, and secure password reset functionality. Django’s built-in user model is extended to support custom fields and verification states. Transactional emails are sent via Mailgun, and background jobs are handled using Celery to offload tasks like email delivery and token cleanup.

Deployment & CI

My goal was to make deployment as easy as possible, while still allowing flexibility and extensibility when needed. The production setup is fully Dockerized and includes Django, Celery, PostgreSQL, Redis, SSL support using Certbot, and Nginx as a reverse proxy. The entire project can be started using just four commands - it could’ve been a single command, but I preferred to keep things clean and modular.

Even though the setup is simple, I’ve ensured it remains customizable for self-hosters (though it follows a few opinionated defaults). Here's the strategy I followed:

  1. make init – This command sets up all the required files such as .env files, Nginx config, and other templates. It prompts the user for required environment variables and generates files accordingly. Using templates ensures consistent formatting and reduces manual error, making setup more robust and user-friendly.
  2. make init-ssl – This prompts the user for basic SSL-related inputs like domain and email, and automatically configures SSL using Let's Encrypt.
  3. make deploy – This brings up the entire stack using Docker.
  4. make migrate – This ensures all database migrations are applied properly.

This separation keeps things fast, clear, and maintainable. For example, combining deploy and migrate in one command might work, but it risks unexpected failures and reduces control.
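To make the template-driven init step concrete, here is an added example (not the project's own Makefile or scripts) of the core of what `make init` does: render a `.env` file from a template, generating the secrets itself instead of asking the operator to invent them, creating the file owner-readable only, and refusing to overwrite an existing `.env` so a re-run cannot silently rotate production secrets. The `@PLACEHOLDER@` variable names and the template layout are assumptions for this example; the project's real templates are not shown on the page.

```bash
#!/bin/sh
# Added example of a template-rendering init step; placeholder names are assumed.

gen_secret() {
    # 50 alphanumeric characters from the kernel CSPRNG; '+', '/', '=' are
    # dropped so the value is safe inside .env and inside the sed replacement.
    head -c 64 /dev/urandom | base64 | tr -d '/+=\n' | cut -c1-50
}

render_env() {
    # $1 = template path, $2 = output .env path, $3 = public domain
    template=$1
    out=$2
    domain=$3
    if [ -e "$out" ]; then
        echo "refusing to overwrite existing $out (delete it first to re-init)" >&2
        return 1
    fi
    secret_key=$(gen_secret)
    db_password=$(gen_secret)
    # umask in a subshell so the 0600 mode applies only to the rendered secrets file
    ( umask 077
      sed -e "s|@DOMAIN@|$domain|g" \
          -e "s|@SECRET_KEY@|$secret_key|g" \
          -e "s|@POSTGRES_PASSWORD@|$db_password|g" "$template" > "$out" )
}
```

Two points carry the security value here: secrets never pass through the operator's shell history or a chat window because they are generated on the host, and the rendered file is created with a restrictive mode from the start rather than chmod'ed afterwards, which avoids a window where it is world-readable.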

Technologies Used

Django, Python, PostgreSQL, Redis, Celery, Nginx, Docker, Docker Compose, GitHub Actions, OAuth2, OpenID Connect, Certbot, AWS S3-compatible storage, Mailgun and more.

Future Scope

  • Increase test coverage to ensure stability and prevent regressions.
  • Add support for the RS256 signing algorithm for enhanced token security.
  • Change the refresh token flow to use a long-lived method instead of Redis.
  • Enable audit logging for key security and compliance events.
  • Implement user consent screens for better transparency.