Using as an OAuth2 provider for the API

django-allauth has support for GitLab and is tested to work with the demo. It does not work out of the box but does not require code modification: the manual first-time setup steps are described below. Once that is done, users can create an account on the demo server. A token can then be displayed to them and used to authenticate against the API through the django-rest-framework TokenAuthentication class.

One pending question is how to restrict authentication to users who are members of a given group. Probably with a django permission class?

Creating users via

The server could be set to only allow authentication via, granting access to the API to anyone with an account on

modified   config/
@@ -48,6 +48,7 @@ INSTALLED_APPS = (
 {% if google %}
     '',  # enabled by configure
 {% endif %}
+    'allauth.socialaccount.providers.gitlab',  # enabled by configure
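Review bot: the new `'allauth.socialaccount.providers.gitlab'` entry is added outside any template conditional, while the Google provider just above it sits inside `{% if google %} ... {% endif %}`, so its `# enabled by configure` comment does not hold: the app is installed whether or not configure enables GitLab. Wrap it in a matching `{% if gitlab %}` / `{% endif %}` guard like the Google block, or drop the comment.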

The installation instructions are followed like so:

  • mkvirtualenv -p /usr/bin/python3 demo-allauth-bootstrap
  • python # say no to Google & Facebook :stuck_out_tongue:
  • python makemigrations allauthdemo_auth
  • python migrate
  • python createsuperuser # user pass foobar
  • python runserver
  • firefox and add an allauth application:

  • use the Application ID and secret to add the provider to the django-allauth tables with python set_auth_provider gitlab 0477e5be1e7f986ff0c81107cb3c6ffcff37b31d9f327146a7e325831cd8cd2f f7a13305816321f1f935dd76d0b00769d9cee7011bc02e348ec8bf9dde2c5168
  • firefox and update the site to

  • manually add the following to config/
    'gitlab': {
        'GITLAB_URL': '',
        'SCOPE': ['read_user'],
    },
  • stop the server and restart it (python runserver)
  • firefox and click Join and follow the steps until:

Obtain a token

A token can be obtained for each user known to django.

  • in config/ add
Generated token 52f7b9cdb45161d557c7e23e6029406c64a2088e for user
  • use the token with each API request in the header Authorization: Token 52f7b9cdb45161d557c7e23e6029406c64a2088e


The permission we need could look up the token (field token in the socialaccount_socialtoken table) for the user and present it to the GitLab API to check whether they are a member of the main/infrastructure project.
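As an added example (not code from the page, the allauth demo or the enough project), here is one way to write that permission class: it reads the user's GitLab token from django-allauth's SocialToken model, asks GitLab who the token belongs to, and then queries the per-member endpoint of the main/infrastructure project, which answers 404 for non-members and so needs no paging. The GitLab URL is a placeholder because the page does not give it; `fake_get` and the two FAKE_* tables are constructed stand-ins for the GitLab API so the check can be run offline. Note that the `read_user` scope configured above only covers the `/user` endpoints, so the stored token needs a scope that allows the projects API (`read_api`) for this check to return anything but 403.

```python
"""Membership check for the main/infrastructure project, usable as a DRF permission.

The user's GitLab OAuth token comes from the socialaccount_socialtoken table
(django-allauth's SocialToken model) and is presented to GitLab as a Bearer token.
"""
import json
from urllib.error import HTTPError
from urllib.parse import quote
from urllib.request import Request, urlopen

try:
    from rest_framework.permissions import BasePermission
except ImportError:  # lets the check run outside a Django/DRF project (e.g. in a plain test)
    class BasePermission:
        pass

# Placeholder URL: the page does not give the real GitLab instance. The project path is the one it names.
GITLAB_URL = "https://gitlab.example.invalid"
PROJECT_PATH = "main/infrastructure"


def gitlab_get(gitlab_url, path, token):
    """GET a GitLab API path with the user's OAuth token; return (HTTP status, parsed JSON or None)."""
    req = Request(gitlab_url.rstrip("/") + path, headers={"Authorization": "Bearer " + token})
    try:
        with urlopen(req, timeout=10) as resp:
            return resp.status, json.load(resp)
    except HTTPError as err:
        return err.code, None  # 401: token rejected, 403: scope too narrow, 404: not a member


def is_project_member(gitlab_url, project_path, token, get=gitlab_get):
    """True only if the token's owner is an active (possibly inherited) member of project_path."""
    status, me = get(gitlab_url, "/api/v4/user", token)
    if status != 200 or not me or "id" not in me:
        return False  # expired/revoked token, or the token cannot even read its own user
    encoded = quote(project_path, safe="")  # "main/infrastructure" -> "main%2Finfrastructure"
    status, member = get(gitlab_url, f"/api/v4/projects/{encoded}/members/all/{me['id']}", token)
    if status != 200 or not member:
        return False  # 404 is GitLab's answer for "not a member"; 403 means the scope is too narrow
    # Fail closed on blocked or pending accounts rather than trusting the 200 alone.
    return member.get("state", "active") == "active"


def gitlab_token_for(user):
    """Return the GitLab token allauth stored for this Django user, or None if there is none."""
    from allauth.socialaccount.models import SocialToken  # needs configured Django settings

    row = SocialToken.objects.filter(account__user=user, account__provider="gitlab").first()
    return row.token if row else None


class IsInfrastructureMember(BasePermission):
    """DRF permission: the authenticated user must be a member of PROJECT_PATH on GitLab."""

    message = "not a member of %s on GitLab" % PROJECT_PATH

    def has_permission(self, request, view):
        user = getattr(request, "user", None)
        if user is None or not user.is_authenticated:
            return False
        token = gitlab_token_for(user)
        if token is None:
            return False  # account created without GitLab, or token purged: deny
        return is_project_member(GITLAB_URL, PROJECT_PATH, token)


# Constructed stand-in for the GitLab API so the check can be exercised offline.
FAKE_USERS = {"good-token": {"id": 7, "username": "alice"}}
FAKE_MEMBERS = {("main/infrastructure", 7): {"id": 7, "state": "active", "access_level": 30}}


def fake_get(gitlab_url, path, token):
    """Answer like GitLab would for the two endpoints is_project_member uses."""
    me = FAKE_USERS.get(token)
    if me is None:
        return 401, None
    if path == "/api/v4/user":
        return 200, me
    prefix = "/api/v4/projects/"
    if path.startswith(prefix):
        project, _, user_id = path[len(prefix):].partition("/members/all/")
        key = (project.replace("%2F", "/"), int(user_id))
        if key in FAKE_MEMBERS:
            return 200, FAKE_MEMBERS[key]
    return 404, None


if __name__ == "__main__":
    for tok, proj in [("good-token", "main/infrastructure"),
                      ("good-token", "other/project"),
                      ("bad", "main/infrastructure")]:
        print(tok, proj, is_project_member(GITLAB_URL, proj, tok, get=fake_get))
```

In the demo view, the class is applied with `@permission_classes([IsAuthenticated, IsInfrastructureMember])`; every request then costs two round trips to GitLab, so a short-lived per-user cache of the verdict is worth adding before this is used on a busy endpoint.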

In the file of the allauth demo:

from rest_framework.decorators import api_view, authentication_classes, permission_classes
from rest_framework.authentication import TokenAuthentication
from rest_framework.permissions import IsAuthenticated
from rest_framework.response import Response

from allauth.socialaccount.models import SocialToken


@api_view(['GET'])
@authentication_classes([TokenAuthentication])  # expects "Authorization: Token <token>"
@permission_classes([IsAuthenticated])
def example_view(request, format=None):
    # Demo only: echoes the first stored social (GitLab) token back to the caller.
    queryset = SocialToken.objects.all()
    content = {
        'n': queryset[0].token,
        'user': str(request.user),  # `django.contrib.auth.User` instance.
        'auth': str(request.auth),  # the Token instance TokenAuthentication matched
    }
    return Response(content)

And then we can:

$ curl --header "Authorization: Token 52f7b9cdb45161d557c7e23e6029406c64a2088e"
$ curl --header "Authorization: Bearer afe36d485b1d933f972ccc6a2ce809028a2db7ff779bdcb2fccc4b24e573b"

  • rm ~/.enough/default/db.sqlite3
  • enough manage migrate
  • enough manage set_auth_provider gitlab 0e6c39cc330a6b21ae3008a91965680ee1f38973d2194cf05fa33214b75a0 44e82718ac2510b84f445aa5aaef83edd2d55b69482799b1bfc16e5484eb