https://github.com/mkalioby/django-passkeys
Django Authentication Backend For Passkeys
- Host: GitHub
- URL: https://github.com/mkalioby/django-passkeys
- Owner: mkalioby
- License: mit
- Created: 2022-10-28T09:46:58.000Z (over 3 years ago)
- Default Branch: main
- Last Pushed: 2025-04-02T15:12:32.000Z (about 1 year ago)
- Last Synced: 2025-05-13T04:40:32.555Z (11 months ago)
- Topics: biometrics, django, passkeys, python, security, security-key, webauthn
- Language: Python
- Size: 4.84 MB
- Stars: 217
- Watchers: 10
- Forks: 24
- Open Issues: 21
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- License: LICENSE
- Security: SECURITY.md
README
# django-passkeys
An extension to Django's *ModelBackend* authentication backend to support passkeys. Supports both Django templates and a REST API (Django REST Framework) with pluggable token backends (JWT, DRF Token, or Session).
Passkeys are an extension to the Web Authentication API that allow the user to log in to a service using another device.
This app is a slimmed-down version of [django-mfa2](https://github.com/mkalioby/django-mfa2).
Passkeys are now supported on:
* Apple Ecosystem (iPhone 16.0+, iPadOS 16.1, Mac OS X Ventura)
* Chromium-based browsers (on PC and laptop), which allow picking up credentials from Android and iPhone/iPadOS.
* Android: credential creation for ResidentKeys is currently live.
On May 3, 2023, Google allowed users to log in with passkeys, killing the password for enrolled users.
## Special Features
django-passkeys supports the following features:
### 1. Conditional UI
**Conditional UI** is a way for the browser to prompt the user to use a passkey to log in.

### 2. WebAuthn immediate mediation for frictionless sign-in
**Immediate Mediation** is an extension to the WebAuthn API that allows the browser to immediately prompt the
user to use a password or passkey without the need for a login form. This is currently supported by Google Chrome 144+ and soon on Android devices.
You can watch the [demo presented by Google](https://developer.chrome.com//static/blog/webauthn-immediate-mediation-ot/video/immediate-mediation-explicit-flow.mp4).
# Quick Start - Common Settings
`pip install django-passkeys`
Supports Django 2.2+, Python 3.7+
# Usage
1. In your `settings.py`, add the application to your installed apps
```python
INSTALLED_APPS = (
    '......',
    'passkeys',
    '......',
)
```
2. Collect Static Files
```shell
python manage.py collectstatic
```
3. Run migrate
```shell
python manage.py migrate
```
4. Add the following settings to your `settings.py`
```python
import passkeys

AUTHENTICATION_BACKENDS = ['passkeys.backend.PasskeyModelBackend']  # Change your authentication backend
FIDO_SERVER_ID = "localhost"  # Server rp id for FIDO2, must match your domain
FIDO_SERVER_NAME = "TestApp"
KEY_ATTACHMENT = None  # or passkeys.Attachment.CROSS_PLATFORM or passkeys.Attachment.PLATFORM
```
**Notes**
* Starting with v1.1, `FIDO_SERVER_ID` and/or `FIDO_SERVER_NAME` can be a callable to support multi-tenant web applications; the `request` is passed to the called function.
* `FIDO_SERVER_ID` must match the domain you access the site from. For local development, use `localhost` and access via `http://localhost:8000/` (not `127.0.0.1`).
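An added example of the callable form described in the notes above (not code from django-passkeys): it resolves the RP ID from an explicit tenant table rather than echoing the Host header, and checks the WebAuthn rule that the RP ID equals the host or is a parent domain of it. The tenant table, hostnames and function names are assumptions; `request.get_host()` is Django's standard `HttpRequest` method.

```python
# settings.py (added example; all hostnames and display names are constructed)
TENANTS = {
    # request host        -> (RP ID, display name)
    "acme.example.com":   ("acme.example.com", "Acme Portal"),
    "login.widgets.test": ("widgets.test", "Widgets"),
}


def tenant_for(request):
    """Return (rp_id, name) for the host this request was addressed to."""
    # get_host() validates the Host header against ALLOWED_HOSTS in Django.
    host = request.get_host().lower()
    if not host.endswith("]"):           # leave bare IPv6 literals untouched
        host = host.rsplit(":", 1)[0]    # drop an optional :port
    host = host.rstrip(".")
    try:
        rp_id, name = TENANTS[host]
    except KeyError:
        # Fail closed: an unknown host must never become the RP ID.
        raise ValueError("no passkey tenant configured for host %r" % host)
    # WebAuthn accepts an RP ID only if it equals the host or is a parent
    # domain of it; catch a mistyped table entry here, not in the browser.
    if host != rp_id and not host.endswith("." + rp_id):
        raise ValueError("RP ID %r is not valid for host %r" % (rp_id, host))
    return rp_id, name


def fido_server_id(request):
    return tenant_for(request)[0]


def fido_server_name(request):
    return tenant_for(request)[1]


FIDO_SERVER_ID = fido_server_id
FIDO_SERVER_NAME = fido_server_name
```

Credentials are bound to the RP ID they were registered under, so changing a tenant's entry later makes its existing passkeys unusable.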
# Detect if user is using passkeys
Once the backend is in use, there will be a `passkey` key in `request.session`.
If the user logged in with a passkey, `request.session['passkey']['passkey']` will be `True` and the key information will be stored alongside it, like this:
```python
{'passkey': True, 'name': 'Chrome', 'id': 2, 'platform': 'Chrome on Apple', 'cross_platform': False}
```
`cross_platform` means that the user used a key from another platform, so there is no key local to the device used to log in, e.g. an Android phone was used to log in on Mac OS X or iPad.
If the user didn't use a passkey, then it will be set to `False`:
```python
{'passkey':False}
```
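An added example (not part of django-passkeys) that turns the session key described above into a view decorator for actions that should only run after a passkey login. The function names, the `deny` callback and the `allow_cross_platform` option are assumptions; only the session layout comes from this page.

```python
import functools
from types import SimpleNamespace


def passkey_login_state(session):
    """Classify a login from the 'passkey' session key set by the backend."""
    info = session.get("passkey")
    # Key absent (backend not in use) or {'passkey': False}: not a passkey login.
    if not isinstance(info, dict) or info.get("passkey") is not True:
        return "no-passkey"
    # cross_platform=True: the key lives on a device other than the one in use.
    return "cross-platform" if info.get("cross_platform") else "local"


def passkey_required(deny, allow_cross_platform=True):
    """View decorator: return deny(request) unless the session shows a passkey login.

    `deny` is supplied by the caller, e.g. a function that returns an
    HttpResponseForbidden or a redirect to the login page.
    """
    def decorator(view):
        @functools.wraps(view)
        def wrapper(request, *args, **kwargs):
            state = passkey_login_state(request.session)
            allowed = state == "local" or (
                state == "cross-platform" and allow_cross_platform
            )
            if not allowed:
                return deny(request)
            return view(request, *args, **kwargs)
        return wrapper
    return decorator


if __name__ == "__main__":
    # Constructed request objects; the session values mirror the page's samples.
    @passkey_required(deny=lambda request: "403 passkey login required")
    def rotate_api_key(request):
        return "200 rotated"

    with_key = SimpleNamespace(session={"passkey": {
        "passkey": True, "name": "Chrome", "id": 2,
        "platform": "Chrome on Apple", "cross_platform": False}})
    without_key = SimpleNamespace(session={"passkey": {"passkey": False}})
    print(rotate_api_key(with_key), "|", rotate_api_key(without_key))
```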
This completes the basic installation of django-passkeys. Your next step depends on whether you want to use the Django Template integration or the REST API (Django REST Framework) integration.
## Choose Your Integration
django-passkeys supports two integration modes. Pick the one that fits your project:
| | Template-Based | REST API (DRF) |
|---|---|---|
| **Best for** | Server-rendered Django apps | SPAs, mobile apps, headless APIs |
| **Auth flow** | Session-based with Django forms | Token-based (JWT, DRF Token, or Session) |
| **Frontend** | Django templates with jQuery | Any frontend (React, Vue, mobile, etc.) |
| **Setup guide** | [Template Setup](docs/template-setup.md) | [DRF Setup](docs/drf-setup.md) |
Both can coexist in the same project — you can use templates for your web app and the API for your mobile app.
## Example Project
See the `example` app and [Example.md](docs/Example.md) for a working demo of templates, DRF and immediate mediation.
## Security contact information
To report a security vulnerability, please use the
[Tidelift security contact](https://tidelift.com/security).
Tidelift will coordinate the fix and disclosure.
## Contributors
* [mahmoodnasr](https://github.com/mahmoodnasr)
* [jacopsd](https://github.com/jacopsd)
* [gasparbrogueira](https://github.com/gasparbrogueira)
* [pulse-mind](https://github.com/pulse-mind)
* [ashokdelphia](https://github.com/ashokdelphia)
* [offbyone](https://github.com/offbyone)
* [resba](https://github.com/resba)
* [ganiyevuz](https://github.com/ganiyevuz)
* [smark-1](https://github.com/smark-1)
* [ThomasWaldmann-1](https://github.com/ThomasWaldmann)
* [rafaelurben](https://github.com/rafaelurben)