A Django application providing infrastructure for consuming OAuth services. It is not for providing OAuth services.

The code is hosted on GitHub. The latest code can be downloaded as a zip file or a tarball.

Requires Python 2.6 or newer and:

Can be installed using pip:

pip install -r


Multiple OAuth services are supported by creating an application for each service provider you need to access. This application is an instance of OAuthConsumerApp. It is bound to some configuration and has a name which must be unique across all OAuthConsumerApp instances.

This application instance gives you the ability to:

  • Make signed requests (2 & 3 legged)
  • Validate incoming (2 legged) signed requests
  • Handle the access token flow

In order to use this application, you must:

  • Create an instance of OAuthConsumerApp
  • Include the URLs from that instance in your urlconf
  • Optional. Provide some templates. Which one depends on your needs.

class django_oauth_consumer.OAuthConsumerApp(name, consumer_key=None, consumer_secret=None, request_token_url=None, authorization_url=None, access_token_url=None, realm=None, signature_method=None)

Provides OAuth Consumer functionality for Django. Depending on your use of the library, some of these arguments can be ignored. But most likely you’ll need to supply all of them.


  • name: Required. This is used to make this application instance unique. Make sure you don't use the same name for different instances of OAuthConsumerApp.
  • consumer_key: The consumer key issued to you by the service provider.
  • consumer_secret: The consumer secret issued to you by the service provider.
  • request_token_url: The URL to fetch request tokens from.
  • authorization_url: The URL to redirect the user to for obtaining Authorization.
  • access_token_url: The URL to exchange the authorized request token for an access token.
  • realm: Optional realm for the Authorization header.
  • signature_method: A Signature Method for use with the OAuth flow. Defaults to

store_access_token(request, token)

This must store an access token (a dict).

This can be overridden to allow alternate storage mechanisms.

Default is session based storage.


This must return an access token (a dict) or raise NoAccessToken.

This can be overridden to allow alternate storage mechanisms. Make sure to raise NoAccessToken() if an access token is not found.

Default is session based storage.

This triggers the access token flow without checking if an access token already exists. That’s your job. It returns an HttpResponse.

A decorator for views that require an Access Token. This will ensure that you have an access token by automatically triggering the access token flow if needed before the view gets processed.

make_signed_req(url, method='GET', content={}, headers={}, token=None, request=None)

Identical to the make_request API, except that it accepts an additional (optional) token parameter and a request object (required if dealing with Scalable OAuth service providers). It adds the OAuth Authorization header based on the consumer set on this instance. If content is not a Mapping object, it is ignored for signing purposes. This means you need to either pass the query parameters as a dict/Mapping object, or pass an encoded query string as part of the URL, which will be extracted and included in the signature.


  • url: The URL - query parameters will be parsed out.
  • method: The HTTP method to use.
  • content: A dict of key/values or string/unicode value.
  • headers: A dict of headers.
  • token: An optional access token. If this is provided, you will be making a 3-legged request. If it is missing, you will be making a 2-legged request.
  • request: Optional. Needed if using Scalable OAuth in order to transparently handle access token renewal.
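
Which parameters end up under the signature, following the OAuth 1.0 base string rules (RFC 5849), shown as an added example that is not this library's own code: query parameters in the URL and Mapping content are signed, a string body is not. HMAC-SHA1 is an assumption about the signature method, and the function names, URL and key values are constructed for illustration.

```python
import base64
import hashlib
import hmac
from collections.abc import Mapping
from urllib.parse import parse_qsl, quote, urlsplit


def pct(value):
    """RFC 5849 percent-encoding: only unreserved characters stay literal."""
    return quote(str(value), safe="-._~")


def signed_parameters(url, content, oauth_params):
    """Return the sorted, encoded (name, value) pairs the signature covers."""
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    if isinstance(content, Mapping):      # a str/bytes body is not signed
        params += list(content.items())
    params += list(oauth_params.items())
    return sorted((pct(k), pct(v)) for k, v in params)


def base_string(method, url, content, oauth_params):
    """Build the signature base string (default-port stripping omitted)."""
    parts = urlsplit(url)
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    pairs = signed_parameters(url, content, oauth_params)
    normalized = "&".join(f"{k}={v}" for k, v in pairs)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])


def sign(base, consumer_secret, token_secret=""):
    """HMAC-SHA1 signature; an empty token secret means a 2-legged request."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    digest = hmac.new(key, base.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


# Constructed sample values, not real credentials.
OAUTH = {
    "oauth_consumer_key": "example-key",
    "oauth_nonce": "4f2a9c",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1300000000",
    "oauth_version": "1.0",
}
API = "https://api.example.com/photos"
IN_URL = base_string("get", API + "?size=original&file=a.jpg", {}, OAUTH)
AS_MAPPING = base_string("GET", API, {"file": "a.jpg", "size": "original"}, OAUTH)
AS_STRING = base_string("GET", API, "file=a.jpg&size=original", OAUTH)
```

IN_URL and AS_MAPPING are identical, while AS_STRING carries no trace of the file and size parameters, so a provider cannot detect tampering with a string body from the signature alone.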


Validates the incoming 2 legged signed request. This is useful for signed requests from OpenSocial Containers such as YAP.

It calls OAuthRequest.validate_signature which throws an OAuthError if the signature validation fails.

FIXME Missing nonce validation.


A decorator for Django views to validate incoming signed requests. This is for 2 legged signed requests. This is useful for requests from OpenSocial Containers such as YAP.

It will render this template when it receives an invalid signature:


FIXME Missing nonce validation.
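
One way to close the gap named in both FIXME notes, as an added example that is not part of this library: a signature check alone accepts the same signed request any number of times, so the nonce and timestamp are tracked per consumer after the signature validates. The NonceGuard class, its 300-second window and the sample parameter values are assumptions made for illustration.

```python
import time


class NonceGuard:
    """Replay check to run after signature validation (hypothetical helper).

    Checking only after the signature validates keeps unauthenticated
    senders from filling the store. This store is per-process; several
    workers need a shared one (cache or database) with an atomic add.
    """

    def __init__(self, max_skew=300, clock=time.time):
        self.max_skew = max_skew   # accepted clock difference in seconds
        self.clock = clock         # injectable so tests control time
        self._seen = {}            # (consumer, timestamp, nonce) -> expiry

    def check(self, params):
        """Return 'ok', 'malformed', 'stale' or 'replay' for one request."""
        now = self.clock()
        try:
            consumer = params["oauth_consumer_key"]
            nonce = params["oauth_nonce"]
            timestamp = int(params["oauth_timestamp"])
        except (KeyError, TypeError, ValueError):
            return "malformed"
        if not consumer or not nonce:
            return "malformed"
        if abs(now - timestamp) > self.max_skew:
            return "stale"
        # Drop entries whose timestamp can no longer pass the window check.
        for key in [k for k, exp in self._seen.items() if exp < now]:
            del self._seen[key]
        key = (consumer, timestamp, nonce)
        if key in self._seen:
            return "replay"
        self._seen[key] = timestamp + self.max_skew
        return "ok"


def sample_params(nonce, timestamp, consumer="example-key"):
    """Constructed OAuth parameters as they arrive on a signed request."""
    return {"oauth_consumer_key": consumer, "oauth_nonce": nonce,
            "oauth_timestamp": str(timestamp)}
```

A nonce is remembered for exactly as long as its timestamp would still be accepted, so the store stays bounded and an expired entry can never be replayed.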


The view that triggers the access token flow by sending the user to the authorization URL. If you wish to show the user a message, you may provide a template named:


The template will be provided an authorization_url in the context.

If you do not provide a template, the user will be redirected there immediately.

success_auth(request, oauth_token=None)

The view that handles a successful OAuth Authorization flow from the user’s side. The Service Provider redirect returns the user here. If you wish to show the user a message here before continuing to the original URL that triggered the access token flow, you may provide a template named:


The template will be provided the access_token and the next_url (the original URL the user visited that triggered the access token flow).

If you do not provide a template, the view will simply redirect the user back to the original URL.

Provides the URLs for this application instance. These must be included for the access token flow to work.