News
Showcasing allauth IdP: build an MCP server
Posted by Raymond Penners on 2026-05-29
Introduction: The allauth.idp (Identity Provider) package was introduced last year, yet it remains relatively unknown. What better way to put it on people's radar than building a demo? Given all the buzz around LLMs, let's showcase its capabilities by building an MCP server that authenticates via OIDC, using nothing but plain Django and django-allauth.
django-allauth 65.18.0 released
Posted by Raymond Penners on 2026-05-29
Noteworthy changes:
The password2 (password confirmation) field on the set/change/reset password forms now carries autocomplete="new-password", matching password1. This allows browser and password manager "suggest strong password" features to fill both fields as a pair.
IdP: Added support for Dynamic Client Registration.
django-allauth 65.17.0 released
Posted by Raymond Penners on 2026-05-20
Noteworthy changes:
Added new socialaccount provider: Klaviyo.
Rate limiting now truncates IPv6 addresses to their network prefix (default /64) to prevent bypass via address rotation. Configurable via ALLAUTH_RATE_LIMIT_IPV6_PREFIX.
Added authenticate_by_email hook to DefaultSocialAccountAdapter, allowing customization of user lookup and email matching during social login.
django-allauth 65.16.1 released
Posted by Raymond Penners on 2026-04-17
Security notice: The state parameter is a critical part of the OAuth2 handshake, used to prevent CSRF attacks. The Edx, AngelList and Questrade providers were originally added without state support, as these providers did not support it at the time.
django-allauth 65.16.0 released
Posted by Raymond Penners on 2026-04-13
Noteworthy changes:
MFA: You can now configure recovery codes to be only shown once (MFA_RECOVERY_CODES_SHOW_ONCE = True).
New signals for audit trail purposes: login_code_rejected, password_reset_code_rejected, email_verification_code_rejected (in allauth.account.signals) and authentication_failed (in allauth.mfa.signals).