django-allauth icon indicating copy to clipboard operation
django-allauth copied to clipboard

Published 20 hours ago verified publisher icon pennersr

Allauth pulls in more dependencies than necessary

Open julen opened this issue 10 years ago • 11 comments

As a default, Allauth is pulling dependencies which are specific to social authentication providers. While this enables people to have quickly working any of the shipped social authentication providers by adding the specific modules to INSTALLED_APPS, it's assuming users will already use social authentication, and makes a broad guess and includes dependencies to cover all of the shipped providers.

I understand the reasoning behind this, although it looks unnecessary, so I was wondering if you'd be willing to reconsider the situation.

julen avatar May 07 '15 07:05 julen

Also, if running tests require these deps, they can perfectly go in test_requirements.

julen avatar May 07 '15 07:05 julen

Any thoughts on this @pennersr?

julen avatar Jul 22 '15 21:07 julen

If you are only using the account app without any social provider, you indeed do not need requests or python-openid. I am not sure how this could be cleanly handled. Splitting allauth up into two separate python packages would solve that, but that's not something high on my priority list right now. Any concrete proposals?

pennersr avatar Jul 22 '15 21:07 pennersr

An option would be to require optional dependencies in setuptool's extras_require field. Then you should be able to install these optional packages via pip install django-allauth[extras] or similar.

Also note that socialaccount providers don't necessarily depend on requests or python-openid, even if the vast majority of them do.

julen avatar Jul 22 '15 22:07 julen

That's true, but then you need to choose between:

  1. Just one big django-allauth[social]

  2. By protocol: django-allauth[oauth] and django-allauth[openid]

  3. Micro managing by provider: django-allauth[twitter]

pennersr avatar Jul 23 '15 19:07 pennersr

Omniauth in Ruby-land uses option 3 - separate gems for separate providers. Makes sense, if fiddly to implement at the dev setup end.

doctorlard avatar Aug 10 '15 22:08 doctorlard

Also related to #459 and is an extra thing to do for option (a). There is a valid case for some meditation on how to handle vanilla allauth vs allauth[social].

My official vote for #459 is now option (a). I was on the fence but the idea of users being able to install "vanilla" allauth, which would work entirely without installing allauth.socialaccount scratches my OCD code organizing itch. I don't know the code base well enough to know how big of a refactor this would but it seems like the ROI on making some decisions and executing is pretty big. This would definitely be a QoL improvement i'd like to see.

derek-adair avatar Aug 17 '23 12:08 derek-adair

@derek-adair I think we can keep this issue separate from #459. The issue reported here is about pulling in dependencies, so, suppose you would install like this:

# Vanilla -- no additional dependencies, but Google et al would not work
pip install django-allauth 
# OAuth2 enabled, enabling Google -- pulls in requests, requests-oauthlib
pip install django-allauth[oauth2]
# SAML, OIDC and OAuth2 enabled -- pulls in requests, requests-oauthlib, python3-saml, ...
pip install django-allauth[saml,oauth2,openid_connect]
# Apple -- also pulls in pyjwt
pip install django-allauth[apple]

... then, the issue of pulling in unneeded dependencies is solved, without being dependent on #459.

pennersr avatar Aug 17 '23 19:08 pennersr

#459 is a blocker for this. Any references in templates to allauth.socialaccount will break for people who install vanilla allauth. We will need to clean up the inheritance references in templates before this can be done.

derek-adair avatar Aug 18 '23 12:08 derek-adair

@derek-adair Why is #459 a blocker? If you install vanilla, without any dependencies, but still make sure to add both the "account" and "socialaccount" app, then you won't run into #459, and, you don't pull in external dependencies.

pennersr avatar Aug 19 '23 09:08 pennersr

Oh i see. I misread your comment. I thought you were suggesting to split allauth and allauth[social] in addition to the individual providers -- i missed the comment where u outlined the three options. Option 3 seems good.

derek-adair avatar Aug 19 '23 10:08 derek-adair

The django-allauth required dependencies are now more fine grained. If you do not use any of the social account functionality, a pip install django-allauth will, e.g., no longer pull in dependencies for handling JWT. If you are using social account functionality, install using pip install django-allauth[socialaccount]. That will install the dependencies covering most common providers. If you are using the Steam provider, install using pip install django-allauth[socialaccount,steam].

pennersr avatar Apr 07 '24 20:04 pennersr

(see 8172ea9f)

pennersr avatar Apr 07 '24 20:04 pennersr