Middleware

django-entra-auth provides two middleware components that offer different functionality:

  1. LoginRequiredMiddleware - Forces login for all views

  2. TokenLifecycleMiddleware - Manages access token lifecycle (refreshing, encryption, etc.)

Login Required Middleware

django-entra-auth ships with a middleware class named LoginRequiredMiddleware. You can use it to force an unauthenticated user to log in by redirecting them to the URL specified in Django’s LOGIN_URL setting, without having to add code to every view.

By default, authentication is not enforced for the page defined in the LOGIN_URL setting or for the Entra ID redirect page. You can exempt additional pages by setting LOGIN_EXEMPT_URLS. Have a look at the Settings Reference for more information.

To enable the middleware, add it to MIDDLEWARE in settings.py (or MIDDLEWARE_CLASSES if using Django <1.10). Make sure to add it after any other session or authentication middleware, so that all other ways of identifying the user are tried first.

In your settings.py file, add the following:

MIDDLEWARE = (
    ...
    'django_entra_auth.middleware.LoginRequiredMiddleware',
)

ENTRA_AUTH = {
    ...
    "LOGIN_EXEMPT_URLS": ["api/", "public/"],
    ...
}

Token Lifecycle Middleware

The TokenLifecycleMiddleware extends django-entra-auth beyond authentication to also manage the complete lifecycle of access tokens. It enables:

  • Storing and encrypting tokens in the user’s session

  • Automatically refreshing tokens before they expire

  • Accessing Microsoft Graph API with OBO tokens

  • Optionally logging out users when token refresh fails

Basic configuration:

MIDDLEWARE = [
    # ... other middleware
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django_entra_auth.middleware.TokenLifecycleMiddleware',  # Add this line
    # ... other middleware
]

ENTRA_AUTH = {
    # other settings
    "TOKEN_REFRESH_THRESHOLD": 300,  # refresh 5 minutes before expiry
    "STORE_OBO_TOKEN": True,         # enable OBO token storage
    "LOGOUT_ON_TOKEN_REFRESH_FAILURE": False,  # don't log out on refresh failure
}
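The following is an added example, not code from django-entra-auth: it models the refresh decision that TOKEN_REFRESH_THRESHOLD and LOGOUT_ON_TOKEN_REFRESH_FAILURE describe, so you can see what each setting changes on a request. The helper names, the session dict layout and the plain-text token storage are assumptions made for the illustration (the real middleware encrypts what it stores in the session).

```python
"""Added example (not django-entra-auth's own code): a plain-Python model of the
per-request token lifecycle decision.  Names, session layout and the refresh
callback are assumptions; Django itself is not needed to run it."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Optional

# A refresh callback takes the refresh token and returns (new_access_token,
# new_expiry_epoch) on success, or None when the identity provider rejects it.
RefreshFn = Callable[[str], Optional[tuple[str, int]]]


@dataclass
class Decision:
    action: str      # "keep", "refreshed", "keep_stale" or "logout"
    expires_at: int  # access-token expiry (epoch seconds) after the decision


def needs_refresh(expires_at: int, now: int, threshold: int) -> bool:
    """True when the token expires within `threshold` seconds, or already has.
    Treating an already-expired token as 'needs refresh' avoids sending a dead
    token to Graph just because the user was idle past expiry."""
    return expires_at - now <= threshold


def apply_lifecycle(session: dict, now: int, settings: dict, refresh: RefreshFn) -> Decision:
    """Hypothetical per-request hook mirroring the page's two settings."""
    threshold = settings.get("TOKEN_REFRESH_THRESHOLD", 300)
    expires_at = session["token_expires_at"]
    if not needs_refresh(expires_at, now, threshold):
        return Decision("keep", expires_at)
    result = refresh(session["refresh_token"])
    if result is None:
        if settings.get("LOGOUT_ON_TOKEN_REFRESH_FAILURE", False):
            session.clear()  # end the Django login together with the stored tokens
            return Decision("logout", 0)
        # Default behaviour: stay logged in; downstream Graph calls may now fail.
        return Decision("keep_stale", expires_at)
    new_token, new_expiry = result
    session["access_token"] = new_token
    session["token_expires_at"] = new_expiry
    return Decision("refreshed", new_expiry)


if __name__ == "__main__":
    # Constructed sample session: token valid until epoch 1000, threshold 300s.
    cfg = {"TOKEN_REFRESH_THRESHOLD": 300, "LOGOUT_ON_TOKEN_REFRESH_FAILURE": False}
    sess = {"access_token": "old", "refresh_token": "rt", "token_expires_at": 1000}
    print(apply_lifecycle(sess, 600, cfg, lambda rt: ("new", 4200)).action)  # keep
    print(apply_lifecycle(sess, 800, cfg, lambda rt: ("new", 4200)).action)  # refreshed
```

With LOGOUT_ON_TOKEN_REFRESH_FAILURE left at False, a failed refresh leaves the user logged in with a token that Graph will reject, which is the trade-off the setting exists to make explicit.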

Note

For complete documentation on the Token Lifecycle system, including detailed configuration options, security considerations, and usage examples, see the Token Lifecycle Middleware section.