Streamlit with Django or Flask authentication?

I’m trying to set up a tool to help a user to update a product catalog on an ecommerce platform and I’m hoping to use Streamlit to do so. I’ve figured out the data-processing part of this but I can’t seem to get a definitive yes or no about whether I can use Streamlit for the interactive portion of what I’m trying to do.

This is the basic workflow I’m trying to achieve:

  • User logs into website and creates an account - initial connection involves authenticating with their ecommerce platform account and getting their product catalog into my database - This would all happen in Django/Flask
  • The user could then launch an interactive page (streamlit) where they would be able to interact with the data in the database I’ve setup (limited in scope to what their account allows)
  • They would then be able to export, edit, or add new product data that would get pushed up to the ecommerce platform.

Streamlit seems to be able to do what I’d want, but I’m unclear on how to limit access to authenticated users. Is that possible?

Bringing the auth context from an outside application into Streamlit is tricky, or maybe I missed something. The problem is that something would have to read the user information / cookies, and I couldn’t figure out how to do this with the available feature set.

What I ended up doing was creating a token in the outer application that ties to the user’s information. I then pass this token via query params into Streamlit and bind it to his session id. This works until the user refreshes the page. When he does that, the session id renews and we would have to bind the token with the session id again.

In theory it should be possible to have the underlying Tornado read the cookies from your other server instance if you configure it correctly, but I suspect it’s probably a product decision to include this functionality as a proper and secure auth flow within Streamlit for Teams.


Hi @samLozier, welcome to the Streamlit community!

I don’t know the answer, as this has never come up before. In general, we haven’t spent much (if any) time thinking about integration with Flask or django, not because they aren’t quality projects, but they have somewhat different goals to where we started.

Like @jay mentions, it’s probably possible depending on how you call that authentication service, but it’s not something that currently exists.

One thing to keep in mind is that we wouldn’t be artificially limiting what Streamlit the open-source project would be doing in order to promote Streamlit for Teams (the commercial side of the company). I’d love to see someone in the community figure this out, incorporating with Flask/django just isn’t one of our higher priorities at this time.

> I’d love to see someone in the community figure this out, incorporating with Flask/django just isn’t one of our higher priorities at this time.

In that case I will give this a try on the weekend to see how complicated this will be, and if this looks reasonable I would open up an official request according to the guidelines and try an implementation?


Thanks for the feedback everyone. Jay, if you get something going this weekend and don’t mind sharing your progress, I’m definitely interested.


Hi @jay, just wondering have you figured out a way to incorporate Streamlit within Django apps?

Hey, so our current application is actually a Django app that is connected with an OAuth service for authentication. This writes a cookie for us and we managed to expose this cookie to the underlying Tornado server, so this should enable us to tie the session id of Streamlit to the cookie and thus allow us to uniquely identify users permanently. And from there we should be able to write additional data into the headers so that it can be grabbed from the application that imports Streamlit.

There are a few caveats in this though, which is ongoing research on our end.

  1. This requires a custom Streamlit compile or a proper contribution to work, as I don’t see any other way
  2. Your Streamlit server might have to run on the same domain as your Django app that’s setting the cookie (not 100% sure about that though)

I wanted to discuss this in more detail once I file a contribution request to see if the Streamlit product owners think this makes sense and also to get their feedback about our approach, as they have a much more detailed understanding of the underlying technology… Unfortunately, to do this properly it’ll probably take a bit, from what I’ve seen with previous contribution timelines.

I also would argue that this approach isn’t specific to any technology but should work universally with any service that can write cookies for auth (so pretty much all of them) - the trick is just to make them reusable within Tornado.
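
An added example, not code from this thread or from Streamlit: one way to make the token that the outer Django/Flask application hands to Streamlit (in a query parameter or a cookie, as discussed above) self-verifying, so the Streamlit side can re-check it on every page load rather than depend on a session-id binding that is lost on refresh. The names `SECRET`, `MAX_AGE`, `issue_token`, `verify_token` and the token layout are assumptions; the signature is HMAC-SHA256 from the Python standard library.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumption: one secret shared by the Django/Flask app and the Streamlit app,
# loaded from configuration in practice. This value is a constructed placeholder.
SECRET = b"constructed-demo-secret"
MAX_AGE = 300  # assumed token lifetime in seconds


def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sign(body: str) -> str:
    return b64(hmac.new(SECRET, body.encode(), hashlib.sha256).digest())


def issue_token(user_id: str, now: Optional[float] = None) -> str:
    """Outer app: mint a token once the user has authenticated there."""
    issued = time.time() if now is None else now
    claims = {"uid": user_id, "exp": int(issued) + MAX_AGE}
    body = b64(json.dumps(claims).encode())
    return f"{body}.{sign(body)}"


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Streamlit side: return the user id, or None if forged, malformed or expired."""
    current = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        # Constant-time comparison; check the signature before parsing the claims.
        if not hmac.compare_digest(sign(body).encode(), sig.encode()):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
        if claims["exp"] < current:
            return None
        return str(claims["uid"])
    except (ValueError, KeyError, TypeError, AttributeError):
        return None
```

A token carried in a query string ends up in browser history and server logs, so keep its lifetime short and filter every database query in the Streamlit page by the user id that `verify_token` returns.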