[scrollaway]

Yes, auth between Django and a PWA is not a solved problem. It seems people just give up and go the hosted auth route or something.

But it's also really not that difficult. Auth just takes a lot of practice for people to grok so most people don't want to touch it.

I'll open source something once we're done solving the problem cleanly at my company.

[tga]

There is no canned way to do it in one shot, but using regular Django session authentication together with a PWA frontend hosted separately is not that difficult.

The actual authentication remains on the Django app, using the standard way of POSTing to a login form and receiving a session cookie -- only instead of a server-generated page serving a HTML form, you have the PWA lipstick sending data directly. This approach is so much simpler than dealing with id/access/refresh tokens, encryption keys, black lists, and all of the OIDC dance.