Understanding AUTHENTICATION_BACKENDS

Time:01-06

I am trying to understand how things work when one writes the following in settings.py:

AUTHENTICATION_BACKENDS = (
    "django.contrib.auth.backends.ModelBackend",
    "allauth.account.auth_backends.AuthenticationBackend",
    "master_password.auth.ModelBackend"
)

In particular, the documentation states:

If a backend raises a PermissionDenied exception, authentication will immediately fail. Django won’t check the backends that follow.

Given this, how can the second and the third backend in the above example get a chance when a user has entered an incorrect password and the first backend has denied him access? More specifically, the third backend pertains to django-master-password, which should let the user in if he used a master password even if it does not match the user's password. So, how will that backend ever get a chance?

CodePudding user response:

From the docs:

Django tries authenticating across all of its authentication backends. If the first authentication method fails, Django tries the second one, and so on, until all backends have been attempted.

django.contrib.auth.backends.ModelBackend (if I recall correctly) does not raise PermissionDenied, so if authentication fails on it, the succeeding authentication backends will be used until a match is found.

The order of AUTHENTICATION_BACKENDS matters, so if the same username and password are valid in multiple backends, Django will stop processing at the first positive match.

If you find that it does raise PermissionDenied, then that model backend would probably be better placed at the end of your AUTHENTICATION_BACKENDS list.
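
A simplified model of the backend loop described in the answer above, added here as an illustration; it is not code from Django, django-master-password, or the original post. The backend classes, the sample user and the master password value are constructed, and PermissionDenied is a local stand-in for django.core.exceptions.PermissionDenied.

```python
# Simplified model of the backend loop; not Django's source code.
import hmac

class PermissionDenied(Exception):
    """Local stand-in for django.core.exceptions.PermissionDenied."""

USERS = {"alice": "alice-password"}      # constructed sample data
MASTER_PASSWORD = "constructed-master"   # constructed sample value

def _same(a, b):
    # Constant-time comparison of two strings.
    return hmac.compare_digest(a.encode(), b.encode())

class PasswordBackend:
    """Acts like ModelBackend on a mismatch: returns None, does not raise."""
    def authenticate(self, username, password):
        stored = USERS.get(username)
        if stored is not None and _same(stored, password):
            return username
        return None

class MasterPasswordBackend:
    """Hypothetical: accepts one shared password for any existing user."""
    def authenticate(self, username, password):
        if username in USERS and _same(MASTER_PASSWORD, password):
            return username
        return None

class LockoutBackend:
    """Hypothetical: vetoes every attempt for a locked account."""
    def __init__(self, locked):
        self.locked = set(locked)
    def authenticate(self, username, password):
        if username in self.locked:
            raise PermissionDenied(username)
        return None

def authenticate(backends, username, password):
    """Return (user, name of the accepting backend), or (None, None)."""
    for backend in backends:
        try:
            user = backend.authenticate(username, password)
        except PermissionDenied:
            break       # veto: later backends are never consulted
        if user is None:
            continue    # no match here: fall through to the next backend
        return user, type(backend).__name__
    return None, None
```

With `[PasswordBackend(), MasterPasswordBackend()]`, the master password is accepted by the second backend even though the first one rejected it, and placing `LockoutBackend` first stops the chain for a locked user while placing it last does not.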
