Identity & Accounts
Overview
Identity & Accounts covers learner registration, login, authentication (including SSO), account settings, and learner profiles. This is the gateway to the platform — every learner must create and maintain an account to access courses.
The authentication surface has seen significant evolution: from Django session-based login to OAuth2-based JWT authentication, and from Django-rendered forms to dedicated MFEs (frontend-app-authn, frontend-app-account, frontend-app-profile).
Current State (2026)
- Registration/Login: `frontend-app-authn` MFE handles all registration, login, and password reset flows
- Account settings: `frontend-app-account` MFE for profile, privacy, notifications, connected accounts
- Public profile: `frontend-app-profile` MFE for learner profile pages
- SSO: SAML 2.0 and OAuth2-based SSO via `auth-backends` and `edx-platform` third-party auth
- JWT: All API authentication uses JWT tokens issued by the LMS (`/oauth2/` endpoint)
- Enterprise SSO: B2B deployments often use enterprise SSO via `edx-enterprise` integration
Architecture
- Auth backend: Django + `python-social-auth` in `edx-platform` handles OAuth2 and SAML providers
- Session management: JWTs issued by LMS; stored in browser cookies; refreshed via `/login_refresh` endpoint
- User model: Custom `User` model in `edx-platform` with `UserProfile` for additional attributes
- Third-party auth: Pluggable social auth backends; supports Google, Microsoft, Apple, enterprise SAML
- Account API: REST API in `edx-platform` (`/api/user/v*`) consumed by account MFEs
Relevant Repositories
| Repository | Role in This Feature | Activity Level | Notes |
|---|---|---|---|
| openedx/frontend-app-authn | Registration and login MFE | High | Main auth flows |
| openedx/frontend-app-account | Account settings MFE | Medium | Profile, privacy |
| openedx/frontend-app-profile | Public learner profile MFE | Medium | Learner profile page |
| openedx/auth-backends | SSO backend implementations | Medium | SAML, OAuth2 |
| openedx/openedx-platform | User models, auth API, JWT issuance | High | Core auth layer |
Recent Changes
- `frontend-app-authn` MFE now the standard for registration/login
- Progressive JWT improvements (refresh flow, cookie security)
History
Origin
- Year introduced: 2012 (accounts launched with original edX)
- Initial implementation: Django session-based authentication; registration via Django form at `/register`
- Context: Standard Django auth extended with custom `UserProfile`; designed for large-scale self-registration
Key Milestones
| Year | Milestone | Teams / People Involved |
|---|---|---|
| 2012 | Basic Django registration and login | Unknown |
| ~2015 | Third-party auth (social login) added | Unknown |
| ~2017–2018 | OAuth2/JWT migration begins | Unknown |
| ~2020–2021 | frontend-app-authn MFE begins replacing Django views | Unknown |
| ~2022 | SAML SSO improvements for enterprise | Unknown |
People Who Shaped This Area
- Engineering: Unknown — open question for interview
- Product: Unknown — open question for interview
- Design: Unknown — open question for interview
Open Questions
- [ ] When was the transition from session-based auth to JWT-based auth? What drove it?
- [ ] Who designed the third-party auth (social login) integration?
- [ ] What are the most common SSO configurations in enterprise deployments?
- [ ] How was the user model designed originally, and what limitations has it created over time?
- [ ] When was `frontend-app-authn` MFE initiated and who led it?
- [ ] How does registration differ between open-registration deployments and invitation-only enterprise deployments?