Start with a design review and review of OAuth code. May want a full security review if we're storing private data, even though this will run in labs.
Demo site: https://secret-lowlands-75266.herokuapp.com/oauth/login (There's nothing at / right now, but /oauth/login will show you the logging-in part and create an account for you with the lowest level of privileges.)
These codebases are probably somewhat out of sync at this point, but the authorization parts are the same. Lots of parts are obviously not done, but again, the auth part is stable. The key file there is https://github.com/thatandromeda/TWLight/blob/master/TWLight/users/authorization.py .