Developer Interface¶
This part of the documentation covers the interface of Flask-OAuthlib.
Client Reference¶
-
class
flask_oauthlib.client.
OAuth
(app=None)¶ Registry for remote applications.
Parameters: app – the app instance of Flask Create an instance with Flask:
oauth = OAuth(app)
-
init_app
(app)¶ Init app with Flask instance.
You can also pass the instance of Flask later:
oauth = OAuth() oauth.init_app(app)
-
remote_app
(name, register=True, **kwargs)¶ Registers a new remote application.
Parameters: - name – the name of the remote application
- register – whether the remote app will be registered
Find more parameters from
OAuthRemoteApp
.
-
-
class
flask_oauthlib.client.
OAuthRemoteApp
(oauth, name, base_url=None, request_token_url=None, access_token_url=None, authorize_url=None, consumer_key=None, consumer_secret=None, rsa_key=None, signature_method=None, request_token_params=None, request_token_method=None, access_token_params=None, access_token_method=None, access_token_headers=None, content_type=None, app_key=None, encoding='utf-8')¶ Represents a remote application.
Parameters: - oauth – the associated
OAuth
object - name – the name of the remote application
- base_url – the base url for every request
- request_token_url – the url for requesting new tokens
- access_token_url – the url for token exchange
- authorize_url – the url for authorization
- consumer_key – the application specific consumer key
- consumer_secret – the application specific consumer secret
- request_token_params – an optional dictionary of parameters to forward to the request token url or authorize url depending on oauth version
- request_token_method – the HTTP method that should be used for
the access_token_url. Default is
GET
- access_token_params – an optional dictionary of parameters to forward to the access token url
- access_token_method – the HTTP method that should be used for
the access_token_url. Default is
GET
- access_token_headers – additonal headers that should be used for the access_token_url.
- content_type – force to parse the content with this content_type, usually used when the server didn’t return the right content type.
New in version 0.3.0.
Parameters: app_key – lazy load configuration from Flask app config with this app key Returns a redirect response to the remote authorization URL with the signed callback given.
Parameters: - callback – a redirect url for the callback
- state – an optional value to embed in the OAuth request. Use this if you want to pass around application state (e.g. CSRF tokens).
- kwargs – add optional key/value pairs to the query string
Handles an OAuth callback.
Changed in version 0.7: @authorized_handler is deprecated in favor of authorized_response.
Handles authorization response smartly.
-
handle_oauth1_response
(args)¶ Handles an oauth1 authorization response.
-
handle_oauth2_response
(args)¶ Handles an oauth2 authorization response.
-
handle_unknown_response
()¶ Handles a unknown authorization response.
-
request
(url, data=None, headers=None, format='urlencoded', method='GET', content_type=None, token=None)¶ Sends a request to the remote server with OAuth tokens attached.
Parameters: - data – the data to be sent to the server.
- headers – an optional dictionary of headers.
- format – the format for the data. Can be urlencoded for URL encoded data or json for JSON.
- method – the HTTP request method to use.
- content_type – an optional content type. If a content type is provided, the data is passed as it, and the format is ignored.
- token – an optional token to pass, if it is None, token will be generated by tokengetter.
-
tokengetter
(f)¶ Register a function as token getter.
- oauth – the associated
-
class
flask_oauthlib.client.
OAuthResponse
(resp, content, content_type=None)¶ -
status
¶ The status code of the response.
-
-
class
flask_oauthlib.client.
OAuthException
(message, type=None, data=None)¶
OAuth1 Provider¶
-
class
flask_oauthlib.provider.
OAuth1Provider
(app=None)¶ Provide secure services using OAuth1.
Like many other Flask extensions, there are two usage modes. One is binding the Flask app instance:
app = Flask(__name__) oauth = OAuth1Provider(app)
The second possibility is to bind the Flask app later:
oauth = OAuth1Provider() def create_app(): app = Flask(__name__) oauth.init_app(app) return app
And now you can protect the resource with realms:
@app.route('/api/user') @oauth.require_oauth('email', 'username') def user(): return jsonify(request.oauth.user)
-
access_token_handler
(f)¶ Access token handler decorator.
The decorated function should return an dictionary or None as the extra credentials for creating the token response.
If you don’t need to add any extra credentials, it could be as simple as:
@app.route('/oauth/access_token') @oauth.access_token_handler def access_token(): return {}
-
after_request
(f)¶ Register functions to be invoked after accessing the resource.
The function accepts
valid
andrequest
as parameters, and it should return a tuple of them:@oauth.after_request def valid_after_request(valid, oauth): if oauth.user in black_list: return False, oauth return valid, oauth
Authorization handler decorator.
This decorator will sort the parameters and headers out, and pre validate everything:
@app.route('/oauth/authorize', methods=['GET', 'POST']) @oauth.authorize_handler def authorize(*args, **kwargs): if request.method == 'GET': # render a page for user to confirm the authorization return render_template('oauthorize.html') confirm = request.form.get('confirm', 'no') return confirm == 'yes'
-
before_request
(f)¶ Register functions to be invoked before accessing the resource.
The function accepts nothing as parameters, but you can get information from Flask.request object. It is usually useful for setting limitation on the client request:
@oauth.before_request def limit_client_request(): client_key = request.values.get('client_key') if not client_key: return client = Client.get(client_key) if over_limit(client): return abort(403) track_request(client)
-
clientgetter
(f)¶ Register a function as the client getter.
The function accepts one parameter client_key, and it returns a client object with at least these information:
- client_key: A random string
- client_secret: A random string
- redirect_uris: A list of redirect uris
- default_realms: Default scopes of the client
The client may contain more information, which is suggested:
- default_redirect_uri: One of the redirect uris
Implement the client getter:
@oauth.clientgetter def get_client(client_key): client = get_client_model(client_key) # Client is an object return client
When consumer confirm the authrozation.
-
error_uri
¶ The error page URI.
When something turns error, it will redirect to this error page. You can configure the error page URI with Flask config:
OAUTH1_PROVIDER_ERROR_URI = '/error'
You can also define the error page by a named endpoint:
OAUTH1_PROVIDER_ERROR_ENDPOINT = 'oauth.error'
-
grantgetter
(f)¶ Register a function as the request token getter.
The function accepts a token parameter, and it returns an request token object contains:
- client: Client associated with this token
- token: Access token
- secret: Access token secret
- realms: Realms with this access token
- redirect_uri: A URI for redirecting
Implement the token getter:
@oauth.tokengetter def get_request_token(token): return RequestToken.get(token=token)
-
grantsetter
(f)¶ Register a function as the request token setter.
The setter accepts a token and request parameters:
@oauth.grantsetter def save_request_token(token, request): data = RequestToken( token=token['oauth_token'], secret=token['oauth_token_secret'], client=request.client, redirect_uri=oauth.redirect_uri, realms=request.realms, ) return data.save()
-
init_app
(app)¶ This callback can be used to initialize an application for the oauth provider instance.
-
noncegetter
(f)¶ Register a function as the nonce and timestamp getter.
The function accepts parameters:
- client_key: The client/consure key
- timestamp: The
oauth_timestamp
parameter - nonce: The
oauth_nonce
parameter - request_token: Request token string, if any
- access_token: Access token string, if any
A nonce and timestamp make each request unique. The implementation:
@oauth.noncegetter def get_nonce(client_key, timestamp, nonce, request_token, access_token): return Nonce.get("...")
-
noncesetter
(f)¶ Register a function as the nonce and timestamp setter.
The parameters are the same with
noncegetter()
:@oauth.noncegetter def save_nonce(client_key, timestamp, nonce, request_token, access_token): data = Nonce("...") return data.save()
The timestamp will be expired in 60s, it would be a better design if you put timestamp and nonce object in a cache.
-
request_token_handler
(f)¶ Request token handler decorator.
The decorated function should return an dictionary or None as the extra credentials for creating the token response.
If you don’t need to add any extra credentials, it could be as simple as:
@app.route('/oauth/request_token') @oauth.request_token_handler def request_token(): return {}
-
require_oauth
(*realms, **kwargs)¶ Protect resource with specified scopes.
-
server
¶ All in one endpoints. This property is created automaticly if you have implemented all the getters and setters.
-
tokengetter
(f)¶ Register a function as the access token getter.
The function accepts client_key and token parameters, and it returns an access token object contains:
- client: Client associated with this token
- user: User associated with this token
- token: Access token
- secret: Access token secret
- realms: Realms with this access token
Implement the token getter:
@oauth.tokengetter def get_access_token(client_key, token): return AccessToken.get(client_key=client_key, token=token)
-
tokensetter
(f)¶ Register a function as the access token setter.
The setter accepts two parameters at least, one is token, the other is request:
@oauth.tokensetter def save_access_token(token, request): access_token = AccessToken( client=request.client, user=request.user, token=token['oauth_token'], secret=token['oauth_token_secret'], realms=token['oauth_authorized_realms'].split(' '), ) return access_token.save()
The parameter token is a dict, that looks like:
{ u'oauth_token': u'arandomstringoftoken', u'oauth_token_secret': u'arandomstringofsecret', u'oauth_authorized_realms': u'email address' }
The request object would provide these information (at least):
- client: Client object associated with this token - user: User object associated with this token - request_token: Requst token for exchanging this access token
-
verifiergetter
(f)¶ Register a function as the verifier getter.
The return verifier object should at least contain a user object which is the current user.
The implemented code looks like:
@oauth.verifiergetter def load_verifier(verifier, token): data = Verifier.get(verifier) if data.request_token == token: # check verifier for safety return data return data
-
verifiersetter
(f)¶ Register a function as the verifier setter.
A verifier is better together with request token, but it is not required. A verifier is used together with request token for exchanging access token, it has an expire time, in this case, it would be a better design if you put them in a cache.
The implemented code looks like:
@oauth.verifiersetter def save_verifier(verifier, token, *args, **kwargs): data = Verifier( verifier=verifier['oauth_verifier'], request_token=token, user=get_current_user() ) return data.save()
-
-
class
flask_oauthlib.provider.
OAuth1RequestValidator
(clientgetter, tokengetter, tokensetter, grantgetter, grantsetter, noncegetter, noncesetter, verifiergetter, verifiersetter, config=None)¶ Subclass of Request Validator.
Parameters: - clientgetter – a function to get client object
- tokengetter – a function to get access token
- tokensetter – a function to save access token
- grantgetter – a function to get request token
- grantsetter – a function to save request token
- noncegetter – a function to get nonce and timestamp
- noncesetter – a function to save nonce and timestamp
-
allowed_signature_methods
¶ Allowed signature methods.
Default value: SIGNATURE_HMAC and SIGNATURE_RSA.
You can customize with Flask Config:
- OAUTH1_PROVIDER_SIGNATURE_METHODS
-
enforce_ssl
¶ Enforce SSL request.
Default is True. You can customize with:
- OAUTH1_PROVIDER_ENFORCE_SSL
-
get_access_token_secret
(client_key, token, request)¶ Get access token secret.
The access token object should a
secret
attribute.
-
get_client_secret
(client_key, request)¶ Get client secret.
The client object must has
client_secret
attribute.
-
get_default_realms
(client_key, request)¶ Default realms of the client.
-
get_realms
(token, request)¶ Realms for this request token.
-
get_redirect_uri
(token, request)¶ Redirect uri for this request token.
-
get_request_token_secret
(client_key, token, request)¶ Get request token secret.
The request token object should a
secret
attribute.
-
get_rsa_key
(client_key, request)¶ Retrieves a previously stored client provided RSA key.
-
invalidate_request_token
(client_key, request_token, request)¶ Invalidates a used request token.
-
save_access_token
(token, request)¶ Save access token to database.
A tokensetter is required, which accepts a token and request parameters:
def tokensetter(token, request): access_token = Token( client=request.client, user=request.user, token=token['oauth_token'], secret=token['oauth_token_secret'], realms=token['oauth_authorized_realms'], ) return access_token.save()
-
save_request_token
(token, request)¶ Save request token to database.
A grantsetter is required, which accepts a token and request parameters:
def grantsetter(token, request): grant = Grant( token=token['oauth_token'], secret=token['oauth_token_secret'], client=request.client, redirect_uri=oauth.redirect_uri, realms=request.realms, ) return grant.save()
-
save_verifier
(token, verifier, request)¶ Save verifier to database.
A verifiersetter is required. It would be better to combine request token and verifier together:
def verifiersetter(token, verifier, request): tok = Grant.query.filter_by(token=token).first() tok.verifier = verifier['oauth_verifier'] tok.user = get_current_user() return tok.save()
Note:
A user is required on verifier, remember to attach current user to verifier.
-
validate_access_token
(client_key, token, request)¶ Validates access token is available for client.
-
validate_client_key
(client_key, request)¶ Validates that supplied client key.
-
validate_realms
(client_key, token, request, uri=None, realms=None)¶ Check if the token has permission on those realms.
-
validate_redirect_uri
(client_key, redirect_uri, request)¶ Validate if the redirect_uri is allowed by the client.
-
validate_request_token
(client_key, token, request)¶ Validates request token is available for client.
-
validate_timestamp_and_nonce
(client_key, timestamp, nonce, request, request_token=None, access_token=None)¶ Validate the timestamp and nonce is used or not.
-
validate_verifier
(client_key, token, verifier, request)¶ Validate verifier exists.
-
verify_realms
(token, realms, request)¶ Verify if the realms match the requested realms.
-
verify_request_token
(token, request)¶ Verify if the request token is existed.
OAuth2 Provider¶
-
class
flask_oauthlib.provider.
OAuth2Provider
(app=None, validator_class=None)¶ Provide secure services using OAuth2.
The server should provide an authorize handler and a token hander, But before the handlers are implemented, the server should provide some getters for the validation.
Like many other Flask extensions, there are two usage modes. One is binding the Flask app instance:
app = Flask(__name__) oauth = OAuth2Provider(app)
The second possibility is to bind the Flask app later:
oauth = OAuth2Provider() def create_app(): app = Flask(__name__) oauth.init_app(app) return app
Configure
tokengetter()
andtokensetter()
to get and set tokens. Configuregrantgetter()
andgrantsetter()
to get and set grant tokens. Configureclientgetter()
to get the client.Configure
usergetter()
if you need password credential authorization.With everything ready, implement the authorization workflow:
authorize_handler()
for consumer to confirm the granttoken_handler()
for client to exchange access token
And now you can protect the resource with scopes:
@app.route('/api/user') @oauth.require_oauth('email', 'username') def user(): return jsonify(request.oauth.user)
-
after_request
(f)¶ Register functions to be invoked after accessing the resource.
The function accepts
valid
andrequest
as parameters, and it should return a tuple of them:@oauth.after_request def valid_after_request(valid, oauth): if oauth.user in black_list: return False, oauth return valid, oauth
Authorization handler decorator.
This decorator will sort the parameters and headers out, and pre validate everything:
@app.route('/oauth/authorize', methods=['GET', 'POST']) @oauth.authorize_handler def authorize(*args, **kwargs): if request.method == 'GET': # render a page for user to confirm the authorization return render_template('oauthorize.html') confirm = request.form.get('confirm', 'no') return confirm == 'yes'
-
before_request
(f)¶ Register functions to be invoked before accessing the resource.
The function accepts nothing as parameters, but you can get information from Flask.request object. It is usually useful for setting limitation on the client request:
@oauth.before_request def limit_client_request(): client_id = request.values.get('client_id') if not client_id: return client = Client.get(client_id) if over_limit(client): return abort(403) track_request(client)
-
clientgetter
(f)¶ Register a function as the client getter.
The function accepts one parameter client_id, and it returns a client object with at least these information:
- client_id: A random string
- client_secret: A random string
- is_confidential: A bool represents if it is confidential
- redirect_uris: A list of redirect uris
- default_redirect_uri: One of the redirect uris
- default_scopes: Default scopes of the client
The client may contain more information, which is suggested:
- allowed_grant_types: A list of grant types
- allowed_response_types: A list of response types
- validate_scopes: A function to validate scopes
Implement the client getter:
@oauth.clientgetter def get_client(client_id): client = get_client_model(client_id) # Client is an object return client
When consumer confirm the authorization.
-
error_uri
¶ The error page URI.
When something turns error, it will redirect to this error page. You can configure the error page URI with Flask config:
OAUTH2_PROVIDER_ERROR_URI = '/error'
You can also define the error page by a named endpoint:
OAUTH2_PROVIDER_ERROR_ENDPOINT = 'oauth.error'
-
exception_handler
(f)¶ Register a function as custom exception handler.
As the default error handling is leaking error to the client, it is STRONGLY RECOMMENDED to implement your own handler to mask the server side errors in production environment.
When an error occur during execution, we can handle the error with with the registered function. The function accepts two parameters:
- error: the error raised
- redirect_content: the content used in the redirect by default
- usage with the flask error handler ::
@oauth.exception_handler def custom_exception_handler(error, *args):
raise error@app.errorhandler(Exception) def all_exception_handler(*args):
# any treatment you need for the error return “Server error”, 500
If no function is registered, it will do a redirect with
redirect_content
as content.
-
grantgetter
(f)¶ Register a function as the grant getter.
The function accepts client_id, code and more:
@oauth.grantgetter def grant(client_id, code): return get_grant(client_id, code)
It returns a grant object with at least these information:
- delete: A function to delete itself
-
grantsetter
(f)¶ Register a function to save the grant code.
The function accepts client_id, code, request and more:
@oauth.grantsetter def set_grant(client_id, code, request, *args, **kwargs): save_grant(client_id, code, request.user, request.scopes)
-
init_app
(app)¶ This callback can be used to initialize an application for the oauth provider instance.
-
invalid_response
(f)¶ Register a function for responsing with invalid request.
When an invalid request proceeds to
require_oauth()
, we can handle the request with the registered function. The function accepts one parameter, which is an oauthlib Request object:@oauth.invalid_response def invalid_require_oauth(req): return jsonify(message=req.error_message), 401
If no function is registered, it will return with
abort(401)
.
-
require_oauth
(*scopes)¶ Protect resource with specified scopes.
-
revoke_handler
(f)¶ Access/refresh token revoke decorator.
Any return value by the decorated function will get discarded as defined in [RFC7009].
You can control the access method with the standard flask routing mechanism, as per [RFC7009] it is recommended to only allow the POST method:
@app.route('/oauth/revoke', methods=['POST']) @oauth.revoke_handler def revoke_token(): pass
-
server
¶ All in one endpoints. This property is created automaticly if you have implemented all the getters and setters.
However, if you are not satisfied with the getter and setter, you can create a validator with
OAuth2RequestValidator
:class MyValidator(OAuth2RequestValidator): def validate_client_id(self, client_id): # do something return True
And assign the validator for the provider:
oauth._validator = MyValidator()
-
token_handler
(f)¶ Access/refresh token handler decorator.
The decorated function should return an dictionary or None as the extra credentials for creating the token response.
You can control the access method with standard flask route mechanism. If you only allow the POST method:
@app.route('/oauth/token', methods=['POST']) @oauth.token_handler def access_token(): return None
-
tokengetter
(f)¶ Register a function as the token getter.
The function accepts an access_token or refresh_token parameters, and it returns a token object with at least these information:
- access_token: A string token
- refresh_token: A string token
- client_id: ID of the client
- scopes: A list of scopes
- expires: A datetime.datetime object
- user: The user object
The implementation of tokengetter should accepts two parameters, one is access_token the other is refresh_token:
@oauth.tokengetter def bearer_token(access_token=None, refresh_token=None): if access_token: return get_token(access_token=access_token) if refresh_token: return get_token(refresh_token=refresh_token) return None
-
tokensetter
(f)¶ Register a function to save the bearer token.
The setter accepts two parameters at least, one is token, the other is request:
@oauth.tokensetter def set_token(token, request, *args, **kwargs): save_token(token, request.client, request.user)
The parameter token is a dict, that looks like:
{ u'access_token': u'6JwgO77PApxsFCU8Quz0pnL9s23016', u'token_type': u'Bearer', u'expires_in': 3600, u'scope': u'email address' }
The request is an object, that contains an user object and a client object.
-
usergetter
(f)¶ Register a function as the user getter.
This decorator is only required for password credential authorization:
@oauth.usergetter def get_user(username, password, client, request, *args, **kwargs): # client: current request client if not client.has_password_credential_permission: return None user = User.get_user_by_username(username) if not user.validate_password(password): return None # parameter `request` is an OAuthlib Request object. # maybe you will need it somewhere return user
-
verify_request
(scopes)¶ Verify current request, get the oauth data.
If you can’t use the
require_oauth
decorator, you can fetch the data in your request body:def your_handler(): valid, req = oauth.verify_request(['email']) if valid: return jsonify(user=req.user) return jsonify(status='error')
-
class
flask_oauthlib.provider.
OAuth2RequestValidator
(clientgetter, tokengetter, grantgetter, usergetter=None, tokensetter=None, grantsetter=None)¶ Subclass of Request Validator.
Parameters: - clientgetter – a function to get client object
- tokengetter – a function to get bearer token
- tokensetter – a function to save bearer token
- grantgetter – a function to get grant token
- grantsetter – a function to save grant token
-
authenticate_client
(request, *args, **kwargs)¶ Authenticate itself in other means.
Other means means is described in Section 3.2.1.
-
authenticate_client_id
(client_id, request, *args, **kwargs)¶ Authenticate a non-confidential client.
Parameters: - client_id – Client ID of the non-confidential client
- request – The Request object passed by oauthlib
-
client_authentication_required
(request, *args, **kwargs)¶ Determine if client authentication is required for current request.
According to the rfc6749, client authentication is required in the following cases:
Resource Owner Password Credentials Grant: see Section 4.3.2. Authorization Code Grant: see Section 4.1.3. Refresh Token Grant: see Section 6.
-
confirm_redirect_uri
(client_id, code, redirect_uri, client, *args, **kwargs)¶ Ensure client is authorized to redirect to the redirect_uri.
This method is used in the authorization code grant flow. It will compare redirect_uri and the one in grant token strictly, you can add a validate_redirect_uri function on grant for a customized validation.
-
confirm_scopes
(refresh_token, scopes, request, *args, **kwargs)¶ Ensures the requested scope matches the scope originally granted by the resource owner. If the scope is omitted it is treated as equal to the scope originally granted by the resource owner.
DEPRECATION NOTE: This method will cease to be used in oauthlib>0.4.2, future versions of
oauthlib
use the validator methodget_original_scopes
to determine the scope of the refreshed token.
-
get_default_redirect_uri
(client_id, request, *args, **kwargs)¶ Default redirect_uri for the given client.
-
get_default_scopes
(client_id, request, *args, **kwargs)¶ Default scopes for the given client.
-
get_original_scopes
(refresh_token, request, *args, **kwargs)¶ Get the list of scopes associated with the refresh token.
This method is used in the refresh token grant flow. We return the scope of the token to be refreshed so it can be applied to the new access token.
Invalidate an authorization code after use.
We keep the temporary code in a grant, which has a delete function to destroy itself.
-
revoke_token
(token, token_type_hint, request, *args, **kwargs)¶ Revoke an access or refresh token.
Persist the authorization code.
-
save_bearer_token
(token, request, *args, **kwargs)¶ Persist the Bearer token.
-
validate_bearer_token
(token, scopes, request)¶ Validate access token.
Parameters: - token – A string of random characters
- scopes – A list of scopes
- request – The Request object passed by oauthlib
The validation validates:
- if the token is available
- if the token has expired
- if the scopes are available
-
validate_client_id
(client_id, request, *args, **kwargs)¶ Ensure client_id belong to a valid and active client.
-
validate_code
(client_id, code, client, request, *args, **kwargs)¶ Ensure the grant code is valid.
-
validate_grant_type
(client_id, grant_type, client, request, *args, **kwargs)¶ Ensure the client is authorized to use the grant type requested.
It will allow any of the four grant types (authorization_code, password, client_credentials, refresh_token) by default. Implemented allowed_grant_types for client object to authorize the request.
It is suggested that allowed_grant_types should contain at least authorization_code and refresh_token.
-
validate_redirect_uri
(client_id, redirect_uri, request, *args, **kwargs)¶ Ensure client is authorized to redirect to the redirect_uri.
This method is used in the authorization code grant flow and also in implicit grant flow. It will detect if redirect_uri in client’s redirect_uris strictly, you can add a validate_redirect_uri function on grant for a customized validation.
-
validate_refresh_token
(refresh_token, client, request, *args, **kwargs)¶ Ensure the token is valid and belongs to the client
This method is used by the authorization code grant indirectly by issuing refresh tokens, resource owner password credentials grant (also indirectly) and the refresh token grant.
-
validate_response_type
(client_id, response_type, client, request, *args, **kwargs)¶ Ensure client is authorized to use the response type requested.
It will allow any of the two (code, token) response types by default. Implemented allowed_response_types for client object to authorize the request.
-
validate_scopes
(client_id, scopes, client, request, *args, **kwargs)¶ Ensure the client is authorized access to requested scopes.
-
validate_user
(username, password, client, request, *args, **kwargs)¶ Ensure the username and password is valid.
Attach user object on request for later using.
Contrib Reference¶
Here are APIs provided by contributors.
-
flask_oauthlib.contrib.oauth2.
bind_sqlalchemy
(provider, session, user=None, client=None, token=None, grant=None, current_user=None)¶ Configures the given
OAuth2Provider
instance with the required getters and setters for persistence with SQLAlchemy.An example of using all models:
oauth = OAuth2Provider(app) bind_sqlalchemy(oauth, session, user=User, client=Client, token=Token, grant=Grant, current_user=current_user)
You can omit any model if you wish to register the functions yourself. It is also possible to override the functions by registering them afterwards:
oauth = OAuth2Provider(app) bind_sqlalchemy(oauth, session, user=User, client=Client, token=Token) @oauth.grantgetter def get_grant(client_id, code): pass @oauth.grantsetter def set_grant(client_id, code, request, *args, **kwargs): pass # register tokensetter with oauth but keeping the tokengetter # registered by `SQLAlchemyBinding` # You would only do this for the token and grant since user and client # only have getters @oauth.tokensetter def set_token(token, request, *args, **kwargs): pass
Note that current_user is only required if you’re using SQLAlchemy for grant caching. If you’re using another caching system with GrantCacheBinding instead, omit current_user.
Parameters: - provider –
OAuth2Provider
instance - session – A
Session
object - user –
User
model - client –
Client
model - token –
Token
model - grant –
Grant
model - current_user – function that returns a
User
object
- provider –
-
flask_oauthlib.contrib.oauth2.
bind_cache_grant
(app, provider, current_user, config_prefix='OAUTH2')¶ Configures an
OAuth2Provider
instance to use various caching systems to get and set the grant token. This removes the need to registergrantgetter()
andgrantsetter()
yourself.Parameters: - app – Flask application instance
- provider –
OAuth2Provider
instance - current_user – function that returns an
User
object - config_prefix – prefix for config
A usage example:
oauth = OAuth2Provider(app) app.config.update({'OAUTH2_CACHE_TYPE': 'redis'}) bind_cache_grant(app, oauth, current_user)
You can define which cache system you would like to use by setting the following configuration option:
OAUTH2_CACHE_TYPE = 'null' // memcache, simple, redis, filesystem
For more information on the supported cache systems please visit: Cache
flask_oauthlib.contrib.apps¶
The bundle of remote app factories for famous third platforms.
Usage:
from flask import Flask
from flask_oauthlib.client import OAuth
from flask_oauthlib.contrib.apps import github
app = Flask(__name__)
oauth = OAuth(app)
github.register_to(oauth, scope=['user:email'])
github.register_to(oauth, name='github2')
Of course, it requires consumer keys in your config:
GITHUB_CONSUMER_KEY = ''
GITHUB_CONSUMER_SECRET = ''
GITHUB2_CONSUMER_KEY = ''
GITHUB2_CONSUMER_SECRET = ''
Some apps with OAuth 1.0a such as Twitter could not accept the scope
argument.
Contributed by: tonyseek
-
flask_oauthlib.contrib.apps.
douban
()¶ The OAuth app for douban.com API.
Parameters: scope – optional. default: ['douban_basic_common']
. see also: http://developers.douban.com/wiki/?title=oauth2
-
flask_oauthlib.contrib.apps.
dropbox
()¶ The OAuth app for Dropbox API.
-
flask_oauthlib.contrib.apps.
facebook
()¶ The OAuth app for Facebook API.
Parameters: scope – optional. default: ['email']
.
-
flask_oauthlib.contrib.apps.
github
()¶ The OAuth app for GitHub API.
Parameters: scope – optional. default: ['user:email']
.
-
flask_oauthlib.contrib.apps.
google
()¶ The OAuth app for Google API.
Parameters: scope – optional. default: ['email']
.
-
flask_oauthlib.contrib.apps.
linkedin
()¶ The OAuth app for LinkedIn API.
Parameters: scope – optional. default: ['r_basicprofile']
-
flask_oauthlib.contrib.apps.
twitter
()¶ The OAuth app for Twitter API.
-
flask_oauthlib.contrib.apps.
weibo
()¶ The OAuth app for weibo.com API.
Parameters: scope – optional. default: ['email']