OAuth2/OIDC authentication and authorization for Flask APIs. Supports authentication and claim-based fine-grained authorization (scopes, roles, permissions) using JWT tokens.
Verified details
These details have been verified by PyPIProject links
GitHub Statistics
Maintainers
Project description
axioms-flask-py 
OAuth2/OIDC authentication and authorization for Flask APIs. Supports authentication and claim-based fine-grained authorization (scopes, roles, permissions) using JWT tokens.
Works with access tokens issued by various authorization servers including AWS Cognito, Auth0, Okta, Microsoft Entra, etc.
Using FastAPI or Django REST Framework? This package is specifically for Flask. For FastAPI applications, use axioms-fastapi. For DRF applications, use axioms-drf-py.
Features
- JWT token validation with automatic JWKS retrieval and refresh
- Algorithm validation (only secure asymmetric algorithms allowed)
- Issuer validation to prevent token substitution attacks
- Middleware for automatic token extraction and validation
- Authorization decorators: scopes, roles, permissions
- Object-level permissions for row-level security
- Custom claim name support for different auth servers
- Safe methods support (e.g., OPTIONS for CORS)
Installation
pip install axioms-flask-py
Quick Start
1. Configure Flask app:
from flask import Flask
from flask_dotenv import DotEnv
from axioms_flask import init_axioms, setup_token_middleware, register_axioms_error_handler
app = Flask(__name__)
env = DotEnv(app)
init_axioms(app)
setup_token_middleware(app) # Optional: automatic token validation
register_axioms_error_handler(app)
2. Configure environment (.env):
AXIOMS_AUDIENCE=your-api-audience
AXIOMS_ISS_URL=https://your-auth.domain.com
3. Protect routes:
from axioms_flask.decorators import has_valid_access_token, has_required_permissions
@app.route('/api/protected')
@has_valid_access_token
def protected():
return {'message': 'Authenticated'}
@app.route('/api/admin')
@has_valid_access_token
@has_required_permissions(['admin:write'])
def admin():
return {'message': 'Authorized'}
Available Decorators
| Decorator | Purpose |
|---|---|
has_valid_access_token |
Validates JWT token (signature, expiry, audience, issuer) |
has_required_scopes |
Requires specific scopes in token |
has_required_roles |
Requires specific roles in token |
has_required_permissions |
Requires specific permissions in token |
check_object_ownership |
Validates user owns the resource (row-level security) |
require_ownership |
Simpler ownership check for pre-fetched objects |
Authorization Logic
OR Logic (default) - Requires ANY of the specified claims:
@app.route('/api/resource')
@has_valid_access_token
@has_required_scopes(['read', 'write']) # Needs read OR write
def resource():
return {'data': 'success'}
AND Logic - Chain decorators to require ALL claims:
@app.route('/api/admin')
@has_valid_access_token
@has_required_scopes(['read']) # Needs read
@has_required_scopes(['write']) # AND write
@has_required_roles(['admin']) # AND admin role
def admin():
return {'data': 'authorized'}
Examples
Scopes:
@app.route('/api/data')
@has_valid_access_token
@has_required_scopes(['openid', 'profile'])
def get_data():
return {'data': 'User data'}
Roles:
@app.route('/api/admin/users')
@has_valid_access_token
@has_required_roles(['admin', 'superuser'])
def manage_users():
return {'users': []}
Permissions:
@app.route('/api/posts', methods=['POST'])
@has_valid_access_token
@has_required_permissions(['posts:create'])
def create_post():
return {'id': 1, 'message': 'Post created'}
Object Ownership (Row-level security):
from axioms_flask.decorators import check_object_ownership
def get_article(article_id):
return Article.query.get_or_404(article_id)
@app.route('/articles/<int:article_id>', methods=['PATCH'])
@has_valid_access_token
@check_object_ownership(get_article, inject_as='article')
def update_article(article_id, article):
# Only owner can update (article.user must match token.sub)
article.title = request.json.get('title')
db.session.commit()
return {'id': article.id}
CORS Support:
@app.route('/api/resource', methods=['GET', 'OPTIONS'])
@has_valid_access_token # OPTIONS bypassed by default
@has_required_scopes(['read'])
def resource():
return {'data': 'success'}
Documentation
Full documentation: https://axioms-flask-py.abhishek-tiwari.com
License
MIT License - see LICENSE file for details.
Project details
Verified details
These details have been verified by PyPIProject links
GitHub Statistics
Maintainers
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file axioms_flask_py-0.0.20rc101763936053.tar.gz.
File metadata
- Download URL: axioms_flask_py-0.0.20rc101763936053.tar.gz
- Upload date:
- Size: 57.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
9b49549e3f98d9519163957bc09fb43284284d4222786a8b579ab79527569149
|
|
| MD5 |
88f195dc927b64c6bed292966b654418
|
|
| BLAKE2b-256 |
9bcbb9f5d14011dbffa9f7fff55e3fb2c120511a74c671166fd5c00bce6e40d4
|
Provenance
The following attestation bundles were made for axioms_flask_py-0.0.20rc101763936053.tar.gz:
Publisher:
release.yml on abhishektiwari/axioms-flask-py
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
axioms_flask_py-0.0.20rc101763936053.tar.gz -
Subject digest:
9b49549e3f98d9519163957bc09fb43284284d4222786a8b579ab79527569149 - Sigstore transparency entry: 718985687
- Sigstore integration time:
-
Permalink:
abhishektiwari/axioms-flask-py@cb986191c5ebe910e92af204ec1038556e92100c -
Branch / Tag:
refs/pull/10/merge - Owner: https://github.com/abhishektiwari
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@cb986191c5ebe910e92af204ec1038556e92100c -
Trigger Event:
pull_request
-
Statement type:
File details
Details for the file axioms_flask_py-0.0.20rc101763936053-py3-none-any.whl.
File metadata
- Download URL: axioms_flask_py-0.0.20rc101763936053-py3-none-any.whl
- Upload date:
- Size: 16.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
6b88591450f01276ed0612127769e6680432d9a96cb3e3c6b1a7ae77681f8a99
|
|
| MD5 |
bd6efdc156d902daefdbb245afe9d0bf
|
|
| BLAKE2b-256 |
313c86b57c6d374428c845116e2ed64611ee2ee0cb9e466aee65aa6be4aec25f
|
Provenance
The following attestation bundles were made for axioms_flask_py-0.0.20rc101763936053-py3-none-any.whl:
Publisher:
release.yml on abhishektiwari/axioms-flask-py
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
axioms_flask_py-0.0.20rc101763936053-py3-none-any.whl -
Subject digest:
6b88591450f01276ed0612127769e6680432d9a96cb3e3c6b1a7ae77681f8a99 - Sigstore transparency entry: 718985693
- Sigstore integration time:
-
Permalink:
abhishektiwari/axioms-flask-py@cb986191c5ebe910e92af204ec1038556e92100c -
Branch / Tag:
refs/pull/10/merge - Owner: https://github.com/abhishektiwari
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@cb986191c5ebe910e92af204ec1038556e92100c -
Trigger Event:
pull_request
-
Statement type:
