Skip to main content


Project description

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
See the License for the specific language governing permissions and
limitations under the License.

Description: # Flask JWT OIDC

### Simple OIDC JWT extension to protect APIs
This is a fairly simple extension that should require minimal setup for OIDC standard services.

Currently it's testing against Keycloak, but will be adding in example configs and testing for:
- Keycloak
- dex
- Google
- Amazon IAM
- Auth0

### Alternatives
There are some great alternatives that are not so opinionated and provide more support for general JWTs
Check out: [**Flask-JWT-Simple**](

### Example(s)
There is one example under
It uses pytest and sets up a dummy JWT to be used in the tests.
### Configuration
Create a .env file, or OS configmap, shell exports, etc.
export JWT_OIDC_WELL_KNOWN_CONFIG="https://KEYCLOAK-SERVICE/auth/realms/REALM-NAME/.well-known/openid-configuration"
export JWT_OIDC_AUDIENCE="keycloak-client"
export JWT_OIDC_CLIENT_SECRET="keycloak-client-secret"

Create a config file, that reads in the environment variables:

from os import environ as env
from dotenv import load_dotenv, find_dotenv

ENV_FILE = find_dotenv()

class Config(object):


Create a flask script that to use the JWT services

Note: that roles can be checked as either *decorators* managing access to the function, or as a *function* call that returns True/False for finer grained access control in the body of the function.

from flask import Flask, jsonify
from flask_cors import cross_origin
from config import Config
from flask_jwt_oidc import AuthError, JwtManager

app = Flask(__name__)


def get_roles(dict):
return dict['realm_access']['roles']
app.config['JWT_ROLE_CALLBACK'] = get_roles

jwt = JwtManager(app)

@cross_origin(headers=["Content-Type", "Authorization"])
@cross_origin(headers=["Access-Control-Allow-Origin", "*"]) # IRL you'd scope this to set domains
def secure():
"""A Bearer JWT is required to get a response from this endpoint
return jsonify(message="The is a secured endpoint. You provided a valid Bearer JWT to access it.")

@cross_origin(headers=["Content-Type", "Authorization"])
@cross_origin(headers=["Access-Control-Allow-Origin", "*"]) # IRL you'd scope this to a real domain
def secure_with_roles():
"""valid access token and assigned roles are required
if jwt.validate_roles("names_editor"):
return jsonify(message="This is a secured endpoint, where roles were examined in the body of the procedure! "
"You provided a valid JWT token")

raise AuthError({
"code": "Unauthorized",
"description": "You don't have access to this resource"
}, 403)

@cross_origin(headers=["Content-Type", "Authorization"])
@cross_origin(headers=["Access-Control-Allow-Origin", "*"]) # IRL you'd scope this to a real domain
def secure_deco_roles():
"""valid access token and assigned roles are required
return jsonify(message="This is a secured endpoint. "
"The roles were checked before entering the body of the procedure! "
"You provided a valid JWT token")

if __name__ == "__main__":

## Thanks
The following folks have provided help, feedback, PRs, etc:
- Jamie Lennox
- James Hollinger

- add tests
- add more examples
- add tests for the OIDC service providers listed above

Keywords: flask extension development
Platform: any
Classifier: Development Status :: 0.1.3 - Beta
Classifier: Environment :: Web API
Classifier: Intended Audience :: Developers
Classifier: License :: OSI Approved :: Apache 2.0 License
Classifier: Operating System :: MacOS :: MacOS X
Classifier: Operating System :: Microsoft :: Windows
Classifier: Operating System :: POSIX
Classifier: Programming Language :: Python
Classifier: Topic :: Communications :: Email
Classifier: Topic :: Software Development :: GitHub Issue Tracking
Classifier: Topic :: Software Development :: Libraries :: Python Modules

Project details

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Files for flask-jwt-oidc, version 0.1.5
Filename, size File type Python version Upload date Hashes
Filename, size flask_jwt_oidc-0.1.5-py3-none-any.whl (11.8 kB) File type Wheel Python version py3 Upload date Hashes View
Filename, size flask_jwt_oidc-0.1.5.tar.gz (9.7 kB) File type Source Python version None Upload date Hashes View

Supported by

Pingdom Pingdom Monitoring Google Google Object Storage and Download Analytics Sentry Sentry Error logging AWS AWS Cloud computing DataDog DataDog Monitoring Fastly Fastly CDN DigiCert DigiCert EV certificate StatusPage StatusPage Status page