Python SDK for the Authlib
Project description
AuthLib
A Python authentication library that provides JWT, OAuth2, and API token authentication with PostgreSQL backend. This library is designed for seamless integration with Flask applications and provides a robust set of endpoints and utilities for user management, authentication, and API token handling.
Table of Contents
Installation
pip install -e .
Quick Start
from flask import Flask
from authlib import AuthManager
app = Flask(__name__)
auth = AuthManager(
app=app,
db_dsn="postgresql://user:pass@localhost/dbname",
jwt_secret="your-secret-key",
oauth_config={
"google": {
"client_id": "your-client-id",
"client_secret": "your-client-secret"
}
}
)
@app.route("/protected")
@auth.require_auth(roles=["admin"])
def protected_route():
return "Protected content"
AuthManager's blueprint now registers a global error handler for
AuthError and authenticates requests for all of its routes by default.
Authenticated users are made available as flask.g.requesting_user.
Only the login, OAuth, token refresh, registration and role listing
endpoints are exempt from this check.
Configuration
Required Parameters
app: Flask application instancedb_dsn: PostgreSQL connection stringjwt_secret: Secret key for JWT signing
Optional Parameters
oauth_config: Dictionary of OAuth provider configurations (see below)token_expiry: JWT token expiry time in seconds (default: 3600)refresh_token_expiry: Refresh token expiry time in seconds (default: 2592000)
Example oauth_config:
{
"google": {
"client_id": "...",
"client_secret": "..."
},
"github": {
"client_id": "...",
"client_secret": "..."
}
}
API Endpoints
Authentication
POST /api/v1/users/login- Login with username/password- Request:
{ "username": "string", "password": "string" } - Response:
{ "token": "jwt", "refresh_token": "jwt", "user": { ... } }
- Request:
POST /api/v1/users/login/oauth- Get OAuth redirect URL- Request:
{ "provider": "google|github|..." } - Response:
{ "redirect_url": "string" }
- Request:
GET /api/v1/users/login/oauth2callback- OAuth callback- Query Params:
code,state,provider - Response:
{ "token": "jwt", "refresh_token": "jwt", "user": { ... } }
- Query Params:
POST /api/v1/users/token-refresh- Refresh JWT token- Request:
{ "refresh_token": "jwt" } - Response:
{ "token": "jwt", "refresh_token": "jwt" }
- Request:
User Management
POST /api/v1/users/register- Register new user- Request:
{ "username": "string", "password": "string", "email": "string", ... } - Response:
{ "user": { ... }, "token": "jwt", "refresh_token": "jwt" }
- Request:
GET /api/v1/users/login/profile- Get user profile- Auth: Bearer JWT
- Response:
{ "user": { ... } }
GET /api/v1/users/roles- Get available roles- Response:
[ "admin", "user", ... ]
- Response:
API Tokens
POST /api/v1/users/{user}/api-tokens- Create API token- Request:
{ "name": "string", "scopes": [ ... ] } - Response:
{ "token": "string", "id": "uuid", ... }
- Request:
GET /api/v1/users/{user}/api-tokens- List API tokens- Response:
[ { "id": "uuid", "name": "string", ... } ]
- Response:
DELETE /api/v1/users/{user}/api-tokens/{token_id}- Delete API token- Response:
{ "success": true }
- Response:
Authentication Flow
- Login:
- User submits credentials to
/api/v1/users/login. - Receives JWT and refresh token.
- User submits credentials to
- Token Refresh:
- Use
/api/v1/users/token-refreshwith refresh token to get new JWT.
- Use
- OAuth:
- Get redirect URL from
/api/v1/users/login/oauth. - Complete OAuth flow via
/api/v1/users/login/oauth2callback.
- Get redirect URL from
- Protected Routes:
- All routes inside the provided blueprint are authenticated by default.
The authenticated user can be accessed via
g.requesting_user. Use@auth.require_auth()to protect custom routes in your application.
- All routes inside the provided blueprint are authenticated by default.
The authenticated user can be accessed via
User Object
The user object returned by the API typically includes:
{
"id": "uuid",
"username": "string",
"email": "string",
"roles": ["user", "admin"],
"created_at": "timestamp",
"last_login": "timestamp"
}
Token Management
- JWT: Used for authenticating API requests. Include in
Authorization: Bearer <token>header. - Refresh Token: Used to obtain new JWTs without re-authenticating.
- API Tokens: Long-lived tokens for programmatic access, managed per user.
Development
Setup
- Clone the repository
- Create virtual environment:
python -m venv venv
venv\Scripts\activate
- Install dependencies:
pip install -e ".[dev]"
Database Setup
createdb authlib
python -m authlib.cli db init
Running Tests
pytest
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file the37lab_authlib-0.1.1750836881.tar.gz.
File metadata
- Download URL: the37lab_authlib-0.1.1750836881.tar.gz
- Upload date:
- Size: 11.7 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.12.4
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
bf7238e2eaea70f4da5f0416dbe87223f42ffd2c9d7d127a7aac1d9c3800c29d
|
|
| MD5 |
7750c7a2f9c5184dbfef1b26d0b84a4c
|
|
| BLAKE2b-256 |
04e3c9aacca78db74538013b9007368cb18dc9dabf9194b87c1a78a69a23321e
|
File details
Details for the file the37lab_authlib-0.1.1750836881-py3-none-any.whl.
File metadata
- Download URL: the37lab_authlib-0.1.1750836881-py3-none-any.whl
- Upload date:
- Size: 11.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.12.4
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
52e7415498de8fcec5ca61603d7c64084bf6332ef267c215f592ff9b73e02418
|
|
| MD5 |
4c1502bd6086ddce22ec5a1b0a5717e9
|
|
| BLAKE2b-256 |
162b3eafe5129a2bf82bcc2ce4a55ce003a5a9345d0aa6ee20fbf28a2f3dbe54
|
