close

Articles Home » Programming Languages » Implementing OAuth Authentication in Python Web Apps

Implementing OAuth Authentication in Python Web Apps

OAuth (Open Authorization) is an open standard for access delegation, commonly used for token-based authentication and authorization. It enables third-party applications to access a user’s resources without exposing their credentials. OAuth is widely used to enable user logins via Google, Facebook, GitHub, and other service providers. This tutorial will guide you through implementing OAuth authentication in Python web applications using Flask and a popular OAuth library, Authlib.

1. Introduction to OAuth

OAuth is a framework that allows applications to secure designated access. The core functionality of OAuth is to provide client applications a ‘secure delegated access’ to server resources on behalf of a resource owner. It is important to understand the different roles in OAuth:

  • Resource Owner: The user who authorizes an application to access their account.
  • Client: The application requesting access to the resource owner’s account.
  • Resource Server: The server hosting the protected resources.
  • Authorization Server: The server issuing access tokens to the client after successfully authenticating the resource owner and obtaining authorization.

OAuth typically involves the following steps:

  1. The client requests authorization from the resource owner.
  2. The resource owner grants authorization via an authorization grant.
  3. The client uses the authorization grant to obtain an access token from the authorization server.
  4. The client uses the access token to access protected resources on the resource server.

2. Setting Up the Environment

Before diving into coding, you need to set up your development environment. Ensure you have Python 3.7+ installed. You’ll also need pip to manage your packages.

Create a virtual environment for your project to manage dependencies:

python3 -m venv venv
source venv/bin/activate  # On Windows, use `venv\Scripts\activate`Code language: Bash (bash)

Install the necessary packages:

pip install Flask Authlib requestsCode language: Bash (bash)

3. Building a Simple Flask App

Create a simple Flask application to serve as the base for your OAuth implementation. First, create a directory for your project and navigate into it:

mkdir flask_oauth_app
cd flask_oauth_appCode language: Bash (bash)

Create a file named app.py and add the following code:

from flask import Flask, redirect, url_for, session

app = Flask(__name__)
app.secret_key = 'supersecretkey'  # Replace with your own secret key

@app.route('/')
def home():
    return 'Welcome to the OAuth Demo!'

if __name__ == '__main__':
    app.run(debug=True)Code language: Python (python)

Run the Flask application:

python app.pyCode language: Bash (bash)

Open your web browser and navigate to http://127.0.0.1:5000/. You should see “Welcome to the OAuth Demo!”.

4. Integrating Authlib

Authlib is a comprehensive OAuth library for Python that simplifies the implementation of OAuth authentication. Install Authlib if you haven’t already:

pip install AuthlibCode language: Bash (bash)

In your app.py, import the necessary components from Authlib and configure the OAuth client:

from authlib.integrations.flask_client import OAuth

# Initialize OAuth
oauth = OAuth(app)

# Configure the OAuth client
oauth.register(
    name='github',
    client_id='YOUR_GITHUB_CLIENT_ID',
    client_secret='YOUR_GITHUB_CLIENT_SECRET',
    authorize_url='https://github.com/login/oauth/authorize',
    authorize_params=None,
    access_token_url='https://github.com/login/oauth/access_token',
    access_token_params=None,
    refresh_token_url=None,
    client_kwargs={'scope': 'user:email'},
)Code language: Python (python)

Replace YOUR_GITHUB_CLIENT_ID and YOUR_GITHUB_CLIENT_SECRET with your actual GitHub OAuth credentials.

5. Configuring OAuth Providers

You need to register your application with the OAuth provider to get the client_id and client_secret. For this tutorial, we’ll use GitHub as the OAuth provider.

  1. Go to GitHub Developer Settings.
  2. Click on “New OAuth App”.
  3. Fill in the application details:
  • Application name: Flask OAuth App
  • Homepage URL: http://127.0.0.1:5000/
  • Authorization callback URL: http://127.0.0.1:5000/callback

After registering, GitHub will provide a Client ID and Client Secret. Use these credentials in your OAuth configuration.

6. Implementing OAuth Authentication Flow

Next, implement the OAuth authentication flow. Add a route for logging in with GitHub:

@app.route('/login')
def login():
    redirect_uri = url_for('authorize', _external=True)
    return oauth.github.authorize_redirect(redirect_uri)Code language: Python (python)

Add a route to handle the callback after the user authorizes your app:

@app.route('/callback')
def authorize():
    token = oauth.github.authorize_access_token()
    user = oauth.github.parse_id_token(token)
    session['user'] = user
    return redirect('/')Code language: Python (python)

In this code, authorize_redirect redirects the user to GitHub’s authorization page, and authorize_access_token exchanges the authorization code for an access token. The user’s information is then stored in the session.

7. Handling Callbacks and Token Exchange

When GitHub redirects back to your application with an authorization code, you need to exchange it for an access token. This is handled in the /callback route. Update your authorize function to fetch and store user information:

@app.route('/callback')
def authorize():
    token = oauth.github.authorize_access_token()
    resp = oauth.github.get('user', token=token)
    user_info = resp.json()
    session['user'] = user_info
    return redirect('/')Code language: Python (python)

This code fetches the authenticated user’s information from GitHub and stores it in the session.

Update the home route to display user information if they are logged in:

@app.route('/')
def home():
    user = session.get('user')
    if user:
        return f'Hello, {user["login"]}!'
    return 'Welcome to the OAuth Demo!'Code language: Python (python)

8. Securing Resources and Routes

To secure routes in your application, create a decorator that checks if the user is authenticated. If not, redirect them to the login page:

from functools import wraps
from flask import request

def login_required(f):
    @wraps(f)
    def decorated_function(*args, **kwargs):
        if 'user' not in session:
            return redirect(url_for('login', next=request.url))
        return f(*args, **kwargs)
    return decorated_functionCode language: Python (python)

Use this decorator on routes that require authentication:

@app.route('/profile')
@login_required
def profile():
    user = session['user']
    return f'Profile: {user["login"]}'Code language: Python (python)

9. Testing and Debugging

Test your application to ensure that the OAuth flow works correctly. Try logging in with GitHub, and verify that your application can fetch and display user information.

If you encounter issues, use Flask’s debugging tools to trace the problem. Common issues include incorrect callback URLs, misconfigured OAuth credentials, and network problems.

10. Enhancing the Application

Here are some ways to enhance your application:

  • Support Multiple OAuth Providers: Add configurations for other providers like Google, Facebook, or Twitter.
  • Token Management: Store access tokens securely and handle token expiration and refresh.
  • User Management: Implement a user database to store user information and preferences.
  • Error Handling: Add comprehensive error handling for various OAuth errors.
  • Logout Functionality: Implement a logout route to clear user sessions.

Example of supporting multiple providers:

oauth.register(
    name='google',
    client_id='YOUR_GOOGLE_CLIENT_ID',
    client_secret='YOUR_GOOGLE_CLIENT_SECRET',
    authorize_url='https://accounts.google.com/o/oauth2/auth',
    authorize_params=None,
    access_token_url='https://accounts.google.com/o/oauth2/token',
    access_token_params=None,
    refresh_token_url=None,
    client_kwargs={'scope': 'openid email profile'},
)Code language: Python (python)

11. Conclusion

In this tutorial, you learned how to implement OAuth authentication in a Python web application using Flask and Authlib. You now have a basic understanding of the OAuth flow and how to integrate it into your web app. With this foundation, you can expand your application to support multiple OAuth providers and add advanced features like token management and user databases.

Related posts: