Flask-OAuthlib is deprecated in favor of Authlib. Here is a guide on how to migrate an OAuth client from Flask-OAuthlib to Authlib. If you are new to Flask-OAuthlib, you don't have to read this post; instead, just head over to the Authlib Documentation on the Flask Client.
The OAuth client implementation in Flask-OAuthlib is very bad. I don't mean the API design; the API methods are quite good, and Authlib shares a similar API. However, Flask-OAuthlib uses the built-in urllib, which makes things terrible.
There was once a plan to replace it with requests, but it didn't happen until I made the new Authlib, which is another story. In Authlib, the client part is powered by requests, which handles HTTP well and correctly.
We will focus on the differences between Flask-OAuthlib and the Flask integration in Authlib, although Authlib has a Django integration as well.
The OAuth registries are similar, but take different parameters:
```python
# Flask-OAuthlib
from flask_oauthlib.client import OAuth

oauth = OAuth(app)
twitter = oauth.remote_app(
    'twitter',
    base_url='https://api.twitter.com/1.1/',
    request_token_url='https://api.twitter.com/oauth/request_token',
    access_token_url='https://api.twitter.com/oauth/access_token',
    authorize_url='https://api.twitter.com/oauth/authenticate',
    consumer_key='<your key here>',
    consumer_secret='<your secret here>',
)
```

```python
# Authlib
from authlib.integrations.flask_client import OAuth

oauth = OAuth(app)
twitter = oauth.register(
    'twitter',
    client_id='Twitter Consumer Key',
    client_secret='Twitter Consumer Secret',
    request_token_url='https://api.twitter.com/oauth/request_token',
    access_token_url='https://api.twitter.com/oauth/access_token',
    authorize_url='https://api.twitter.com/oauth/authenticate',
    api_base_url='https://api.twitter.com/1.1/',
)
```
The parameters of .remote_app (Flask-OAuthlib) and .register (Authlib) can also be loaded from configuration. See the differences in the official documentation:
- Flask-OAuthlib Lazy Configuration
- Authlib Flask Configuration
An OAuth authorization workflow has two steps in both Flask-OAuthlib and Authlib:
- redirect to the service's login page
- back to our authenticated page
In Flask-OAuthlib, it looks like:
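```python
from flask import redirect, url_for

@app.route('/login')
def login():
    # Step 1: send the user to the service's login page
    redirect_uri = url_for('authorize', _external=True)
    return oauth.twitter.authorize(callback=redirect_uri)

@app.route('/authorize')
def authorize():
    # Step 2: the service redirects back here
    # resp_data is None when the user denied the request
    resp_data = oauth.twitter.authorized_response()
    # do something with response data
    return redirect('/')
```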
In Authlib, it looks like:
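```python
from flask import redirect, url_for

@app.route('/login')
def login():
    # Step 1: send the user to the service's login page
    redirect_uri = url_for('authorize', _external=True)
    return oauth.twitter.authorize_redirect(redirect_uri)

@app.route('/authorize')
def authorize():
    # Step 2: the service redirects back here; exchange for the access token
    token = oauth.twitter.authorize_access_token()
    # do something with the token
    return redirect('/')
```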
The client parts are very simple: what you need to change is the initialization part and the authorization routes. There is nothing difficult.
If you want to access resources with methods like oauth.twitter.get(...), you need to make sure there is a ready-to-use access token. This part is very different between Flask-OAuthlib and Authlib.
In Flask-OAuthlib, it is handled by a decorator:
```python
@twitter.tokengetter
def get_twitter_oauth_token():
    token = fetch_from_somewhere()
    return token
```
The token returned by tokengetter can be a tuple or a dict. In Authlib, it can only be a dict, and Authlib doesn't use a decorator to fetch the token; instead, you pass this function to the registry:
```python
# register the two methods
oauth.register(
    'twitter',
    client_id='Twitter Consumer Key',
    client_secret='Twitter Consumer Secret',
    request_token_url='https://api.twitter.com/oauth/request_token',
    request_token_params=None,
    access_token_url='https://api.twitter.com/oauth/access_token',
    access_token_params=None,
    refresh_token_url=None,
    authorize_url='https://api.twitter.com/oauth/authenticate',
    api_base_url='https://api.twitter.com/1.1/',
    client_kwargs=None,
    # NOTICE HERE
    fetch_token=fetch_twitter_token,
    save_request_token=save_request_token,
    fetch_request_token=fetch_request_token,
)
```
Please note that Flask-OAuthlib saves the request token in Flask.session, which will expose the request token in HTTP transport (Flask's default session is a signed, but not encrypted, cookie that travels with every request). In Authlib, you need to save it somewhere else, such as a cache or database. Find more in the Authlib Documentation.
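As an added illustration (not code from Authlib or from this post), here is one way to keep the OAuth 1 request token server-side and to convert tokens stored in Flask-OAuthlib's tuple form into the dict Authlib expects. Assumptions: the in-process dict stands in for a cache or database, new_session_key, to_authlib_token and the TTL are hypothetical names and values, and the explicit session_key argument is this example's choice; in an app you would wrap these functions so they match the callback signatures your Authlib version documents.

```python
import secrets
import time

# Assumption: a plain dict stands in for the cache or database.
_REQUEST_TOKENS = {}
REQUEST_TOKEN_TTL = 600  # seconds; constructed value


def new_session_key():
    """Opaque random key; only this value goes into the browser session."""
    return secrets.token_urlsafe(32)


def save_request_token(session_key, token, now=None):
    """Keep the request token server-side, keyed by the opaque key."""
    now = time.time() if now is None else now
    _REQUEST_TOKENS[session_key] = (dict(token), now + REQUEST_TOKEN_TTL)


def fetch_request_token(session_key, now=None):
    """Return the stored request token once; None if missing or expired."""
    now = time.time() if now is None else now
    entry = _REQUEST_TOKENS.pop(session_key, None)  # single use
    if entry is None or entry[1] < now:
        return None
    return entry[0]


def to_authlib_token(token):
    """Convert a tokengetter result (tuple or dict) into a dict for Authlib."""
    if token is None:
        return None
    if isinstance(token, dict):
        return dict(token)
    if isinstance(token, (tuple, list)) and len(token) == 2:
        value, secret = token
        if secret:  # OAuth 1: (oauth_token, oauth_token_secret)
            return {'oauth_token': value, 'oauth_token_secret': secret}
        # OAuth 2: Flask-OAuthlib examples store (access_token, '')
        return {'access_token': value, 'token_type': 'bearer'}
    # Report only the type, never the token value itself
    raise TypeError('unsupported token shape: %s' % type(token).__name__)
```

A function passed as fetch_token can run its stored value through to_authlib_token before returning it, so tokens saved by the old tuple-based tokengetter keep working after the migration.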
There is an authorized_handler decorator in Flask-OAuthlib, which is not recommended anymore. This decorator is not in Authlib. You need to call oauth.twitter.authorize_access_token in the route yourself.
And we have a demo repo: https://github.com/authlib/demo-oauth-client
- Visit Authlib Homepage
- Get more information in Authlib Documentation
- Browse Authlib Source Code