{"id":7238,"library":"flask-oauthlib","title":"Flask-OAuthlib","description":"Flask-OAuthlib is an extension for Flask that provides both OAuth client and provider functionalities, built upon the `oauthlib` core. It supports OAuth 1.0a and OAuth 2.0. The library's last release was 0.9.6 in September 2020. It is officially deprecated and not actively maintained; users are strongly encouraged to migrate to `Authlib` for current and future projects.","status":"deprecated","version":"0.9.6","language":"en","source_language":"en","source_url":"https://github.com/lepture/flask-oauthlib","tags":["Flask","OAuth","authentication","authorization","deprecated"],"install":[{"cmd":"pip install Flask-OAuthlib","lang":"bash","label":"Install latest version"}],"dependencies":[{"reason":"Core OAuth protocol implementation. Known to have version conflicts with Flask-OAuthlib.","package":"oauthlib","optional":false},{"reason":"The web framework it extends.","package":"Flask","optional":false}],"imports":[{"note":"OAuth class for client-side functionality is in the `client` submodule.","wrong":"from flask_oauthlib import OAuth","symbol":"OAuth","correct":"from flask_oauthlib.client import OAuth"},{"note":"For creating an OAuth 1.0a provider.","symbol":"OAuth1Provider","correct":"from flask_oauthlib.provider import OAuth1Provider"},{"note":"For creating an OAuth 2.0 provider.","symbol":"OAuth2Provider","correct":"from flask_oauthlib.provider import OAuth2Provider"}],"quickstart":{"code":"import os\nfrom flask import Flask, redirect, url_for, session, request\nfrom flask_oauthlib.client import OAuth\n\napp = Flask(__name__)\napp.debug = True\napp.secret_key = 'development'\n\n# NOTE: For local development over HTTP, you might need:\n# os.environ['OAUTHLIB_INSECURE_TRANSPORT'] = '1'\n\n# Configure your remote application details\n# Replace with your actual consumer_key and consumer_secret\n# These values should ideally come from environment variables for production\nREMOTE_APP_CLIENT_ID 
= os.environ.get('REMOTE_APP_CLIENT_ID', 'your_client_id')\nREMOTE_APP_CLIENT_SECRET = os.environ.get('REMOTE_APP_CLIENT_SECRET', 'your_client_secret')\n\n# Initialize OAuth\noauth = OAuth(app)\n\nremote_service = oauth.remote_app(\n    'remote_service',\n    consumer_key=REMOTE_APP_CLIENT_ID,\n    consumer_secret=REMOTE_APP_CLIENT_SECRET,\n    base_url='https://api.example.com/',\n    request_token_url=None, # OAuth 1.0a only; leave as None for OAuth 2.0\n    request_token_params={'scope': 'email profile'},\n    access_token_url='https://example.com/oauth/token',\n    authorize_url='https://example.com/oauth/authorize',\n    access_token_method='POST'\n)\n\n# The tokengetter tells the client where to find the stored token.\n# In a real app, this would load the token from a database record associated with the user\n@remote_service.tokengetter\ndef get_remote_service_token():\n    return session.get('remote_service_oauth_token')\n\n@app.route('/')\ndef index():\n    if 'remote_service_oauth_token' in session:\n        resp = remote_service.get('userinfo') # Example API call\n        return f'Logged in as {resp.data.get(\"email\")}<br><a href=\"/logout\">Logout</a>'\n    return '<p>Hello! 
<a href=\"/login\">Login with Remote Service</a></p>'\n\n@app.route('/login')\ndef login():\n    return remote_service.authorize(callback=url_for('authorized', _external=True))\n\n@app.route('/logout')\ndef logout():\n    session.pop('remote_service_oauth_token', None)\n    return redirect(url_for('index'))\n\n@app.route('/authorized')\ndef authorized():\n    resp = remote_service.authorized_response()\n    if resp is None or resp.get('access_token') is None:\n        # The error parameters come from the query string and are attacker-controlled:\n        # read them with .get() and answer in plain text so they are never rendered as HTML.\n        reason = request.args.get('error', 'unknown')\n        detail = request.args.get('error_description', 'unknown')\n        return (f'Access denied: reason={reason}, error={detail}',\n                {'Content-Type': 'text/plain; charset=utf-8'})\n    session['remote_service_oauth_token'] = (resp['access_token'], '') # OAuth2 bearer token, secret is empty\n    return redirect(url_for('index'))\n\nif __name__ == '__main__':\n    app.run(port=5000)\n","lang":"python","description":"This quickstart demonstrates a basic OAuth 2.0 client setup using `flask-oauthlib` to connect to a generic remote service. It configures a remote application, handles the authorization flow, stores the access token in the Flask session, and makes an example API call. Replace placeholder URLs and credentials with your actual OAuth provider details. Remember that `flask-oauthlib` is deprecated and this code serves mainly as a reference for existing implementations."},"warnings":[{"fix":"Migrate your application to use `Authlib` (https://authlib.org/). This often involves significant code changes due to different API designs.","message":"Flask-OAuthlib is officially deprecated and no longer maintained. Active development and support have shifted to the `Authlib` library. Continuing to use Flask-OAuthlib may expose your application to unpatched security vulnerabilities or compatibility issues with newer Python/Flask versions.","severity":"breaking","affected_versions":"All versions"},{"fix":"If you must use `flask-oauthlib`, pin `oauthlib` to a compatible version (e.g., `oauthlib==2.1.0`) and `requests-oauthlib` to an older version (e.g., `requests-oauthlib==1.1.0`). 
The recommended fix is to migrate to `Authlib`, which handles OAuthlib versions gracefully.","message":"There are known version conflicts between `flask-oauthlib` (which requires `oauthlib < 3.0.0`) and `requests-oauthlib` (which requires `oauthlib >= 3.0.0`). Installing both in the same environment often leads to dependency resolution errors.","severity":"breaking","affected_versions":"0.9.x"},{"fix":"Replace `@remote_service.authorized_handler` with the pattern shown in the quickstart using `remote_service.authorized_response()` within your callback route.","message":"The `@authorized_handler` decorator for handling OAuth callbacks was deprecated in version 0.7 in favor of the `authorized_response()` method. While still functional in 0.9.x, it's best to update.","severity":"deprecated","affected_versions":">=0.7.0"},{"fix":"Always include `request_token_params={'scope': 'your_required_scopes'}` when defining your `remote_app` or explicitly pass the `scope` parameter to `authorize()`.","message":"For OAuth2 client flows, ensure you specify a `scope` in `request_token_params` during `remote_app` configuration or in the `authorize` call. Omitting it can lead to 'Missing access credentials' or similar errors from the OAuth provider.","severity":"gotcha","affected_versions":"All versions"}],"env_vars":null,"last_verified":"2026-04-16T00:00:00.000Z","next_check":"2026-07-15T00:00:00.000Z","problems":[{"fix":"The recommended solution is to migrate to `Authlib`. If migration is not immediately possible, explicitly pin `oauthlib` and `requests-oauthlib` to compatible older versions: `pip install -I oauthlib==2.1.0 requests-oauthlib==1.1.0`.","cause":"Conflicting `oauthlib` version requirements when `flask-oauthlib` is installed alongside `requests-oauthlib` or other libraries that demand a newer `oauthlib` version. 
`flask-oauthlib` is incompatible with `oauthlib >= 3.0.0`.","error":"ERROR: flask-oauthlib 0.9.5 has requirement oauthlib!=2.0.3,!=2.0.4,!=2.0.5,<3.0.0,>=1.1.2, but you'll have oauthlib 3.1.0 which is incompatible."},{"fix":"Ensure that the `request_token_params={'scope': '...'}` is correctly defined when setting up `remote_app` or passed to the `authorize()` call, including all necessary scopes for the OAuth provider. Verify your client application's configuration on the OAuth provider's side.","cause":"This error typically indicates that the OAuth provider did not receive or accept the requested scopes, or that the client application lacks necessary permissions. A common reason is an omitted or incorrect `scope` parameter during the authorization request.","error":"Access denied: reason=..., error=Missing access credentials."}]}