{"id":4012,"library":"flask-oidc","title":"Flask-OIDC","description":"Flask-OIDC is an extension to Flask that allows you to add OpenID Connect based authentication to your website. It is currently at version 2.4.0 and sees regular releases, with several updates in the past year, indicating active maintenance and development.","status":"active","version":"2.4.0","language":"en","source_language":"en","source_url":"https://github.com/fedora-infra/flask-oidc","tags":["flask","oidc","openid","authentication","auth","security","web"],"install":[{"cmd":"pip install flask-oidc","lang":"bash","label":"Install stable version"}],"dependencies":[{"reason":"Core web framework dependency.","package":"Flask"},{"reason":"Underlying OAuth 2.0 and OpenID Connect implementation, Flask-OIDC was rebased on Authlib in version 2.0.0.","package":"Authlib"},{"reason":"HTTP client library used internally.","package":"requests"},{"reason":"Fast, simple object-to-object and broadcast signaling.","package":"blinker"}],"imports":[{"note":"The primary class for OIDC integration.","symbol":"OpenIDConnect","correct":"from flask_oidc import OpenIDConnect"},{"note":"Flask's global object, used to access OIDC user information after login (e.g., `g.oidc_user`).","symbol":"g","correct":"from flask import g"},{"note":"Flask's session object, stores 'oidc_auth_profile' for user information.","symbol":"session","correct":"from flask import session"}],"quickstart":{"code":"import os\nfrom flask import Flask, redirect, url_for, render_template_string, g, session\nfrom flask_oidc import OpenIDConnect\n\napp = Flask(__name__)\napp.config.update({\n    'SECRET_KEY': os.environ.get('FLASK_SECRET_KEY', 'a_very_secret_key_that_should_be_random'),\n    'OIDC_CLIENT_SECRETS': os.environ.get('OIDC_CLIENT_SECRETS_FILE', './client_secrets.json'),\n    'OIDC_REDIRECT_URI': os.environ.get('OIDC_REDIRECT_URI', 'http://localhost:5000/oidc_callback'),\n    'OIDC_SCOPES': ['openid', 'email', 'profile'],\n    'OIDC_COOKIE_SECURE': False, # Use True in production with HTTPS\n    'OIDC_CALLBACK_ROUTE': '/oidc_callback', # The default callback route.\n    'OIDC_REQUIRE_VERIFIED_EMAIL': False # Set to True for stricter validation\n})\n\noidc = OpenIDConnect(app)\n\nHTML_TEMPLATE = '''\n<!doctype html>\n<html lang=\"en\">\n<head><meta charset=\"utf-8\"></head>\n<body>\n    {% if g.oidc_user.is_authenticated() %}\n        Hello, {{ g.oidc_user.userinfo.get('preferred_username', 'User') }}!\n        <a href=\"{{ url_for('private') }}\">Access Protected Area</a>\n        <a href=\"{{ url_for('oidc_logout') }}\">Log Out</a>\n    {% else %}\n        Welcome, anonymous user!\n        <a href=\"{{ url_for('private') }}\">Log In</a>\n    {% endif %}\n</body>\n</html>\n'''\n\n@app.route('/')\ndef index():\n    return render_template_string(HTML_TEMPLATE)\n\n@app.route('/private')\n@oidc.require_login # Protect this route.\ndef private():\n    return f\"Hello, {g.oidc_user.userinfo.get('email')}! This is a protected area.\"\n\n@app.route('/logout')\ndef oidc_logout():\n    oidc.logout()\n    return redirect(url_for('index'))\n\n# Example client_secrets.json content (create this file next to your app.py):\n# {\n#   \"web\": {\n#     \"client_id\": \"YOUR_CLIENT_ID\",\n#     \"client_secret\": \"YOUR_CLIENT_SECRET\",\n#     \"auth_uri\": \"YOUR_PROVIDER_AUTH_URI\",\n#     \"token_uri\": \"YOUR_PROVIDER_TOKEN_URI\",\n#     \"userinfo_uri\": \"YOUR_PROVIDER_USERINFO_URI\",\n#     \"issuer\": \"YOUR_PROVIDER_ISSUER\",\n#     \"redirect_uris\": [\"http://localhost:5000/oidc_callback\"],\n#     \"token_introspection_uri\": \"YOUR_PROVIDER_TOKEN_INTROSPECTION_URI\" (optional)\n#   }\n# }\n\nif __name__ == '__main__':\n    # For local development, ensure OIDC_CLIENT_SECRETS_FILE points to a valid file.\n    # Replace with your actual OIDC provider details in client_secrets.json\n    # And set FLASK_SECRET_KEY in your environment.\n    # export FLASK_SECRET_KEY=\"a_strong_random_secret_key\"\n    # If using HTTP (not recommended for production), set OIDC_COOKIE_SECURE to False.\n    # Otherwise, ensure your application runs over HTTPS.\n    app.run(debug=True, port=5000)\n","lang":"python","description":"This quickstart demonstrates a basic Flask application integrated with Flask-OIDC. It configures the OIDC extension, protects a route using `oidc.require_login`, and provides simple login/logout functionality. Configuration details for your OIDC provider are expected in a `client_secrets.json` file. Ensure `FLASK_SECRET_KEY` and the `client_secrets.json` path are set, ideally via environment variables, and configure `OIDC_REDIRECT_URI` to match your registered callback URL."},"warnings":[{"fix":"Review the official documentation and migration guides for Authlib and Flask-OIDC v2.x. Many configuration options and API calls have changed or been removed. For example, `oidc.credentials_store` and other constructor parameters were removed.","message":"Version 2.0.0 represents a major rebase of Flask-OIDC's API on the Authlib library. This introduced significant breaking changes in how the library is configured and used compared to 1.x versions.","severity":"breaking","affected_versions":">=2.0.0"},{"fix":"Replace calls to `oidc.user_getinfo()` or `oidc.user_getfield()` with direct access to `session[\"oidc_auth_profile\"]` or the properties of `g.oidc_user` (available since 2.2.0).","message":"The `OpenIDConnect.user_getinfo()` and `OpenIDConnect.user_getfield()` methods are deprecated. User information should now be accessed via `session[\"oidc_auth_profile\"]` or `g.oidc_user.userinfo`.","severity":"deprecated","affected_versions":">=2.0.0"},{"fix":"For applications needing specific `redirect_uri` behavior, especially forcing HTTPS, explicitly set the `OIDC_OVERWRITE_REDIRECT_URI` configuration option. Review the behavior in versions 2.0.3 and 2.1.0 in the changelog.","message":"The `redirect_uri` sent to the ID provider in earlier 2.x versions (e.g., 2.0.3) was forced to HTTPS. In 2.1.0, this was changed to no longer force HTTPS based on OIDC spec recommendations. If you explicitly need to force HTTPS (or any specific URL), use `OIDC_OVERWRITE_REDIRECT_URI`.","severity":"breaking","affected_versions":"2.0.0 - 2.0.x"},{"fix":"If migrating from 1.x and encountering issues with `redirect_to_auth_server()`, ensure you are on version 2.2.2 or later if you need to use this specific method. Otherwise, adapt your code to newer 2.x patterns for redirection.","message":"The `oidc.redirect_to_auth_server()` method was initially removed in 2.x and then re-added in version 2.2.2 for compatibility with v1.x usage patterns.","severity":"gotcha","affected_versions":"2.0.0 - 2.2.1"},{"fix":"Always set `app.config['SECRET_KEY']` to a long, random string. It is highly recommended to manage this key via environment variables in production. For example, `os.environ.get('FLASK_SECRET_KEY', 'default_for_dev')`.","message":"A `SECRET_KEY` for the Flask application is absolutely critical for session management and overall security. Failing to set a strong, unique secret key will lead to security vulnerabilities.","severity":"gotcha","affected_versions":"All versions"},{"fix":"Ensure a valid `client_secrets.json` file is present or that `OIDC_ENABLED` is set to `False` (requires version 2.3.1 or higher for `client_secrets.json` to be entirely optional in this disabled state). The structure requires a top-level `web` key.","message":"The `client_secrets.json` file is mandatory for OIDC configuration unless the `OIDC_ENABLED` setting is explicitly set to `False`. Before version 2.3.1, not having this file would cause issues even if `OIDC_ENABLED` was set to `False`.","severity":"gotcha","affected_versions":"<2.3.1"},{"fix":"Upgrade to version 2.4.0 or later to apply the security fix. Review any custom login/logout redirect logic to ensure it is not negatively impacted by the fix and adheres to secure redirect practices.","message":"Version 2.4.0 includes a fix for an open redirect vulnerability in login and logout URLs. While this is a fix, applications relying on or inadvertently enabling such redirects could experience changes in behavior or breakages.","severity":"breaking","affected_versions":"<2.4.0"}],"env_vars":null,"last_verified":"2026-04-11T00:00:00.000Z","next_check":"2026-07-10T00:00:00.000Z"}