Authlib python


The ultimate Python library in building OAuth and OpenID Connect servers. JWS, JWK, JWA, JWT are included.

Authlib is compatible with Python 2.7+ and Python 3.6+.

Authlib v1.0 will only support Python 3.6+.


If you want to quickly add secure token-based authentication to Python projects, feel free to check Auth0's Python SDK and free plan at
A blogging and podcast hosting platform with minimal design but powerful features. Host your blog and Podcast with

Fund Authlib to access additional features


Generic, spec-compliant implementation to build clients and providers:

Connect third party OAuth providers with Authlib built-in client integrations:

Build your own OAuth 1.0, OAuth 2.0, and OpenID Connect providers:

Useful Links

  1. Homepage:
  2. Documentation:
  3. Purchase Commercial License:
  4. Blog:
  5. Twitter:
  6. StackOverflow:
  7. Other Repositories:
  8. Subscribe Tidelift:

Security Reporting

If you find a security bug, please do not open a public issue or submit a public patch. You can email me at [email protected]; an attached patch is welcome. My PGP key fingerprint is:

Or, you can use the Tidelift security contact. Tidelift will coordinate the fix and disclosure.


Authlib offers two licenses:


Companies can purchase a commercial license at Authlib Plans.

If your company is creating a closed-source OAuth provider, it is strongly suggested that your company purchase a commercial license.


If you need any help, you can always ask questions on StackOverflow with a tag of "Authlib". DO NOT ASK HELP IN GITHUB ISSUES.

We also provide commercial consulting and support. You can find more information at


Python Authlib : How To Resolve Auth Code Challenge And Verify Tokens Stored In HTTP Only Session Cookie Of Protected Endpoint?

After reading the documentation I am struggling to understand how to use Authlib to implement Authorize Code Flow for an OpenID Connect provider. After reading the documentation I have had a go at implementing the following code listed below.

The endpoint uses authlib to redirect to authorization of Identity Provider, in this case Cognito. This redirects to which I have currently implemented myself to resolve the code challenge to retrieve tokens.

My questions are:

  • How to use to also resolve the code challenge instead of implementing this part myself?
  • Does Authlib provide functionality to return token(s) in an HTTP Only cookie and verify tokens in subsequent requests containing the cookie? For example, does Authlib allow an endpoint to be decorated/marked as protected, in which case it will verify the tokens in the HTTP Only cookie?


After inspecting the source code I eventually figured out how to resolve the code challenge using Authlib with FastAPI. The source code is included at the end of this question.

I am leaving the question open since the second part remains unanswered. Currently, this question suggests that it is possible to use class that would do what I need. However, that has a method that inspects the Authorisation header of a request for a bearer token. So...I am assuming the approach is to subclass class and override this method to inspect request for HTTP only cookie and extract the JWT contained within for verification?? Is this feature implemented and provided by Authlib?

Alternatively, also investigating to see if I can integrate fastapi-login to achieve this functionality.

Appendix: Source Code

Initial Source Code With Custom Implementation For Resolving Code Challenge

Updated Source Code To Demonstrate How To Resolve Code Challenge Using Authlib
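As an added example (neither the asker's code nor Authlib's own API), here is the second part of the question done with the standard library only: the JWT is taken from an HttpOnly cookie instead of the Authorization header and then checked for signature, algorithm, issuer, audience and expiry. The secret, issuer, audience and cookie name are constructed placeholders, and HS256 stands in for the RS256 ID tokens a provider such as Cognito actually issues.

```python
import base64, hashlib, hmac, json, time
from http.cookies import SimpleCookie

# Constructed demo values; a real deployment verifies the provider's RS256
# ID tokens against its published JWKS, not a shared HMAC secret.
SECRET = b"constructed-demo-secret"
ISSUER = "https://issuer.example"   # hypothetical issuer
AUDIENCE = "demo-client-id"         # hypothetical client id / audience
COOKIE_NAME = "access_token"        # hypothetical HttpOnly cookie name


def b64url_decode(segment):
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_hs256_jwt(claims, secret=SECRET):
    """Mint a compact HS256 JWT (test fixture standing in for the provider)."""
    header = b64url_encode(json.dumps({"alg": "HS256"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def token_from_cookie_header(cookie_header, name=COOKIE_NAME):
    """Extract the JWT from a raw Cookie header; None when the cookie is absent."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    return jar[name].value if name in jar else None

def verify_hs256_jwt(token, secret=SECRET, now=None):
    """Check signature, alg, issuer, audience and expiry; ValueError on failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token pick the algorithm
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != ISSUER or claims.get("aud") != AUDIENCE:
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims
```

In a FastAPI dependency you would call `token_from_cookie_header(request.headers.get("cookie", ""))` and reject the request with 401 when the result is None or `verify_hs256_jwt` raises.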


The ultimate Python library in building OAuth, OpenID Connect clients and servers. JWS, JWE, JWK, JWA, JWT included.

Describe the bug

An application was upgraded to httpx 0.18.2 and we discovered that the "Authorization" header was no longer being included in the request.

Error Stacks

403 Errors from downstream services.

Trace Logging revealed that the Authorization header was missing.

Using httpx 0.18.2

Using httpx 0.17.1

To Reproduce

We use auth0 for our auth provider, so we have a custom JWT that sets the 'audience' parameter.

So prior to httpx 0.18, the code above would produce a functional OAuth2 client.

As a workaround, we are able to fix it with:

Expected behavior

The OAuth2Client should handle adding this header as it did previously.


  • OS: Linux/Mac
  • Python Version: 3.8.9
  • Authlib Version: 0.5.4

Additional context

Change from Flask-OAuthlib to Authlib for the Advanced RestAPI course in Python/Flask




Python authlib



  • RFC5849: The OAuth 1.0 Protocol
  • RFC6749: The OAuth 2.0 Authorization Framework
  • RFC6750: The OAuth 2.0 Authorization Framework: Bearer Token Usage
  • RFC7009: OAuth 2.0 Token Revocation
  • RFC7515: JSON Web Signature
  • RFC7516: JSON Web Encryption
  • RFC7517: JSON Web Key
  • RFC7518: JSON Web Algorithms
  • RFC7519: JSON Web Token
  • RFC7521: Assertion Framework for OAuth 2.0 Client Authentication and Authorization Grants
  • RFC7523: JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants
  • RFC7591: OAuth 2.0 Dynamic Client Registration Protocol
  • RFC7636: Proof Key for Code Exchange by OAuth Public Clients
  • RFC7638: JSON Web Key (JWK) Thumbprint
  • RFC7662: OAuth 2.0 Token Introspection
  • RFC8037: CFRG Elliptic Curve Diffie-Hellman (ECDH) and Signatures in JSON Object Signing and Encryption (JOSE)
  • RFC8414: OAuth 2.0 Authorization Server Metadata
  • RFC8628: OAuth 2.0 Device Authorization Grant
  • OpenID Connect 1.0
  • OpenID Connect Discovery 1.0


  • Requests OAuth 1 Session
  • Requests OAuth 2 Session
  • Requests Assertion Session
  • HTTPX OAuth 1 Session
  • HTTPX OAuth 2 Session
  • HTTPX Assertion Session
  • Flask OAuth 1/2 Client
  • Django OAuth 1/2 Client
  • Starlette OAuth 1/2 Client
  • Flask OAuth 1.0 Server
  • Flask OAuth 2.0 Server
  • Flask OpenID Connect 1.0
  • Django OAuth 1.0 Server
  • Django OAuth 2.0 Server
  • Django OpenID Connect 1.0


Authlib is licensed under BSD. Please see LICENSE for licensing details.

If this license does not fit your company, consider purchasing a commercial license. Find more information on Authlib Plans.

Authentication with Python Flask and Facebook -- Authlib



The ultimate Python library in building OAuth and OpenID Connect servers.



Generic RFCs

Authlib offers generic implementations of RFCs, including:

Framework Integrations

Various built-in high-level framework integrations for both clients and servers, aiming to create a seamless experience.

  • Flask OAuth 1.0/2.0 clients and providers
  • Django OAuth 1.0/2.0 clients and providers
  • Requests OAuth 1.0/2.0 sessions
  • HTTPX OAuth 1.0/2.0 clients
  • Starlette OAuth 1.0/2.0 clients
  • FastAPI OAuth 1.0/2.0 clients
  • Find more in documentation.


Supporting a wide range of social network service connections, powered by Loginpass:

  • Google with OpenID Connect and Service Account.
  • Twitter OAuth 1 Connect
  • Dropbox, Reddit, GitHub, Facebook etc.
  • Gitlab and its enterprise OAuth.
  • StackOverflow and its related services.
  • Find more on GitHub.



Authlib is built from low-level specifications up to high-level framework integrations.

Read Why


Security matters in Authlib. A section on the security process comes at the very beginning.

Read How


Authlib is created with sustainable maintenance in mind. Consider buying a commercial plan.

Get Help

No spam, ever. We will only send you emails about Authlib.

