Building a robust OAuth Provider using Flask, AuthLib and MongoDB
dheerajsaklani
Description:
What is OAuth 2.0? OAuth 2.0 is an authorization framework. The OAuth handshake is the process by which a user grants permission to a third-party application to access their data on another service without sharing their credentials (like username and password).
Why Python? Authlib's combination of Pythonic design, rich ecosystem integration, flexibility, security features, and active community support makes it a compelling choice for implementing OAuth and OIDC in Python-based projects, compared with similar libraries in other languages.
Why create your own OAuth service provider?
• Custom Authentication Requirements: You may have specific authentication requirements that are not fully addressed by third-party OAuth providers. For example, you may need to integrate with legacy authentication systems or have complex authentication workflows.
• Fine-Grained Control: You require fine-grained control over the authentication and authorization process. Building your own OAuth microservice allows you to customize the authentication logic, define scopes, and enforce security policies according to your specific needs.
Problem Statement: Allow third-party applications to communicate with an organization's protected resources in a trusted and secure manner.
Solution: Implementing your own OAuth provider involves several steps:
• Choose Grant Types: You must select the grant types based on your requirements. We use the Authorization Code grant type and the Refresh Token grant type.
• Implement OAuth Endpoints: The OAuth microservice should expose endpoints, for example:
  • Authorization Endpoint: This endpoint will authenticate the client credentials, scope and permissions.
  • Token Endpoint: This endpoint will receive incoming requests from other microservices to validate access tokens.
• Generate Access Tokens:
  • Upon successful authentication and authorization, generate access tokens according to the OAuth specification.
  • We use the Authlib library with custom logic to generate tokens, to control the authentication process.
  • It considers various factors such as token expiration, token scopes, and token format.
  • We also set a custom expiration time and other parameters to encode the token.
• Protect Endpoints and Tokens: You must ensure that OAuth endpoints are secure by implementing appropriate security measures, for example HTTPS, input validation, and secure storage and transmission of access tokens.
• Integrate with Client Applications: Provide client applications with the necessary information (client ID, client secret, endpoints) to integrate with your OAuth provider.
• Compliance and Security: Ensure compliance with relevant standards (e.g., the OAuth 2.0 RFC, OIDC) and security best practices.
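The two grants and the token checks listed above, as an added stand-alone example (not the talk's Flask/Authlib/MongoDB code): plain dicts stand in for the MongoDB collections, the client registry is constructed, and `now` is passed in as epoch seconds so that code and token expiry can be exercised deterministically. It goes slightly beyond the text by also rotating refresh tokens and storing only hashes of codes and tokens.

```python
import hashlib, hmac, secrets
CLIENTS = {"app1": {"secret": "s3cr3t", "redirect_uri": "https://app.example/cb",   # constructed registry
                    "scopes": {"profile", "email"}}}
CODES, ACCESS, REFRESH = {}, {}, {}        # in-memory stand-ins for the MongoDB collections
CODE_TTL, ACCESS_TTL = 60, 3600            # custom lifetimes, as the talk describes
_h = lambda t: hashlib.sha256(t.encode()).hexdigest()   # persist only hashes of secret values

def authorize(client_id, redirect_uri, scope, user_id, now):
    """Authorization endpoint: validate client, redirect_uri and scope, then issue a code."""
    client = CLIENTS.get(client_id)
    if client is None or redirect_uri != client["redirect_uri"]:
        return {"error": "invalid_request"}        # never redirect to an unregistered URI
    wanted = set(scope.split())
    if not wanted <= client["scopes"]:
        return {"error": "invalid_scope"}
    code = secrets.token_urlsafe(32)
    CODES[_h(code)] = {"client_id": client_id, "redirect_uri": redirect_uri,
                       "scope": wanted, "user": user_id, "exp": now + CODE_TTL}
    return {"code": code}

def _issue(client_id, user, scope, now):
    access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
    rec = {"client_id": client_id, "user": user, "scope": scope, "exp": now + ACCESS_TTL}
    ACCESS[_h(access)], REFRESH[_h(refresh)] = rec, dict(rec, access=_h(access))  # pair kept together
    return {"access_token": access, "refresh_token": refresh, "token_type": "Bearer", "expires_in": ACCESS_TTL}

def token(grant_type, client_id, client_secret, now, **p):
    """Token endpoint: authorization_code and refresh_token grants, RFC 6749 error codes."""
    client = CLIENTS.get(client_id)
    if client is None or not hmac.compare_digest(client["secret"], client_secret):
        return {"error": "invalid_client"}
    if grant_type == "authorization_code":
        rec = CODES.pop(_h(p.get("code", "")), None)          # single use: pop, never get
        if (rec is None or rec["exp"] < now or rec["client_id"] != client_id
                or rec["redirect_uri"] != p.get("redirect_uri")):
            return {"error": "invalid_grant"}
        return _issue(client_id, rec["user"], rec["scope"], now)
    if grant_type == "refresh_token":
        rec = REFRESH.pop(_h(p.get("refresh_token", "")), None)  # rotate: old refresh token dies
        if rec is None or rec["client_id"] != client_id:
            return {"error": "invalid_grant"}
        ACCESS.pop(rec["access"], None)                        # and so does the access token it issued
        return _issue(client_id, rec["user"], rec["scope"], now)
    return {"error": "unsupported_grant_type"}

def introspect(access_token, now):         # resource-server check: known and unexpired?
    rec = ACCESS.get(_h(access_token))
    if rec is None or rec["exp"] < now:
        return {"active": False}
    return {"active": True, "sub": rec["user"], "scope": " ".join(sorted(rec["scope"]))}
```

A replayed code, a reused (rotated-out) refresh token, a mismatched redirect_uri and an expired token all come back as `invalid_grant` or `active: false`, which is what a provider must enforce before trusting any token.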
Challenges:
• Complexity: Building and maintaining an OAuth microservice adds complexity to your architecture.
• Development Time and Effort: Developing a secure and reliable OAuth microservice requires time and effort, including implementing token validation, secure storage of user credentials, and handling the various OAuth flows.
• Security Risks: Building your own OAuth microservice introduces potential security risks if it is not implemented correctly. You must carefully design and implement security measures to protect against common threats such as token leakage, injection attacks, and unauthorized access.
• Operational Overhead: Operating and maintaining an OAuth microservice adds operational overhead, including monitoring, scaling, and ensuring high availability.
Prerequisites:
Basic knowledge of Python programming. Familiarity with REST APIs. Comfortable using Python libraries. Some understanding of OAuth 2.0.
Video URL:
https://drive.google.com/file/d/1I5sRtfZuWinuHhezONC6Qpun-rn2SUnf/view?usp=sharing
Speaker Info:
Snehal Patil, who holds a BTech in Computer Science and a PG Diploma in Big Data Analytics, is a dedicated developer with four years of industry experience. Currently employed at BNI India Pvt Ltd, she has attended previous PyConfs; however, this will be her first time presenting at PyConf.
Dheeraj Saklani holds a BTech in Computer Science and is a dedicated developer with seven years of industry experience. He is currently employed at BNI India Pvt Ltd as Lead Software Engineer. This will be his first time presenting at PyConf.
Speaker Links:
linkedin.com/in/snehal-patil-09941314b
www.linkedin.com/in/dheeraj-saklani-37ab93136