Flask-OAuth is an extension to Flask that allows you to interact with remote OAuth enabled applications. Currently it only implements the consumer interface so you cannot expose your own API with OAuth.

Flak-OAuth depends on the python-oauth2 module.


  • Support for OAuth 1.0a
  • Friendly API
  • Direct integration with Flask
  • Basic support for remote method invocation of RESTful APIs


Install the extension with one of the following commands:

$ pip install Flask-OAuth

Alternatively, use easy_install:

$ easy_install Flask-OAuth

Defining Remote Applications

To connect to a remote application create a OAuth object and register a remote application on it using the remote_app() method:

from flask_oauth import OAuth

oauth = OAuth()
the_remote_app = oauth.remote_app('the remote app',

A remote application must define several URLs required by the OAuth machinery:

  • request_token_url
  • access_token_url
  • authorize_url

Additionally the application should define an issued consumer_key and consumer_secret.

You can find these values by registering your application with the remote application you want to connect with.

Additionally you can provide a base_url that is prefixed to all relative URLs used in the remote app.

For Twitter the setup would look like this:

twitter = oauth.remote_app('twitter',
    consumer_key='<your key here>',
    consumer_secret='<your secret here>'

Now that the application is created one can start using the OAuth system. One thing is missing: the tokengetter. OAuth uses a token and a secret to figure out who is connecting to the remote application. After authentication/authorization this information is passed to a function on your side and it is your responsibility to remember it.

The following rules apply:

  • It’s your responsibility to store that information somewhere
  • That information lives for as long as the user did not revoke the access for your application on the remote application. If it was revoked and the user re-enabled the application you will get different keys, so if you store them in the database don’t forget to check if they changed in the authorization callback.
  • During the authorization handshake a temporary token and secret are issued. Your tokengetter is not used during that period.

For a simple test application, storing that information in the session is probably sufficient:

from flask import session

def get_twitter_token(token=None):
    return session.get('twitter_token')

If the token does not exist, the function must return None, and otherwise return a tuple in the form (token, secret). The function might also be passed a token parameter. This is user defined and can be used to indicate another token. Imagine for instance you want to support user and application tokens or different tokens for the same user.

The name of the token can be passed to to the request() function.

Signing in / Authorizing

To sign in with Twitter or link a user account with a remote Twitter user, simply call into authorize() and pass it the URL that the user should be redirected back to. For example:

def login():
    return twitter.authorize(callback=url_for('oauth_authorized',
        next=request.args.get('next') or request.referrer or None))

If the application redirects back, the remote application will have passed all relevant information to the oauth_authorized function: a special response object with all the data, or None if the user denied the request. This function must be decorated as authorized_handler():

from flask import redirect

def oauth_authorized(resp):
    next_url = request.args.get('next') or url_for('index')
    if resp is None:
        flash(u'You denied the request to sign in.')
        return redirect(next_url)

    session['twitter_token'] = (
    session['twitter_user'] = resp['screen_name']

    flash('You were signed in as %s' % resp['screen_name'])
    return redirect(next_url)

We store the token and the associated secret in the session so that the tokengetter can return it. Additionally we also store the Twitter username that was sent back to us so that we can later display it to the user. In larger applications it is recommended to store satellite information in a database instead to ease debugging and more easily handle additional information associated with the user.

Facebook OAuth

For Facebook the flow is very similar to Twitter or other OAuth systems but there is a small difference. You’re not using the request_token_url at all and you need to provide a scope in the request_token_params:

facebook = oauth.remote_app('facebook',
    request_token_params={'scope': 'email'}

Furthermore the callback is mandatory for the call to authorize() and has to match the base URL that was specified in the Facebook application control panel. For development you can set it to localhost:5000.

The APP_ID and APP_SECRET can be retrieved from the Facebook app control panel. If you don’t have an application registered yet you can do this at facebook.com/developers.

Invoking Remote Methods

Now the user is signed in, but you probably want to use OAuth to call protected remote API methods and not just sign in. For that, the remote application object provides a request() method that can request information from an OAuth protected resource. Additionally there are shortcuts like get() or post() to request data with a certain HTTP method.

For example to create a new tweet you would call into the Twitter application as follows:

resp = twitter.post('statuses/update.json', data={
    'status':   'The text we want to tweet'
if resp.status == 403:
    flash('Your tweet was too long.')
    flash('Successfully tweeted your tweet (ID: #%s)' % resp.data['id'])

Or to display the users’ feed we can do something like this:

resp = twitter.get('statuses/home_timeline.json')
if resp.status == 200:
    tweets = resp.data
    tweets = None
    flash('Unable to load tweets from Twitter. Maybe out of '
          'API calls or Twitter is overloaded.')

Flask-OAuth will do its best to send data encoded in the right format to the server and to decode it when it comes back. Incoming data is encoded based on the mimetype the server sent and is stored in the data attribute. For outgoing data a default of 'urlencode' is assumed. When a different format is needed, one can specify it with the format parameter. The following formats are supported:

  • 'urlencode' - form encoded data (GET as URL and POST/PUT as request body)
  • 'json' - JSON encoded data (POST/PUT as request body)
  • 'urlencode' - stored as flat unicode dictionary
  • 'json' - decoded with JSON rules, most likely a dictionary
  • 'xml' - stored as elementtree element

Unknown incoming data is stored as a string. If outgoing data of a different format is needed, content_type should be specified instead and the data provided should be an encoded string.

API Reference

class flask_oauth.OAuth

Registry for remote applications. In the future this will also be the central class for OAuth provider functionality.

remote_app(name, register=True, **kwargs)

Registers a new remote applicaton. If param register is set to False the application is not registered in the remote_apps dictionary. The keyword arguments are forwarded to the OAuthRemoteApp consturctor.

class flask_oauth.OAuthRemoteApp(oauth, name, base_url, request_token_url, access_token_url, authorize_url, consumer_key, consumer_secret, request_token_params=None, access_token_params=None, access_token_method='GET')

Represents a remote application.

  • oauth – the associated OAuth object.
  • name – then name of the remote application
  • request_token_url – the URL for requesting new tokens
  • access_token_url – the URL for token exchange
  • authorize_url – the URL for authorization
  • consumer_key – the application specific consumer key
  • consumer_secret – the application specific consumer secret
  • request_token_params – an optional dictionary of parameters to forward to the request token URL or authorize URL depending on oauth version.
  • access_token_params – an option diction of parameters to forward to the access token URL
  • access_token_method – the HTTP method that should be used for the access_token_url. Defaults to 'GET'.

Returns a redirect response to the remote authorization URL with the signed callback given. The callback must be None in which case the application will most likely switch to PIN based authentication or use a remotely stored callback URL. Alternatively it’s an URL on the system that has to be decorated as authorized_handler().


Injects additional authorization functionality into the function. The function will be passed the response object as first argument if the request was allowed, or None if access was denied. When the authorized handler is called, the temporary issued tokens are already destroyed.

base_url = None

the base_url all URLs are joined with.

delete(*args, **kwargs)

Sends a DELETE request. Accepts the same parameters as request().

get(*args, **kwargs)

Sends a GET request. Accepts the same parameters as request().


Handles an oauth1 authorization response. The return value of this method is forwarded as first argument to the handling view function.


Handles an oauth2 authorization response. The return value of this method is forwarded as first argument to the handling view function.


Called if an unknown response came back from the server. This usually indicates a denied response. The default implementation just returns None.


Creates a new oauth2 Client object with the token attached. Usually you don’t have to do that but use the request() method instead.

post(*args, **kwargs)

Sends a POST request. Accepts the same parameters as request().

put(*args, **kwargs)

Sends a PUT request. Accepts the same parameters as request().

request(url, data='', headers=None, format='urlencoded', method='GET', content_type=None, token=None)

Sends a request to the remote server with OAuth tokens attached. The url is joined with base_url if the URL is relative.

New in version 0.12: added the token parameter.

  • url – where to send the request to
  • data – the data to be sent to the server. If the request method is GET the data is appended to the URL as query parameters, otherwise encoded to format if the format is given. If a content_type is provided instead, the data must be a string encoded for the given content type and used as request body.
  • headers – an optional dictionary of headers.
  • format – the format for the data. Can be urlencoded for URL encoded data or json for JSON.
  • method – the HTTP request method to use.
  • content_type – an optional content type. If a content type is provided, the data is passed as it and the format parameter is ignored.
  • token – an optional token to pass to tokengetter. Use this if you want to support sending requests using multiple tokens. If you set this to anything not None, tokengetter_func will receive the given token as an argument, in which case the tokengetter should return the (token, secret) tuple for the given token.

an OAuthResponse object.


Given request data, checks if the status is okay.


Registers a function as tokengetter. The tokengetter has to return a tuple of (token, secret) with the user’s token and token secret. If the data is unavailable, the function must return None.

If the token parameter is passed to the request function it’s forwarded to the tokengetter function:

def get_token(token='user'):
    if token == 'user':
        return find_the_user_token()
    elif token == 'app':
        return find_the_app_token()
    raise RuntimeError('invalid token')
class flask_oauth.OAuthResponse(resp, content)

Contains the response sent back from an OAuth protected remote application.

data = None

the parsed content from the server

headers = None

a Headers object with the response headers the application sent.

raw_data = None

the raw, unencoded content from the server


The status code of the response.

exception flask_oauth.OAuthException(message, type=None, data=None)

Raised if authorization fails for some reason.

data = None

If available, the parsed data from the remote API that can be used to pointpoint the error.

message = None

A helpful error message for debugging

type = None

A unique type for this exception if available.

Fork me on GitHub