All new applications should use OpenID Connect for user authentication.
Many existing applications use OpenID 2.0 and should eventually migrate to OpenID Connect.
OpenID Connect is an authentication layer built on top of OAuth 2.0, so you should be familiar with OAuth 2.0 and its various flows before learning about OpenID Connect.
When requesting an access token in OAuth 2.0, clients are allowed to specify the scope of the access token. This scope indicates what the token is allowed to be used for. In most cases, your application should require a scope or scopes of its own so users can issue access tokens that can only be used with a particular application. To do so, consult the Authentication Wiki page.
OpenID Connect requires that the "openid" scope is requested. Failing to do so will result in undefined behavior.
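The two scope rules above, shown as an added example that is not code from the original page or from any Fedora project: the request always carries "openid" plus the application's own scope, and the application accepts a token only when its granted scopes contain both. The endpoint, client ID, redirect URI and scope name are hypothetical placeholders.

```python
import secrets
from urllib.parse import urlencode

# Hypothetical values for illustration; substitute your provider and client.
AUTHORIZATION_ENDPOINT = "https://id.example.org/authorize"
CLIENT_ID = "example-client"
REDIRECT_URI = "https://app.example.org/oidc_callback"
APP_SCOPE = "https://app.example.org/scope/use"  # the application's own scope


def build_authorization_request(extra_scopes=()):
    """Return (url, state, nonce) for an authorization code flow request."""
    # "openid" is always included; dict.fromkeys de-duplicates, keeping order.
    scopes = list(dict.fromkeys(["openid", *extra_scopes]))
    state = secrets.token_urlsafe(32)  # ties the callback to this session
    nonce = secrets.token_urlsafe(32)  # ties the ID token to this request
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),  # space-delimited, RFC 6749 section 3.3
        "state": state,
        "nonce": nonce,
    })
    return f"{AUTHORIZATION_ENDPOINT}?{query}", state, nonce


def token_allows(granted_scope, required=("openid", APP_SCOPE)):
    """True only if every required scope is in the space-delimited grant.

    Whole scope values are compared: a substring test would wrongly
    accept APP_SCOPE + "-other" as if it were APP_SCOPE.
    """
    granted = set(granted_scope.split())
    return all(scope in granted for scope in required)
```

Store `state` and `nonce` in the user's session when redirecting, and compare them against the callback and the ID token before trusting either.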
OAuthLib is a low-level implementation of OAuth 2.0 with OpenID Connect support. It does not tie itself to an HTTP request framework. Typically, you will only use this library indirectly. If you are investigating this library, note that it is a library for both OAuth clients and OAuth providers. You will be most interested in the OAuth client sub-package.
Flask-OAuthlib is a Flask extension that builds on top of Requests-OAuthlib. It comes with plenty of examples in the examples directory of the repository. Flask applications within Fedora Infrastructure should use this extension unless there is a good reason not to (and that reason is documented here).
Pyramid-OAuthLib is a Pyramid extension that uses OAuthlib. It does not appear to be actively maintained, but it is a reasonable starting point for our few Pyramid applications.
Flask-OIDC is a Flask extension.
Mozilla-Django-OIDC is a Django extension for OpenID Connect.