Authentication

Fedora applications that require authentication should support Fedora Account System backed by FreeIPA as an identity provider.

Fedora Account System supports fasjson as read-only API, OpenID Connect, OAuth 2.0, and more.

Authentication

All new applications should use OpenID Connect for user authentication.

Many existing applications use OpenID 2.0 and should eventually migrate to OpenID Connect.

OpenID Connect is an authentication layer built on top of OAuth 2.0, so before learning OpenID Connect you should first be familiar with OAuth 2.0 and its various flows.

When requesting an access token in OAuth 2.0, clients are allowed to specify the scope of the access token. The scope indicates what the token may be used for. In most cases, your application should require a scope or scopes of its own, so that users can issue access tokens that are usable only with that particular application. To do so, consult the Authentication Wiki page.

OpenID Connect requires that the "openid" scope is requested. Failing to do so will result in undefined behavior.
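The following is an added example, not code from the Fedora Infrastructure documentation or from any of the libraries listed below. It uses only the Python standard library to show the three points above in working code: the "openid" scope is always requested alongside an application-specific scope, the authorization request carries a random state that is checked on the callback, and the scopes the server actually granted are verified before the token is trusted (servers may grant fewer scopes than requested). The endpoint URL, client id, redirect URI and scope name are constructed placeholders; a real deployment takes the endpoints from the identity provider's discovery document.

```python
"""Minimal OAuth 2.0 / OpenID Connect authorization-code request helpers.

Added example; not Fedora Infrastructure code. All URLs, ids and scope names
below are constructed placeholders.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed placeholder; the real endpoint comes from the provider's
# OpenID Connect discovery document.
AUTHORIZATION_ENDPOINT = "https://idp.example.test/openidc/Authorization"


def new_state():
    """Fresh unguessable state value, to be stored in the user's session."""
    return secrets.token_urlsafe(32)


def build_authorization_url(client_id, redirect_uri, scopes, state):
    """Build the authorization-code request URL.

    Refuses to build a request without the 'openid' scope: without it the
    server behaves as a plain OAuth 2.0 server and no ID token is issued.
    """
    if "openid" not in scopes:
        raise ValueError("OpenID Connect requires the 'openid' scope")
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
    }
    return AUTHORIZATION_ENDPOINT + "?" + urlencode(params)


def parse_callback(callback_url, expected_state):
    """Extract the authorization code from the redirect back to the app.

    The callback is rejected unless the state equals the value stored in the
    session (this is the CSRF protection of the flow), the provider did not
    report an error, and exactly one code is present.
    """
    query = parse_qs(urlparse(callback_url).query)
    received_state = query.get("state", [""])[0]
    # Constant-time comparison on bytes; a missing state compares as "".
    if not secrets.compare_digest(received_state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: possible CSRF or stale callback")
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    codes = query.get("code", [])
    if len(codes) != 1:
        raise ValueError("expected exactly one authorization code")
    return codes[0]


def granted_scopes(token_response, required):
    """Return the set of scopes the server granted in the token response.

    Raises PermissionError if any required scope is missing, so the
    application never treats a down-scoped token as fully authorized.
    """
    granted = set(token_response.get("scope", "").split())
    missing = set(required) - granted
    if missing:
        raise PermissionError("missing scopes: " + ", ".join(sorted(missing)))
    return granted


if __name__ == "__main__":
    # Walk through the request side of the flow with constructed values.
    state = new_state()
    wanted = ["openid", "myapp:read"]
    print(build_authorization_url("myapp-client", "https://app.example.test/cb", wanted, state))
    code = parse_callback(
        "https://app.example.test/cb?code=c0de123&state=" + state, state
    )
    print("authorization code:", code)
    # A constructed token response such as the token endpoint would return.
    token = {"access_token": "t0k", "token_type": "Bearer", "scope": "openid myapp:read"}
    print("granted:", sorted(granted_scopes(token, wanted)))
```

The state value must live in server-side session storage between the redirect and the callback; the token exchange itself (a POST to the provider's token endpoint with the code and the client credentials) is what Requests-OAuthlib and the Flask extensions below implement for you.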

Libraries

OAuthLib

OAuthLib is a low-level implementation of OAuth 2.0 with OpenID Connect support. It is not tied to any HTTP request framework. Typically, you will only use this library indirectly. If you are investigating this library, note that it is a library for both OAuth clients and OAuth providers; you will be most interested in the OAuth client sub-package.

Requests-OAuthlib

Requests-OAuthlib uses the Requests library with OAuthLib to provide an easy-to-use interface for OAuth 2.0 clients. If you need to add support to an application that doesn’t have an extension for OAuthLib, you should use this library.

Flask-OAuthlib

Flask-OAuthlib is a Flask extension that builds on top of Requests-OAuthlib. It comes with plenty of examples in the examples directory of the repository. Flask applications within Fedora Infrastructure should use this extension unless there is a good reason not to (and that reason is documented here).

Pyramid-OAuthLib

Pyramid-OAuthLib is a Pyramid extension that uses OAuthlib. It does not appear to be actively maintained, but it is a reasonable starting point for our few Pyramid applications.

Authlib

Authlib is a Python library to build OAuth and OpenID Connect servers and clients. It has integration layers for Flask and Django as protocol servers and clients, as well as client integration layers for Requests, HTTPX, Starlette and FastAPI. As a client app authenticating with OpenID Connect, it is most useful if several authentication providers are to be supported (such as social networks).

Flask-OIDC

Flask-OIDC is a Flask extension that makes using Authlib easier when using Flask with only one authentication provider (such as Fedora’s identity provider).

Mozilla-Django-OIDC

Mozilla-Django-OIDC is a Django extension for OpenID Connect.