惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

M
MIT News - Artificial intelligence
有赞技术团队
有赞技术团队
S
Schneier on Security
aimingoo的专栏
aimingoo的专栏
T
Troy Hunt's Blog
U
Unit 42
Hacker News - Newest:
Hacker News - Newest: "LLM"
V2EX - 技术
V2EX - 技术
T
The Blog of Author Tim Ferriss
V
Visual Studio Blog
H
Heimdal Security Blog
H
Hacker News: Front Page
Blog — PlanetScale
Blog — PlanetScale
博客园 - 司徒正美
Cloudbric
Cloudbric
Google DeepMind News
Google DeepMind News
C
Cisco Blogs
The Cloudflare Blog
C
Cybersecurity and Infrastructure Security Agency CISA
Microsoft Security Blog
Microsoft Security Blog
MyScale Blog
MyScale Blog
F
Fortinet All Blogs
N
News | PayPal Newsroom
Attack and Defense Labs
Attack and Defense Labs
D
DataBreaches.Net
N
News and Events Feed by Topic
Security Archives - TechRepublic
Security Archives - TechRepublic
Forbes - Security
Forbes - Security
Simon Willison's Weblog
Simon Willison's Weblog
F
Full Disclosure
The Register - Security
The Register - Security
L
LINUX DO - 热门话题
Webroot Blog
Webroot Blog
Google Online Security Blog
Google Online Security Blog
AI
AI
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
I
Intezer
S
Security Affairs
阮一峰的网络日志
阮一峰的网络日志
K
Kaspersky official blog
云风的 BLOG
云风的 BLOG
博客园 - 叶小钗
T
Threatpost
Spread Privacy
Spread Privacy
小众软件
小众软件
AWS News Blog
AWS News Blog
S
Secure Thoughts
S
Security @ Cisco Blogs
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
J
Java Code Geeks

Just lepture

我用 AI 造新語 丟失的表達欲 註冊郵箱攻擊 個人域名郵箱免費方案 Markdown on ruby markup Display country flags emoji on Windows 週記,垂死病中驚坐起 程序員與文學衝突 Fireside 遷移記 Typlog 三週年 How to style RSS feed 談談獨立播客 貓與網絡暴力 那霸的夜 Authlib Under BSD License PyCon JP 2018 記 摩登 OAuth 2.0:簡介 夜思 Structure of a Flask Project 三藩記 佐渡與阿賀町記 週記,九月末 前端的基礎修養:ARIA Live Regions 週記,九月三週
Announcement of Authlib
2018-01-08 · via Just lepture

It has been 4 years since I posted Create an OAuth Server. Flask-OAuthlib has been shining in the Flask community, but it's time to say goodbye. Authlib is going to replace Flask-OAuthlib.

Authlib contains everything you need to create OAuth clients and servers. It contains:

  • python-requests OAuth1Session and OAuth2Session
  • Flask OAuth clients integrations
  • Django OAuth clients integrations
  • Flask OAuth servers implementations
  • Django OAuth servers implementations (not ready)
  • OpenID and many other things

Documentation & Playground

No, there will be no guide on how to create an OAuth server in this post. It is hard to keep information updated in a single blog post. Instead, I've deployed a real OAuth server online so that everyone can play with.

To get a better understanding, you can read the official documentation and the source code of Authlib playground:

  1. Official Documentation: https://docs.authlib.org/
  2. Source Code of Authlib: https://github.com/lepture/authlib
  3. Online Playground: https://play.authlib.org/
  4. Source Code of Playground: https://github.com/authlib/playground
Authlib Playground Screenshot

Starting from Scratch

I have several reasons to deprecate Flask-OAuthlib. But the main reason is that Flask-OAuthlib is not maintained well. And it seems things will not go well in the future. Flask-OAuthlib depends on OAuthLib which I believe is in a chaotic maintenance (although I am a maintainer too). Besides, there are many designs I don't like.

I created Authlib from scratch - from specification implementation to framework integrations. I didn't understand OAuth well enough when writing Flask-OAuthlib. However, this time, I read every RFC carefully so that there will be less misunderstanding (I'm not a native English speaker). The experience in OAuthLib helps too.

Being Monolithic

I started Authlib with a monolithic design in mind. As I've said "it is designed from specification implementation to framework integrations". Being monolithic is a feature of Authlib. I've always hated the micro modules in Node ecosystem, there are even lots of one line code modules in npm.

Being monolithic means it won't break things. When specifications changed, implementation will change too. It keeps everything synchronized. You don’t have to worry about monolithic, it doesn’t cost your memory. If you don’t import a module, it won’t be loaded.

Will it always be monolithic? It depends. As time goes and Authlib becomes mature, maybe I will separate the framework integrations from Authlib source code.

Profitable = Sustainable

Flask-OAuthlib is not sustainable. I can't spare too much time on it. That's why I created Authlib with a sustainable idea from the beginning. I hope the project will last long enough.

Profitable equals sustainable. If I can make a living on Authlib, I can spare more time on it, keeping it updated, fixing bugs, resolving vulnerable securities. OAuth server implementation is an enterprise level problem, if you are running a company, you wouldn't like to use a non-sustainable module for such an important feature. What you need is a sustainable solution.

The price model for Authlib is simple yet affordable. It is $1000/year (or $500/year if your company is small), it is just 1/10 of one month salary for one year. However, if you don't care, you can always use the open source license.

Road Map

I've released Authlib v0.3 when writing this post. It is started from Oct 21, 2017:

  1. Common client and Flask client integration is available in v0.1
  2. Django client integration is available in v0.2
  3. Flask OAuth 2 server is available in v0.3

Flask comes first, Django comes second.

The next implementation will be Flask OAuth 1 server. After that, there will be Django OAuth servers, and more OAuth 2 specification implementation. I wish I can make a version 1.0 in the end of this year.


Now, head over to the documentation and play with Authlib.