Authlib is the ultimate Python library for building OAuth and OpenID Connect clients and servers. It offers generic implementations of RFCs, including OAuth 1.0, OAuth 2.0, JWT and many more. It has become a monolithic project that powers everything from low-level specification implementations to high-level framework integrations.
I intend to make it profitable, so that it can be sustainable.
Authlib is a monolithic library. While being monolithic, it keeps everything synchronized, from spec implementation to framework integrations, from client requests to server providers.
The benefit is obvious: it won't break things. When specifications change, the implementation changes too. Let the developers of Authlib take the pain; users of Authlib should not suffer from it.
You don't have to worry about it being monolithic; it doesn't cost you memory. If you don't import a module, it won't be loaded. We don't madly import everything into the root __init__.py.
Authlib is designed to be as flexible as possible. Since it is built from low-level specification implementations up to high-level framework integrations, if a high-level integration can't meet your needs, you can always create your own based on the low-level implementation.
In most cases, you don't need to do such a thing. Flexibility has been taken into account from the start of the project. Take the OAuth 2.0 server as an example: instead of a pre-configured server, Authlib takes the advantage of
If you find anything that is not flexible enough, you can ask for help on StackOverflow or open an issue on GitHub.
Authlib is a spec-compliant library which follows the latest specifications.
We keep the generic tool functions in a specs module. When there is a related specification, we add it into
Currently, these specs are in the warehouse:
- done RFC5849: The OAuth 1.0 Protocol
- done RFC6749: The OAuth 2.0 Authorization Framework
- done RFC6750: The OAuth 2.0 Authorization Framework: Bearer Token Usage
- done RFC7009: OAuth 2.0 Token Revocation
- done RFC7515: JSON Web Signature
- beta RFC7516: JSON Web Encryption
- done RFC7517: JSON Web Key
- done RFC7518: JSON Web Algorithms
- done RFC7519: JSON Web Token
- done RFC7523: JWT Profile for OAuth 2.0 Client Authentication and Authorization Grants
- beta RFC7636: Proof Key for Code Exchange by OAuth Public Clients
- done RFC7662: OAuth 2.0 Token Introspection
- done OpenID Connect 1.0
This project is inspired by: