Quart API#

Quart integration for py oidc auth.

Quart is an async framework with a Flask compatible API. Because Quart supports async def route handlers, this adapter calls the async base methods directly.

Install:

pip install py-oidc-auth[quart]
conda install -c conda-forge py-oidc-auth-quart

Usage

from quart import Quart
from py_oidc_auth.quart_auth import QuartOIDCAuth

auth = QuartOIDCAuth(
    client_id="my client",
    client_secret="secret",
    discovery_url="https://idp.example.org/realms/demo/.well-known/openid-configuration",
    scopes="myscope profile email",
    broker_mode=True,
    broker_store_url="postgresql+asyncpg://user:pw@db/myapp",
)

app = Quart(__name__)
app.register_blueprint(auth.create_auth_blueprint(prefix="/api"))

@app.get("/protected")
@auth.required()
async def protected(token):
    return {"sub": token.sub}
class py_oidc_auth.quart_auth.QuartOIDCAuth(client_id: str = '', discovery_url: str = '', client_secret: str | None = None, scopes: str = 'profile email', audience: str | None = None, appname: str = 'py-oidc-auth', proxy: str = '', claims: Dict[str, Any] | None = None, offline_access: bool = True, timeout_sec: int = 10, jwks_uri: str | None = None, issuer: str | None = None, broker_mode: bool = False, broker_store_url: str | None = None, broker_store_obj: BrokerStore | None = None, broker_audience: str = 'py-oidc-auth', trusted_issuers: list[str] | None = None, broker_jwks_path: str = '/auth/v2/.well-known/jwks.json')#

Reusable OpenID Connect helper for Quart.

Provides required() optional() decorators and create_auth_blueprint() for standard auth endpoints. When broker_mode=True the decorators verify broker JWTs and the blueprint token endpoint issues broker JWTs instead of passing IDP tokens through.

required(claims: Dict[str, Any] | None = None, scopes: str = '') Callable[[F], F]#

Enforce authentication on a Quart route.

The decorated handler receives IDToken as its first positional argument.

Parameters:

  • claims – Optional claim constraints.

  • scopes – Space separated scope names.

Returns:

Decorator for Quart routes.

optional(claims: Dict[str, Any] | None = None, scopes: str = '') Callable[[F], F]#

Allow anonymous access decorator.

The decorated handler receives IDToken or None as its first positional argument.

Parameters:

  • claims – Optional claim constraints.

  • scopes – Space separated scope names.

Returns:

Decorator for Quart routes.

create_auth_blueprint(prefix: str = '', login: str | None = '/auth/v2/login', callback: str | None = '/auth/v2/callback', token: str | None = '/auth/v2/token', device_flow: str | None = '/auth/v2/device', logout: str | None = '/auth/v2/logout', userinfo: str | None = '/auth/v2/userinfo', jwks: str | None = '/auth/v2/.well-known/jwks.json') quart.Blueprint#

Build a Quart quart.Blueprint with standard auth routes.

Parameters:

  • prefix – URL prefix for all routes.

  • login – Path for login.

  • callback – Path for callback.

  • token – Path for token exchange and refresh.

  • device_flow – Path for starting the device flow.

  • logout – Path for logout.

  • userinfo – Path for userinfo.

  • jwks – Path for the JWKS endpoint (broker mode only).

Returns:

Blueprint to register on your app.

Raises:

ValueError – When broker_mode=True and token is falsy.

Request example

GET /auth/v2/userinfo HTTP/1.1
Host: app.example.org
Authorization: Bearer <access token>