Miguel Grinberg's Blog: Authentication
https://blog.miguelgrinberg.com/category/Authentication/feed

The Flask Mega-Tutorial, Part XXIII: Application Programming Interfaces (APIs) Miguel Grinberg https://blog.miguelgrinberg.com/post/the-flask-mega-tutorial-part-xxiii-application-programming-interfaces-apis

This is the twenty-third and last installment of the Flask Mega-Tutorial series, in which I'm going to tell you how to extend microblog with an application programming interface (or API) that clients can use to work with the application in a more direct way than the traditional web browser workflow.

https://blog.miguelgrinberg.com/post/the-flask-mega-tutorial-part-xxiii-application-programming-interfaces-apis Sun, 03 Dec 2023 10:40:21 GMT
OAuth Authentication with Flask in 2023 Miguel Grinberg https://blog.miguelgrinberg.com/post/oauth-authentication-with-flask-in-2023

A long time ago I wrote a tutorial on how to add logins with a social network to your Flask application, using the OAuth protocol. It's been almost 9 years since I wrote that article, and believe it or not, the OAuth protocol continues to be well supported by all major players including Twitter, Facebook, Google, GitHub and many more.

But of course, 9 years is a very long time in tech. Even though not much has changed in terms of how this method of authentication works, some of the packages that I used back then have had major upgrades, while others have become unmaintained, so an update is due.

Flask + OAuth 2.0 Demo

https://blog.miguelgrinberg.com/post/oauth-authentication-with-flask-in-2023 Tue, 06 Jun 2023 18:59:34 GMT
API Authentication with Tokens Miguel Grinberg https://blog.miguelgrinberg.com/post/api-authentication-with-tokens

In this article I'm going to show you a few common patterns for client authentication based on tokens, and how they can be implemented in a Python API back end. This method of authentication works well for rich clients, like JavaScript-based front-end applications running in the browser, or perhaps a command-line (CLI) application.

I have written about authentication several times on this blog, so this article is a bit different. Since I have already provided a few authentication projects in previous articles and in my open source projects, in this article I'm going to go over all the considerations you have to take into account when deciding how to best implement authentication for your own API project.

https://blog.miguelgrinberg.com/post/api-authentication-with-tokens Fri, 03 Dec 2021 11:03:40 GMT
JSON Web Tokens with Public Key Signatures Miguel Grinberg https://blog.miguelgrinberg.com/post/json-web-tokens-with-public-key-signatures

JSON Web Tokens offer a simple and powerful way to generate tokens for APIs. These tokens carry a payload that is cryptographically signed. While the payload itself is not encrypted, the signature protects it against tampering. In their most common format, a "secret key" is used in the generation and verification of the signature. In this article I'm going to show you a lesser-known mechanism to generate JWTs whose signatures can be verified without having access to the secret key.

https://blog.miguelgrinberg.com/post/json-web-tokens-with-public-key-signatures Mon, 11 Jun 2018 14:15:42 GMT
The Flask Mega-Tutorial Part XXIII: Application Programming Interfaces (APIs) (2018) Miguel Grinberg https://blog.miguelgrinberg.com/post/the-flask-mega-tutorial-part-xxiii-application-programming-interfaces-apis-2018

(Great news! There is a new version of this tutorial!)

https://blog.miguelgrinberg.com/post/the-flask-mega-tutorial-part-xxiii-application-programming-interfaces-apis-2018 Tue, 08 May 2018 20:47:45 GMT
Handling Authentication Secrets in the Browser Miguel Grinberg https://blog.miguelgrinberg.com/post/handling-authentication-secrets-in-the-browser

I gave a talk titled Handling Authentication Secrets in the Browser at Fluent 2017 in San Jose (you can see the slides above). As a complement to the talk, I thought it would be a good idea to write down the main concepts here on the blog as well, for those that weren't at my talk or those that were, but want to study the topic with more time than the 40 minutes I had for my presentation.

https://blog.miguelgrinberg.com/post/handling-authentication-secrets-in-the-browser Wed, 21 Jun 2017 22:15:18 GMT
Two Factor Authentication with Flask Miguel Grinberg https://blog.miguelgrinberg.com/post/two-factor-authentication-with-flask

In this article I'm going to introduce an authentication scheme known as two-factor authentication. As the name implies, this method requires the user to provide two forms of identification: a regular password and a one-time token. This greatly increases account security, because a compromised password alone is not enough to gain access; an attacker also needs to have the token, which is different every time. You can see me do a short demonstration of this technique in the video above.

As usual, this article includes a complete example that implements this authentication technique in a Flask application. You may think this is going to be an advanced article that needs complex cryptographic techniques, specialized hardware and/or proprietary libraries, but in reality it requires none of the above. The solution is relatively simple to add if you already have username and password authentication in place, and can be done entirely with open standards and open-source software. There are even open-source token generation apps for your Android or iOS smartphone!

https://blog.miguelgrinberg.com/post/two-factor-authentication-with-flask Tue, 17 Feb 2015 01:26:04 GMT
OAuth Authentication with Flask Miguel Grinberg https://blog.miguelgrinberg.com/post/oauth-authentication-with-flask

Many websites offer users the option to use a streamlined single-click registration and login built on third-party authentication services, typically run by the big social networks. In this article I want to give you an introduction to the OAuth protocol, which is one of the most used third-party authentication mechanisms. I will also show you a complete Flask application that implements "Sign In with Facebook" and "Sign In with Twitter" functionality. With these two implementations as a guide you should find it easy to add any other OAuth providers you may need.

https://blog.miguelgrinberg.com/post/oauth-authentication-with-flask Mon, 17 Nov 2014 15:40:16 GMT
RESTful Authentication with Flask Miguel Grinberg https://blog.miguelgrinberg.com/post/restful-authentication-with-flask

This article is the fourth in my series on RESTful APIs. Today I will be showing you a simple, yet secure way to protect a Flask-based API with password- or token-based authentication.

https://blog.miguelgrinberg.com/post/restful-authentication-with-flask Thu, 28 Nov 2013 07:33:19 GMT
The Flask Mega-Tutorial, Part V: User Logins (2012) Miguel Grinberg https://blog.miguelgrinberg.com/post/the-flask-mega-tutorial-part-v-user-logins-legacy

(Great news! There is a new version of this tutorial!)

This is the fifth article in the series in which I document my experience writing web applications in Python using the Flask microframework.

https://blog.miguelgrinberg.com/post/the-flask-mega-tutorial-part-v-user-logins-legacy Sat, 09 Jun 2012 06:44:24 GMT