Docs/Add Hardware-Backed Sign-In to Your Application/ Flask (Authlib)
View as .md

Flask (Authlib)

See the Applications overview for prerequisites, configuration endpoints, and available scopes.

Authlib provides OAuth and OpenID Connect client support for Flask. Key configuration:

  • Install authlib, flask, and requests
  • Register the provider with server_metadata_url and code_challenge_method='S256' for PKCE
  • Set client_kwargs={'scope': 'openid email'}
  • Hardware attestation claims (hardware_verified, hardware_aaguid) are in the access token JWT — decode the payload with base64url and padding adjustment
  • Callback URL: /callback

Example

web/flask-authlib — Complete working example with authorization code flow, PKCE, and hardware claim extraction.