Demonstration of a Flask REST API protected by OAuth2.

pip install -r requirements.txt

FLASK_DEBUG=1 FLASK_APP=app.py flask run

If a real Authorization Server is available that supports the "Client Credentials" authorization grant, then edit the OAuthClient settings in client.py and uncomment the call to fetch_access_token. Otherwise a fake token will be used.

Then run:

$ python client.py

Or (with fake token):

$ curl --header 'Authorization: Bearer dca6f1125fb4874e058887a098dadf91f0e1e70d' 'http://127.0.0.1:5000/'

Expected output:

Hello World. Token scope = 'user:email'.

Note that the server (protected resource) currently only checks that it received a token, not whether the token is actually valid. Validation should be added using JWT, Token Introspection, or consulting a shared database with the Authorization Server.