Implement OAuth relying on Authlib

[yannj-fr]

Description

Hello,
I would like to validate here before I start the implementation that we want to use Authlib as a Oauth implementation to support more use case in the future and reduce the cost of maintenance of the Oauth stack.
Please can maintainers comment so I don't initiate a long work for nothing.

Thanks a lot !

cc @Kludex @ochafik

References

No response

[ochafik]

Hi @yannj-fr, thanks for checking in and offering your help!

Reducing maintenance cost sounds like a great objective indeed!

I'm not familiar w/ Authlib (not sure I understand their licensing model, looks like it takes a commercial license to get on their security mailing list). At what level were you thinking of integrating it?

The pattern used in #882 (extending httpx.Auth) could potentially be used, even outside the SDK itself. Whether things make it into the SDK might instead be a question for the protocol itself / e.g. this SEP suggests adding client credentials

[yannj-fr]

Discussed with the maintainers there:
The license is open source for everyone, there is a possibility to gain support through commercial license.
They provide a httpx implementation here https://docs.authlib.org/en/latest/client/httpx.html

My idea is to contribute to authlib for all rfc we need so we have minimum support to do here

[Kludex]

I proposed it on Discord, so... I'm happy.

The license is BSD-3-Clause, the same as Starlette.

[pcarleton]

I'm onboard with this. My one wish would be to do it in a way that's pluggable, so if someone does not want to use authlib, they can swap in something else.

the httpx approach seems like a good hook to make this generic.

For example, if we are prototyping around an RFC not supported in authlib, I'd like to be able to easily swap in an implementation rather than have to patch authlib and cross-link etc.

[yannj-fr]

I suggest we modernize and modularize the OAuthProvider implementation with the following goals in mind:

Composable workflow: Design the provider to expose a simple, override-friendly flow. This allows contributors and integrators to easily test or swap in custom behavior without duplicating the whole logic.

Leverage Authlib: Instead of implementing OAuth/OIDC specs manually, we should rely on authlib to handle protocol compliance. This reduces maintenance burden and ensures adherence to standards, unless we're handling custom flow control.

Configurable flows: Structure parameterization so that each officially supported OAuth flow (e.g., Authorization Code, Client Credentials, etc.) can be easily configured via clean, declarative settings.

Extensibility: Leave room for additional/custom parameters in the configuration. This makes it easier to extend or override specific parts of the provider logic while keeping the configuration accessible and consistent.

[pcarleton]

That all sounds great to me