OAuth Provider

Turn Kernia into an OAuth 2.0 and OpenID Connect issuer.

The OAuth provider package lets your application issue authorization codes, access tokens, refresh tokens, and ID tokens to registered clients. Use it when third-party apps need to sign in with your Kernia users.

Installation

uv add kernia-oauth-provider

Import path

from kernia_oauth_provider import OAuthProviderOptions, oauth_provider

Server configuration

auth.py
import os

from kernia import KerniaOptions
from kernia.auth import init
from kernia_oauth_provider import OAuthProviderOptions, oauth_provider

from .db import adapter

auth = init(KerniaOptions(
    database=adapter,
    secret=os.environ["KERNIA_SECRET"],
    base_url=os.environ["KERNIA_BASE_URL"],
    base_path="/api/auth",
    plugins=(
        oauth_provider(OAuthProviderOptions(issuer=os.environ["KERNIA_BASE_URL"])),
    ),
))

API routes

GET /api/auth/oauth2/authorize

Validates client and consent context, then issues an authorization code.

POST /api/auth/oauth2/token

Exchanges authorization codes or refresh tokens for token responses.

GET /api/auth/oauth2/userinfo

Returns OIDC userinfo for an access token.

POST /api/auth/oauth2/revoke

Revokes a token.

POST /api/auth/oauth2/introspect

Introspects token activity and metadata.

GET /api/auth/.well-known/openid-configuration

Publishes OIDC discovery metadata.

POST /api/auth/oauth2/register

Registers an OAuth client when dynamic registration is enabled.

Schema impact

Adds OAuth client, authorization code, token, and consent-related models from the standalone package. Generate migrations before enabling clients.

Behavior and options

  • Keep issuer, redirect URI validation, scopes, and client authentication strict.
  • Use HTTPS issuer URLs outside local tests.
  • Pair with the JWT/JWKS path for OIDC token verification.
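
The issuer and redirect URI points above, as an added example that is not part of the Kernia package or its API: a pre-deployment check on the issuer value and an exact-match redirect URI comparison. The function names, the local-host list, and the sample URLs in the test are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Hosts treated as "local tests" in this example (an assumption, adjust as needed).
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def issuer_problems(issuer: str) -> list[str]:
    """Return the reasons an issuer URL is unsafe; an empty list means acceptable."""
    try:
        parts = urlsplit(issuer)
    except ValueError:
        return ["issuer is not a parseable URL"]
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return ["issuer must be an absolute http(s) URL"]
    problems = []
    if parts.scheme == "http" and parts.hostname not in LOCAL_HOSTS:
        problems.append("plain HTTP issuer outside local testing")
    if parts.query or parts.fragment:
        problems.append("issuer must not carry a query or fragment")
    if parts.username or parts.password:
        problems.append("issuer must not embed credentials")
    return problems


def redirect_uri_allowed(requested: str, registered: frozenset[str]) -> bool:
    """Strict check: the requested URI must equal a registered one, character
    for character. No prefix, wildcard, or normalized matching is applied."""
    try:
        parts = urlsplit(requested)
    except ValueError:
        return False
    if parts.fragment:
        # Redirect URIs must not contain a fragment component.
        return False
    return requested in registered


if __name__ == "__main__":
    import os
    import sys

    # Fail the deployment step early if the configured issuer is unsafe.
    found = issuer_problems(os.environ.get("KERNIA_BASE_URL", ""))
    for problem in found:
        print(f"issuer check: {problem}", file=sys.stderr)
    sys.exit(1 if found else 0)
```

Run as a script, it exits non-zero when `KERNIA_BASE_URL` fails the issuer check, so it can gate a deploy step.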