# Copyright (c) Streamlit Inc. (2018-2022) Snowflake Inc. (2022-2025) # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. from __future__ import annotations from collections.abc import Iterator, Mapping from typing import ( TYPE_CHECKING, Any, Final, NoReturn, Union, ) from streamlit import config, logger, runtime from streamlit.auth_util import ( encode_provider_token, get_secrets_auth_section, is_authlib_installed, validate_auth_credentials, ) from streamlit.deprecation_util import ( make_deprecated_name_warning, show_deprecation_warning, ) from streamlit.errors import StreamlitAPIException, StreamlitAuthError from streamlit.proto.ForwardMsg_pb2 import ForwardMsg from streamlit.runtime.metrics_util import gather_metrics from streamlit.runtime.scriptrunner_utils.script_run_context import ( get_script_run_ctx as _get_script_run_ctx, ) from streamlit.url_util import make_url_path if TYPE_CHECKING: from streamlit.runtime.scriptrunner_utils.script_run_context import UserInfo _LOGGER: Final = logger.get_logger(__name__) AUTH_LOGIN_ENDPOINT: Final = "/auth/login" AUTH_LOGOUT_ENDPOINT: Final = "/auth/logout" @gather_metrics("login") def login(provider: str | None = None) -> None: """Initiate the login flow for the given provider. This command redirects the user to an OpenID Connect (OIDC) provider. After the user authenticates their identity, they are redirected back to the home page of your app. Streamlit stores a cookie with the user's identity information in the user's browser . You can access the identity information through |st.user|_. Call ``st.logout()`` to remove the cookie and start a new session. You can use any OIDC provider, including Google, Microsoft, Okta, and more. You must configure the provider through secrets management. Although OIDC is an extension of OAuth 2.0, you can't use generic OAuth providers. Streamlit parses the user's identity token and surfaces its attributes in ``st.user``. If the provider returns an access token, that token is ignored. Therefore, this command will not allow your app to act on behalf of a user in a secure system. For all providers, there are two shared settings, ``redirect_uri`` and ``cookie_secret``, which you must specify in an ``[auth]`` dictionary in ``secrets.toml``. Other settings must be defined as described in the ``provider`` parameter. - ``redirect_uri`` is your app's absolute URL with the pathname ``oauth2callback``. For local development using the default port, this is ``http://localhost:8501/oauth2callback``. - ``cookie_secret`` should be a strong, randomly generated secret. In addition to the shared settings, the following settings are required: - ``client_id`` - ``client_secret`` - ``server_metadata_url`` For a complete list of OIDC parameters, see `OpenID Connect Core `_ and your provider's documentation. By default, Streamlit sets ``scope="openid profile email"`` and ``prompt="select_account"``. You can change these and other OIDC parameters by passing a dictionary of settings to ``client_kwargs``. ``state`` and ``nonce``, which are used for security, are handled automatically and don't need to be specified. For more information, see Example 4. .. Important:: - You must install ``Authlib>=1.3.2`` to use this command. - Your authentication configuration is dependent on your host location. When you deploy your app, remember to update your ``redirect_uri`` within your app and your provider. - All URLs declared in the settings must be absolute (i.e., begin with ``http://`` or ``https://``). - Streamlit automatically enables CORS and XSRF protection when you configure authentication in ``secrets.toml``. This takes precedence over configuration options in ``config.toml``. - If a user is logged into your app and opens a new tab in the same browser, they will automatically be logged in to the new session with the same account. - If a user closes your app without logging out, the identity cookie will expire after 30 days. - For security reasons, authentication is not supported for embedded apps. .. |st.user| replace:: ``st.user`` .. _st.user: https://docs.streamlit.io/develop/api-reference/user/st.user Parameters ---------- provider: str or None The name of your provider configuration to use for login. If ``provider`` is ``None`` (default), Streamlit will use all settings in the ``[auth]`` dictionary within your app's ``secrets.toml`` file. Otherwise, use an ``[auth.{provider}]`` dictionary for the named provider, as shown in the examples that follow. When you pass a string to ``provider``, Streamlit will use ``redirect_uri`` and ``cookie_secret``, while ignoring any other values in the ``[auth]`` dictionary. Due to internal implementation details, Streamlit does not support using an underscore within ``provider`` at this time. Examples -------- **Example 1: Use an unnamed default identity provider** If you do not specify a name for your provider, specify all settings within the ``[auth]`` dictionary of your ``secrets.toml`` file. The following example configures Google as the default provider. For information about using OIDC with Google, see `Google Identity `_. ``.streamlit/secrets.toml``: >>> [auth] >>> redirect_uri = "http://localhost:8501/oauth2callback" >>> cookie_secret = "xxx" >>> client_id = "xxx" >>> client_secret = "xxx" >>> server_metadata_url = "https://accounts.google.com/.well-known/openid-configuration" # fmt: skip Your app code: >>> import streamlit as st >>> >>> if not st.user.is_logged_in: >>> if st.button("Log in"): >>> st.login() >>> else: >>> if st.button("Log out"): >>> st.logout() >>> st.write(f"Hello, {st.user.name}!") **Example 2: Use a named identity provider** If you specify a name for your provider, save the shared settings in the ``[auth]`` dictionary of your ``secrets.toml`` file, and save the other settings in an ``[auth.{provider}]`` dictionary, where ``{provider}`` is the name of your provider. The following example configures Microsoft as the provider. The example uses ``provider="microsoft"``, but you can use any name. This name is internal to Streamlit and is used to match the login command to its configuration. For information about using OIDC with Microsoft, see `Microsoft Entra ID `_. To configure your ``{tenant}`` value in ``server_metadata_url``, see `Microsoft identity platform `_. ``.streamlit/secrets.toml``: >>> [auth] >>> redirect_uri = "http://localhost:8501/oauth2callback" >>> cookie_secret = "xxx" >>> >>> [auth.microsoft] >>> client_id = "xxx" >>> client_secret = "xxx" >>> server_metadata_url = "https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration" Your app code: >>> import streamlit as st >>> >>> if not st.user.is_logged_in: >>> st.login("microsoft") >>> else: >>> st.write(f"Hello, {st.user.name}!") **Example 3: Use multiple, named providers** If you want to give your users a choice of authentication methods, configure multiple providers and give them each a unique name. The following example lets users choose between Okta and Microsoft to log in. Always check with your identity provider to understand the structure of their identity tokens because the returned fields may differ. Remember to set ``{tenant}`` and ``{subdomain}`` in ``server_metadata_url`` for Microsoft and Okta, respectively. >>> [auth] >>> redirect_uri = "http://localhost:8501/oauth2callback" >>> cookie_secret = "xxx" >>> >>> [auth.microsoft] >>> client_id = "xxx" >>> client_secret = "xxx" >>> server_metadata_url = "https://login.microsoftonline.com/{tenant}/v2.0/.well-known/openid-configuration" >>> >>> [auth.okta] >>> client_id = "xxx" >>> client_secret = "xxx" >>> server_metadata_url = "https://{subdomain}.okta.com/.well-known/openid-configuration" # fmt: skip Your app code: >>> import streamlit as st >>> >>> if not st.user.is_logged_in: >>> st.header("Log in:") >>> if st.button("Microsoft"): >>> st.login("microsoft") >>> if st.button("Okta"): >>> st.login("okta") >>> else: >>> if st.button("Log out"): >>> st.logout() >>> st.write(f"Hello, {st.user.name}!") **Example 4: Change the default connection settings** ``prompt="select_account"`` may be treated differently by some providers when a user is already logged into their account. If a user is logged into their Google or Microsoft account from a previous session, the provider will prompt them to select the account they want to use, even if it's the only one. However, if the user is logged into their Okta or Auth0 account from a previous session, the account will automatically be selected. ``st.logout()`` does not clear a user's related cookies. To force users to log in every time, use ``prompt="login"`` as described in Auth0's `Customize Signup and Login Prompts `_. ``.streamlit/secrets.toml``: >>> [auth] >>> redirect_uri = "http://localhost:8501/oauth2callback" >>> cookie_secret = "xxx" >>> >>> [auth.auth0] >>> client_id = "xxx" >>> client_secret = "xxx" >>> server_metadata_url = "https://{account}.{region}.auth0.com/.well-known/openid-configuration" # fmt: skip >>> client_kwargs = { "prompt" = "login" } Your app code: >>> import streamlit as st >>> if st.button("Log in"): >>> st.login("auth0") >>> if st.user.is_logged_in: >>> if st.button("Log out"): >>> st.logout() >>> st.write(f"Hello, {st.user.name}!) """ if provider is None: provider = "default" context = _get_script_run_ctx() if context is not None: if not is_authlib_installed(): raise StreamlitAuthError( """To use authentication features, you need to install """ """Authlib>=1.3.2, e.g. via `pip install Authlib`.""" ) validate_auth_credentials(provider) fwd_msg = ForwardMsg() fwd_msg.auth_redirect.url = generate_login_redirect_url(provider) context.enqueue(fwd_msg) @gather_metrics("logout") def logout() -> None: """Logout the current user. This command removes the user's information from ``st.user``, deletes their identity cookie, and redirects them back to your app's home page. This creates a new session. If the user has multiple sessions open in the same browser, ``st.user`` will not be cleared in any other session. ``st.user`` only reads from the identity cookie at the start of a session. After a session is running, you must call ``st.login()`` or ``st.logout()`` within that session to update ``st.user``. .. Note:: This does not log the user out of their underlying account from the identity provider. Example ------- ``.streamlit/secrets.toml``: >>> [auth] >>> redirect_uri = "http://localhost:8501/oauth2callback" >>> cookie_secret = "xxx" >>> client_id = "xxx" >>> client_secret = "xxx" >>> server_metadata_url = "https://accounts.google.com/.well-known/openid-configuration" # fmt: skip Your app code: >>> import streamlit as st >>> >>> if not st.user.is_logged_in: >>> if st.button("Log in"): >>> st.login() >>> else: >>> if st.button("Log out"): >>> st.logout() >>> st.write(f"Hello, {st.user.name}!") """ context = _get_script_run_ctx() if context is not None: context.user_info.clear() session_id = context.session_id if runtime.exists(): instance = runtime.get_instance() instance.clear_user_info_for_session(session_id) base_path = config.get_option("server.baseUrlPath") fwd_msg = ForwardMsg() fwd_msg.auth_redirect.url = make_url_path(base_path, AUTH_LOGOUT_ENDPOINT) context.enqueue(fwd_msg) def generate_login_redirect_url(provider: str) -> str: """Generate the login redirect URL for the given provider.""" provider_token = encode_provider_token(provider) base_path = config.get_option("server.baseUrlPath") login_path = make_url_path(base_path, AUTH_LOGIN_ENDPOINT) return f"{login_path}?provider={provider_token}" def _get_user_info() -> UserInfo: ctx = _get_script_run_ctx() if ctx is None: _LOGGER.warning( "No script run context available. st.user will return an empty dictionary." ) return {} context_user_info = ctx.user_info.copy() auth_section_exists = get_secrets_auth_section() if "is_logged_in" not in context_user_info and auth_section_exists: context_user_info["is_logged_in"] = False return context_user_info class UserInfoProxy(Mapping[str, Union[str, bool, None]]): """ A read-only, dict-like object for accessing information about the current\ user. ``st.user`` is dependent on the host platform running your Streamlit app. If your host platform has not configured the object, ``st.user`` will behave as it does in a locally running app. When authentication is configured in ``secrets.toml``, Streamlit will parse the OpenID Connect (OIDC) identity token and copy the attributes to ``st.user``. Check your provider's documentation for their available attributes (known as claims). When authentication is not configured, ``st.user`` has no attributes. You can access values via key or attribute notation. For example, use ``st.user["email"]`` or ``st.user.email`` to access the ``email`` attribute. .. Important:: Identity tokens include an issuance and expiration time. Streamlit does not implicitly check these. If you want to automatically expire a user's authentication, check these values manually and programmatically log out your user (``st.logout()``) when needed. Attributes ---------- is_logged_in: bool Whether a user is logged in. For a locally running app, this attribute is only available when authentication (``st.login()``) is configured in ``secrets.toml``. Otherwise, it does not exist. Examples -------- **Example 1: Google's identity token** If you configure a basic Google OIDC connection as shown in Example 1 of ``st.login()``, the following data is available in ``st.user``. Streamlit adds the ``is_logged_in`` attribute. Additional attributes may be available depending on the configuration of the user's Google account. For more information about Google's identity tokens, see `Obtain user information from the ID token `_ in Google's docs. Your app code: >>> import streamlit as st >>> >>> if st.user.is_logged_in: >>> st.write(st.user) Displayed data when a user is logged in: >>> { >>> "is_logged_in":true >>> "iss":"https://accounts.google.com" >>> "azp":"{client_id}.apps.googleusercontent.com" >>> "aud":"{client_id}.apps.googleusercontent.com" >>> "sub":"{unique_user_id}" >>> "email":"{user}@gmail.com" >>> "email_verified":true >>> "at_hash":"{access_token_hash}" >>> "nonce":"{nonce_string}" >>> "name":"{full_name}" >>> "picture":"https://lh3.googleusercontent.com/a/{content_path}" >>> "given_name":"{given_name}" >>> "family_name":"{family_name}" >>> "iat":{issued_time} >>> "exp":{expiration_time} >>> } **Example 2: Microsoft's identity token** If you configure a basic Microsoft OIDC connection as shown in Example 2 of ``st.login()``, the following data is available in ``st.user``. For more information about Microsoft's identity tokens, see `ID token claims reference `_ in Microsoft's docs. Your app code: >>> import streamlit as st >>> >>> if st.user.is_logged_in: >>> st.write(st.user) Displayed data when a user is logged in: >>> { >>> "is_logged_in":true >>> "ver":"2.0" >>> "iss":"https://login.microsoftonline.com/{tenant_id}/v2.0" >>> "sub":"{application_user_id}" >>> "aud":"{application_id}" >>> "exp":{expiration_time} >>> "iat":{issued_time} >>> "nbf":{start_time} >>> "name":"{full_name}" >>> "preferred_username":"{username}" >>> "oid":"{user_GUID}" >>> "email":"{email}" >>> "tid":"{tenant_id}" >>> "nonce":"{nonce_string}" >>> "aio":"{opaque_string}" >>> } """ def __getitem__(self, key: str) -> str | bool | None: try: return _get_user_info()[key] except KeyError: raise KeyError(f'st.user has no key "{key}".') def __getattr__(self, key: str) -> str | bool | None: try: return _get_user_info()[key] except KeyError: raise AttributeError(f'st.user has no attribute "{key}".') def __setattr__(self, name: str, value: str | None) -> NoReturn: raise StreamlitAPIException("st.user cannot be modified") def __setitem__(self, name: str, value: str | None) -> NoReturn: raise StreamlitAPIException("st.user cannot be modified") def __iter__(self) -> Iterator[str]: return iter(_get_user_info()) def __len__(self) -> int: return len(_get_user_info()) def to_dict(self) -> UserInfo: """ Get user info as a dictionary. This method primarily exists for internal use and is not needed for most cases. ``st.user`` returns an object that inherits from ``dict`` by default. Returns ------- Dict[str,str] A dictionary of the current user's information. """ return _get_user_info() has_shown_experimental_user_warning = False def maybe_show_deprecated_user_warning() -> None: """Show a deprecation warning for the experimental_user alias.""" global has_shown_experimental_user_warning # noqa: PLW0603 if not has_shown_experimental_user_warning: has_shown_experimental_user_warning = True show_deprecation_warning( make_deprecated_name_warning( "experimental_user", "user", "2025-11-06", ) ) class DeprecatedUserInfoProxy(UserInfoProxy): """ A deprecated alias for UserInfoProxy. This class is deprecated and will be removed in a future version of Streamlit. """ def __getattribute__(self, name: str) -> Any: maybe_show_deprecated_user_warning() return super().__getattribute__(name) def __getitem__(self, key: str) -> Any: maybe_show_deprecated_user_warning() return super().__getitem__(key)