of activity in the AI world over the last few weeks, a recent important announcement by Streamlit that it now supports OpenID Connect (OIDC) login authentication almost passed me by.
User authorisation and verification can be a crucial consideration for data scientists, machine learning engineers, and others involved in creating dashboards, machine learning proofs of concept (PoCs), and other applications. Keeping potentially sensitive data private is paramount, so you want to ensure that only authorised users can access your app.
In this article, we’ll discuss this new feature of Streamlit and develop a simple app to showcase it. Our app might be simple, but it demonstrates all the key things you need to know when creating more complex software.
What is Streamlit?
If you’ve never heard of Streamlit, it’s an open-source Python library designed to build and deploy interactive web applications with minimal code quickly. It is widely used for data visualisation, machine learning model deployment, dashboards, and internal tools. With Streamlit, developers can create web apps using Python without frontend experience in HTML, CSS, or JavaScript.
Its key features include widgets for user input, built-in caching for performance optimisation, and easy integration with data science libraries like Pandas, Matplotlib, and TensorFlow. Streamlit is particularly popular among data scientists and AI/ML practitioners for sharing insights and models in a web-based interface.
If you’d like to learn more about Streamlit, I’ve written a TDS article on using it to create a data dashboard, which you can access using this link.
What is OIDC?
OpenID Connect (OIDC) is an authentication protocol that builds upon OAuth 2.0. It allows users to securely sign in to applications using their existing credentials from identity providers like Google, Microsoft, Okta, and Auth0.
It enables single sign-on (SSO) and provides user identity information via ID tokens, including email addresses and profile details. Unlike OAuth, which focuses on authorisation, OIDC is designed explicitly for authentication, making it a standard for secure, scalable, and user-friendly login experiences across web and mobile applications.
In this article, I’ll show you how to set things up and write code for a Streamlit app that uses OIDC to prompt for your Google email and password. You can use those details to log in to the app and access a second screen that contains an example of a data dashboard.
Prerequisites
As this article focuses on using Google as an identity provider, if you don’t already have one, you’ll need a Google email address and a Google Cloud account. Once you have your email, sign in to Google Cloud with it using the link below.
https://console.cloud.google.com
If you’re worried about the expense of signing up for Google Cloud, don’t be. They offer a free 90-day trial and $300 worth of credits. You only pay for what you use, and you can cancel your Cloud account subscription at any time, before or after your free trial expires. Regardless, what we’ll be doing here should incur no cost. However, I always recommend setting up billing alerts for any cloud provider you sign up for — just in case.
We’ll return to what you must do to set up your cloud account later.
Setting up our dev environment
I’m developing using WSL2 Ubuntu Linux on Windows, but the following should also work on regular Windows. Before starting a project like this, I always create a separate Python development environment where I can install any software needed and experiment with coding. Now, anything I do in this environment will be siloed and won’t impact my other projects.
I use Miniconda for this, but you can use any method that suits you best. If you want to follow the Miniconda route and don’t already have it, you must first install Miniconda.
Now, you can set up your environment like this.
(base) $ conda create -n streamlit python=3.12 -y
(base) $ conda activate streamlit
# Install required Libraries
(streamlit) $ pip install streamlit streamlit-extras Authlib
(streamlit) $ pip install pandas matplotlib numpyWhat we’ll build
This will be a streamlit app. Initially, there will be a screen which displays the following text,
An example Streamlit app showing the use of OIDC and Google email for login authentication
Please use the button on the sidebar to log in.
On the left sidebar, there will be two buttons. One says Login, and the other says Dashboard.
If a user is not logged in, the Dashboard button will be greyed out and unavailable for use. When the user presses the Login button, a screen will be displayed asking the user to log in via Google. Once logged in, two things happen:-
- The Login button on the sidebar changes to Logout.
- The Dashboard button becomes available to use. This will display some dummy data and graphs for now.
If a logged-in user clicks the Logout button, the app resets itself to its initial state.
NB. I have deployed a working version of my app to the Streamlit community cloud. For a sneak preview, click the link below. You may need to “wake up” the app first if no one has clicked on it for a while, but this only takes a few seconds.
Set up on Google Cloud
To enable email verification using your Google Gmail account, there are a few things you have to do first on the Google Cloud. They’re pretty straightforward, so take your time and follow each step carefully. I’m assuming you’ve already set up or have a Google email and cloud account, and that you’ll be creating a new project for your work.
Go to Google Cloud Console and log in. You should see a screen similar to the one shown below.
You need to set up a project first. Click the Project Picker button. It’s immediately to the right of the Google Cloud logo, near the top left of the screen and will be labelled with the name of one of your existing projects or “Select a project” if you don’t have an existing project. In the pop-up that appears, click the New Project button located at the top right. This will let you insert a project name. Next, click on the Create button.
Once that’s done, your new project name will be displayed next to the Google Cloud logo at the top of the screen. Next, click on the hamburger-style menu at the top left of the page.
- Navigate to APIs & Services → Credentials
- Click Create Credentials → OAuth Client ID
- Select Web application
- Add http://localhost:8501/oauth2callback as an Authorized Redirect URI
- Take note of the Client ID and Client Secret as we’ll need them in a bit.
Local setup and Python code
Decide which local folder your main Python Streamlit app file will live in. In there, create a file, such as app.py, and insert the following Python code into it.
import streamlit as st
import pandas as pd
import numpy as np
import matplotlib.pyplot as plt
# ——— Page setup & state ———
st.set_page_config(page_title="SecureApp", page_icon="🔑", layout="wide")
if "page" not in st.session_state:
st.session_state.page = "main"
# ——— Auth Helpers ———
def _user_obj():
return getattr(st, "user", None)
def user_is_logged_in() -> bool:
u = _user_obj()
return bool(getattr(u, "is_logged_in", False)) if u else False
def user_name() -> str:
u = _user_obj()
return getattr(u, "name", "Guest") if u else "Guest"
# ——— Main & Dashboard Pages ———
def main():
if not user_is_logged_in():
st.title("An example Streamlit app showing the use of OIDC and Google email for login authentication")
st.subheader("Use the sidebar button to log in.")
else:
st.title("Congratulations")
st.subheader("You’re logged in! Click Dashboard on the sidebar.")
def dashboard():
st.title("Dashboard")
st.subheader(f"Welcome, {user_name()}!")
df = pd.DataFrame({
"Month": ["Jan","Feb","Mar","Apr","May","Jun"],
"Sales": np.random.randint(100,500,6),
"Profit": np.random.randint(20,100,6)
})
st.dataframe(df)
fig, ax = plt.subplots()
ax.plot(df["Month"], df["Sales"], marker="o", label="Sales")
ax.set(xlabel="Month", ylabel="Sales", title="Monthly Sales Trend")
ax.legend()
st.pyplot(fig)
fig, ax = plt.subplots()
ax.bar(df["Month"], df["Profit"], label="Profit")
ax.set(xlabel="Month", ylabel="Profit", title="Monthly Profit")
ax.legend()
st.pyplot(fig)
# ——— Sidebar & Navigation ———
st.sidebar.header("Navigation")
if user_is_logged_in():
if st.sidebar.button("Logout"):
st.logout()
st.session_state.page = "main"
st.rerun()
else:
if st.sidebar.button("Login"):
st.login("google") # or "okta"
st.rerun()
if st.sidebar.button("Dashboard", disabled=not user_is_logged_in()):
st.session_state.page = "dashboard"
st.rerun()
# ——— Page Dispatch ———
if st.session_state.page == "main":
main()
else:
dashboard()
This script builds a two-page Streamlit app with Google (or OIDC) login and a simple dashboard:
- Page setup & state
- Configures the browser tab (title/icon/layout).
- Uses
st.session_state["page"]to remember whether you’re on the “main” screen or the “dashboard.”
- Auth helpers
_user_obj()safely grab thest.userobject if it exists.user_is_logged_in()anduser_name(). Check whether you’ve logged in and get your name (or default to “Guest”).
- Main vs. Dashboard pages
- Main: If you’re not logged in, display a title/subheader prompting you to log in; if you’re logged in, display a congratulatory message and direct you to the dashboard.
- Dashboard: greets you by name, generates a dummy DataFrame of monthly sales/profit, displays it, and renders a line chart for Sales plus a bar chart for Profit.
- Sidebar navigation
- Shows a Login or Logout button depending on your status (calling
st.login("google")orst.logout()). - Shows a “Dashboard” button that’s only enabled once you’re logged in.
- Shows a Login or Logout button depending on your status (calling
- Page dispatch
- At the bottom, it checks
st.session_state.pageand runs eithermain()ordashboard()accordingly.
- At the bottom, it checks
Configuring Your secrets.toml for Google OAuth Authentication
In the same folder where your app.py file lives, create a subfolder called .streamlit. Now go into this new subfolder and create a file called secrets.toml. The Client ID and Client Secret from Google Cloud should be added to that file, along with a redirect URI and cookie secret. Your file should look something like this,
#
# secrets.toml
#
[auth]
redirect_uri = "http://localhost:8501/oauth2callback"
cookie_secret = "your-secure-random-string-anything-you-like"
[auth.google]
client_id = "************************************.apps.googleusercontent.com"
client_secret = "*************************************"
server_metadata_url = "https://accounts.google.com/.well-known/openid-configuration"Okay, we should now be able to run our app. To do that, go back to the folder where app.py lives and type this into the command line.
(streamlit) $ streamlit run app.pyIf all has gone well with your code and set-up, you should see the following screen.
Notice that the Dashboard button on the sidebar should be greyed out because you’re not logged in yet. Start by clicking the Login button on the sidebar. You should see the screen below (I’ve obscured my credentials for security reasons),
Once you choose an account and log in, the Streamlit app display will change to this.
You will also notice that the Dashboard button is now clickable, and when you click it, you should see a screen like this.
Finally, log back out, and the app should return to its initial state.
Summary
In this article, I explained that proper OIDC authorisation is now available to Streamlit users. This allows you to ensure that anyone using your app is a legitimate user. In addition to Google, you can also use popular providers such as Microsoft, OAuth, Okta, and others.
I explained what Streamlit was and its uses, and briefly described the OpenID Connect (OIDC) authentication protocol.
For my coding example, I focused on using Google as the authenticator and showed you the prerequisite steps to set it up correctly for use on Google’s Cloud platform.
I also provided a sample Streamlit app that shows Google authorisation in action. Although this is a simple app, it highlights all techniques you require should your needs grow in complexity.
