In Line 50 of oauth.py (authorize method of FacebookSignIn) there is an extra closing parenthesis after 'get_callback_url()'

If someone were to build a basic site off this framework for multiple users and perhaps add an API call in the back that touches an OAuth provider endpoint to get user information, the access token for the last logged in user (with that provider) would be used to make this call so there could potentially be a breach in privacy in trying to request your own information from a provider's API. I faced this when working with this code.

I understand its a small framework primarily demonstrating the usage of OAuth but it seems like a reasonable concern. I can submit a PR to fix it if it will be considered. I have addressed this in my material-message-board repository using a class method and some session information

I've been trying to run this example in the contact of a cPane/Passenger Python app and seem to be having trouble creating the initial table - a quick test reports the following:

(sqlite3.OperationalError) no such table: users [SQL: 'INSERT INTO users (social_id, nickname, email) VALUES (?, ?, ?)'] [parameters: ('test1', 'ntest1', 'emtest1')]

Test code below extends your example:

@app.route('/test')
def test():
    user = User(social_id='test1', nickname='ntest1', email='emtest1')
    db.session.add(user)
    #Failing on the commit:
    #(sqlite3.OperationalError) no such table: users [SQL: 'INSERT INTO users (social_id, nickname, email) VALUES (?, ?, ?)'] [parameters: ('test1', 'ntest1', 'emtest1')]
    try:
        db.session.commit()
    except BaseException as e:
        return str(e)

Looking at the size of the sqlite file, and also trying to initialises the database directly via a Python terminal, it seems that even though the SQLite file is created it is always empty (0 bytes).

I believe line 64 of app.py needs to be updated to social_id, username, email = oauth.callback(). Otherwise I think the app tries to enter the username in the email field, and leaves the username field blank, resulting in the following error.

IntegrityError: (IntegrityError) users.nickname may not be NULL u'INSERT INTO users (social_id, nickname, email) VALUES (?, ?, ?)' ('twitter$example', None, u'example')

How to obtain access token?

The base_url in this code

self.service = OAuth1Service(
            name='twitter',
            consumer_key=self.consumer_id,
            consumer_secret=self.consumer_secret,
            request_token_url='https://api.twitter.com/oauth/request_token',
            authorize_url='https://api.twitter.com/oauth/authorize',
            access_token_url='https://api.twitter.com/oauth/access_token',
            base_url='https://api.twitter.com/1.1'
        )

makes the server return an error

{
  "message": "Sorry, that page does not exist",
  "code": 34
}

I notice in the example you don't collect the user password to be stored is that deliberate? or its a case where oauth does not require web app developers to store user password data collected from say facebook or twitter or google? just need some clarification.