I was disappointed to see Flask-Security and Flask-Principal are now abandoned. We went with Flask-Allows for security at my job. It’s actively maintained with a simple API. Handles the requirements of our Flask-based ERP really well.

Yet no Flask application I've ever written needed user auth :)

Indeed, its a risky choice for that.

Try farming out the auth to a middleware. That's what I do and it works really well.

Does it interface with sqlalchemy, onboarding, email, etc?

Your auth middleware can attach a user object to environ that your downstream apps could reference.

Whatever else you do (email, onboarding, sqlalchemy) you can do downstream, or directly in the (or a different ) middleware if you want.

Like openam? or what do you suggest.

Check out Flask-User. It's a lot like the user auth in Django. Developer still around.

Believe it is a part. I mentioned user+auth, but there is commonly a lot more around that for a typical sass app. Registration, password-reset, just to name two.