Implements authentication and authorization as FastAPI dependencies

Overview

FastAPI Security

Implements authentication and authorization as dependencies in FastAPI.

Features

  • Authentication via JWT-based OAuth 2 access tokens and via Basic Auth
  • Pydantic-based User model for authenticated and anonymous users
  • Sub-classable UserPermission dependency to check against the permissions attribute returned in OAuth 2 access tokens
  • Able to extract user info from access tokens via OpenID Connect

Limitations

  • Only supports validating access tokens using public keys from a JSON Web Key Set (JWKS) endpoint. I.e. for use with external identity providers such as Auth0 and ORY Hydra.
  • Permissions can only be picked up automatically from OAuth2 tokens, from the non-standard permissions list attribute (Auth0 provides this, maybe other identity providers as well). For all other use cases, permission_overrides must be used. For example if there's a basic auth user called user1 you can set permission_overrides={"user1": ["*"]} to give the user access to all permissions, or permission_overrides={"user1": ["products:create"]} to only assign user1 with the permission products:create.

Installation

pip install fastapi-security

Usage examples

Examples on how to use can be found here.

TODO

  • Write more tests
Comments
  • Server with *only* basic auth configured returns WWW-Authenticate

    Server with *only* basic auth configured returns WWW-Authenticate "Bearer" whereas it should probably return "Basic"

    Hi!

    First off, thank you for a nice and useful package! Please find a bug report below.

    Repro

    • any fastapi app
    • fastapi security configured with:
    from fastapi_security import FastAPISecurity
    security = FastAPISecurity()
    security.init_basic_auth(settings.BASIC_AUTH_CREDENTIALS)
    
    • request:
    $ curl localhost:8080/api/v1/ -v
    

    Expected Behaviour

    Response contains WWW-Authenticate: Basic header, as it is the only supported authentication method.

    Actual Behaviour:

    $ curl localhost:8080/api/v1/ -v
    *   Trying 127.0.0.1:8080...
    * TCP_NODELAY set
    * Connected to localhost (127.0.0.1) port 8080 (#0)
    > GET /api/v1/ HTTP/1.1
    > Host: localhost:8080
    > User-Agent: curl/7.68.0
    > Accept: */*
    > 
    * Mark bundle as not supporting multiuse
    < HTTP/1.1 401 Unauthorized
    < date: Thu, 03 Jun 2021 10:34:20 GMT
    < server: uvicorn
    < www-authenticate: Bearer
    < content-length: 43
    < content-type: application/json
    < 
    * Connection #0 to host localhost left intact
    {"detail":"Could not validate credentials"}
    

    There's a section of code that is responsible for www-authenticate header, https://github.com/jmagnusson/fastapi-security/blob/main/fastapi_security/api.py#L212-L215, that is only returning "Basic" if there is a valid Authorization: Basic ... header, which seems like it is not needed.

    According to https://datatracker.ietf.org/doc/html/rfc7235#section-4.1, a WWW-Authenticate header may contain multiple challenges,

    image,

    so it should be possible to return both Basic and Bearer if they are initialized.

    opened by immerrr 2
  • chore(main): release 0.5.0

    chore(main): release 0.5.0

    :robot: I have created a release beep boop

    0.5.0 (2022-03-11)

    ⚠ BREAKING CHANGES

    • Make oauth2 dependencies optional

    Bug Fixes

    • Make oauth2 dependencies optional (e0db0f4)

    Documentation

    • Document new extra for oauth2 support (73e1696)
    • Update changelog to conform to release-please format (c9bfb16)

    This PR was generated with Release Please. See documentation.

    autorelease: tagged 
    opened by github-actions[bot] 1
  • CI: macos, windows jobs run on ubuntu, not on the respective OS

    CI: macos, windows jobs run on ubuntu, not on the respective OS

    Problem

    By declaring ubuntu-latest on the workflows.ci like so:

    jobs:
      ci:
        runs-on: ubuntu-latest
    

    the following happens:

    bug-example (screenshot taken from the latest CI action of this project)

    However, given that the purpose of the CI is to test multiple python versions on multiple OS environments, this is not correct. Instead, the above should declare something like:

    expected (screenshot taken from another open-source project)

    Proposed Solution

    We could replace the above code snippet with a parameterized version of it:

    jobs:
      ci:
        runs-on: ${{ matrix.os }}
    
    opened by ilias-ant 0
  • Make audiences nullable in Oauth2JwtAccessTokenValidator

    Make audiences nullable in Oauth2JwtAccessTokenValidator

    Sometimes it's not required to check for aud. Previously, this library didn't allow that, requiring a list of audiences to check the JWT token against. A simple change of logic allows now allows doing so.

    opened by irdkwmnsb 0
  • Add a way to configure basic auth without storing passwords in plaintext in settings

    Add a way to configure basic auth without storing passwords in plaintext in settings

    This PR's goal is to enable storing password digests (instead of plaintext) to increase security.

    It is admittedly a very early version aimed mostly at collecting feedback. I tried to introduce this with as little change as possible to the existing functionality to maintain backward compat, althought it is probably possible to add this to the basic_auth class directly.

    I'm open to suggestions, and I have enabled edits by maintainers if you feel like applying some minor changes directly. Also, feel free to take this as a proof-of-concept, and implement it in a completely independent branch, that's absolutely fine by me.

    opened by immerrr 6
Releases(v0.5.0)
Owner
Jacob Magnusson
Jacob Magnusson
Django-registration (redux) provides user registration functionality for Django websites.

Description: Django-registration provides user registration functionality for Django websites. maintainers: Macropin, DiCato, and joshblum contributor

Andrew Cutler 920 Jan 08, 2023
Includes Automation and Personal Projects

Python Models, and Connect Forclient & OpenCv projects Completed Automation** Alarm (S

tushar malhan 1 Jan 15, 2022
Web authentication testing framework

What is this This is a framework designed to test authentication for web applications. While web proxies like ZAProxy and Burpsuite allow authenticate

OWASP 88 Jan 01, 2023
Extending the Django authentication system with a phone verification step.

Extending the Django authentication system with a phone verification step.

Miguel Grinberg 50 Dec 04, 2022
Integrated set of Django applications addressing authentication, registration, account management as well as 3rd party (social) account authentication.

Welcome to django-allauth! Integrated set of Django applications addressing authentication, registration, account management as well as 3rd party (soc

Raymond Penners 7.7k Jan 01, 2023
Mock authentication API that acceccpts email and password and returns authentication result.

Mock authentication API that acceccpts email and password and returns authentication result.

Herman Shpryhau 1 Feb 11, 2022
Complete Two-Factor Authentication for Django providing the easiest integration into most Django projects.

Django Two-Factor Authentication Complete Two-Factor Authentication for Django. Built on top of the one-time password framework django-otp and Django'

Bouke Haarsma 1.3k Jan 04, 2023
Abusing Microsoft 365 OAuth Authorization Flow for Phishing Attack

Microsoft365_devicePhish Abusing Microsoft 365 OAuth Authorization Flow for Phishing Attack This is a simple proof-of-concept script that allows an at

Optiv Security 76 Jan 02, 2023
A Python package, that allows you to acquire your RecNet authorization bearer token with your account credentials!

RecNet-Login This is a Python package, that allows you to acquire your RecNet bearer token with your account credentials! Installation Done via git: p

Jesse 6 Aug 18, 2022
Generate payloads that force authentication against an attacker machine

Hashgrab Generates scf, url & lnk payloads to put onto a smb share. These force authentication to an attacker machine in order to grab hashes (for exa

xct 35 Dec 20, 2022
Imia is an authentication library for Starlette and FastAPI (python 3.8+).

Imia Imia (belarussian for "a name") is an authentication library for Starlette and FastAPI (python 3.8+). Production status The library is considered

Alex Oleshkevich 91 Nov 24, 2022
row level security for FastAPI framework

Row Level Permissions for FastAPI While trying out the excellent FastApi framework there was one peace missing for me: an easy, declarative way to def

Holger Frey 315 Dec 25, 2022
API with high performance to create a simple blog and Auth using OAuth2 ⛏

DogeAPI API with high performance built with FastAPI & SQLAlchemy, help to improve connection with your Backend Side to create a simple blog and Cruds

Yasser Tahiri 111 Jan 05, 2023
Flask App With Login

Flask App With Login by FranciscoCharles Este projeto basico é o resultado do estudos de algumas funcionalidades do micro framework Flask do Python. O

Charles 3 Nov 14, 2021
An introduction of Markov decision process (MDP) and two algorithms that solve MDPs (value iteration, policy iteration) along with their Python implementations.

Markov Decision Process A Markov decision process (MDP), by definition, is a sequential decision problem for a fully observable, stochastic environmen

Yu Shen 31 Dec 30, 2022
Ready to use and customizable Authentications and Authorisation management for FastAPI ⚡

AuthenticationX 💫 Ready-to-use and customizable Authentications and Oauth2 management for FastAPI ⚡ Source Code: https://github.com/yezz123/AuthX Doc

Yasser Tahiri 404 Dec 27, 2022
Object Moderation Layer

django-oml Welcome to the documentation for django-oml! OML means Object Moderation Layer, the idea is to have a mixin model that allows you to modera

Angel Velásquez 12 Aug 22, 2019
User Authentication in Flask using Flask-Login

User-Authentication-in-Flask Set up & Installation. 1 .Clone/Fork the git repo and create an environment Windows git clone https://github.com/Dev-Elie

ONDIEK ELIJAH OCHIENG 31 Dec 11, 2022
A fully tested, abstract interface to creating OAuth clients and servers.

Note: This library implements OAuth 1.0 and not OAuth 2.0. Overview python-oauth2 is a python oauth library fully compatible with python versions: 2.6

Joe Stump 3k Jan 02, 2023
Django x Elasticsearch Templates

Django x Elasticsearch Requirements Python 3.7 Django = 3 Elasticsearch 7.15 Setup Elasticsearch Install via brew Install brew tap elastic/tap brew

Aji Pratama 0 May 22, 2022