Implements authentication and authorization as FastAPI dependencies

Overview

FastAPI Security

Implements authentication and authorization as dependencies in FastAPI.

Features

  • Authentication via JWT-based OAuth 2 access tokens and via Basic Auth
  • Pydantic-based User model for authenticated and anonymous users
  • Sub-classable UserPermission dependency to check against the permissions attribute returned in OAuth 2 access tokens
  • Able to extract user info from access tokens via OpenID Connect

Limitations

  • Only supports validating access tokens using public keys from a JSON Web Key Set (JWKS) endpoint. I.e. for use with external identity providers such as Auth0 and ORY Hydra.
  • Permissions can only be picked up automatically from OAuth2 tokens, from the non-standard permissions list attribute (Auth0 provides this, maybe other identity providers as well). For all other use cases, permission_overrides must be used. For example if there's a basic auth user called user1 you can set permission_overrides={"user1": ["*"]} to give the user access to all permissions, or permission_overrides={"user1": ["products:create"]} to only assign user1 with the permission products:create.

Installation

pip install fastapi-security

Usage examples

Examples on how to use can be found here.

TODO

  • Write more tests
Comments
  • Server with *only* basic auth configured returns WWW-Authenticate

    Server with *only* basic auth configured returns WWW-Authenticate "Bearer" whereas it should probably return "Basic"

    Hi!

    First off, thank you for a nice and useful package! Please find a bug report below.

    Repro

    • any fastapi app
    • fastapi security configured with:
    from fastapi_security import FastAPISecurity
    security = FastAPISecurity()
    security.init_basic_auth(settings.BASIC_AUTH_CREDENTIALS)
    
    • request:
    $ curl localhost:8080/api/v1/ -v
    

    Expected Behaviour

    Response contains WWW-Authenticate: Basic header, as it is the only supported authentication method.

    Actual Behaviour:

    $ curl localhost:8080/api/v1/ -v
    *   Trying 127.0.0.1:8080...
    * TCP_NODELAY set
    * Connected to localhost (127.0.0.1) port 8080 (#0)
    > GET /api/v1/ HTTP/1.1
    > Host: localhost:8080
    > User-Agent: curl/7.68.0
    > Accept: */*
    > 
    * Mark bundle as not supporting multiuse
    < HTTP/1.1 401 Unauthorized
    < date: Thu, 03 Jun 2021 10:34:20 GMT
    < server: uvicorn
    < www-authenticate: Bearer
    < content-length: 43
    < content-type: application/json
    < 
    * Connection #0 to host localhost left intact
    {"detail":"Could not validate credentials"}
    

    There's a section of code that is responsible for www-authenticate header, https://github.com/jmagnusson/fastapi-security/blob/main/fastapi_security/api.py#L212-L215, that is only returning "Basic" if there is a valid Authorization: Basic ... header, which seems like it is not needed.

    According to https://datatracker.ietf.org/doc/html/rfc7235#section-4.1, a WWW-Authenticate header may contain multiple challenges,

    image,

    so it should be possible to return both Basic and Bearer if they are initialized.

    opened by immerrr 2
  • chore(main): release 0.5.0

    chore(main): release 0.5.0

    :robot: I have created a release beep boop

    0.5.0 (2022-03-11)

    ⚠ BREAKING CHANGES

    • Make oauth2 dependencies optional

    Bug Fixes

    • Make oauth2 dependencies optional (e0db0f4)

    Documentation

    • Document new extra for oauth2 support (73e1696)
    • Update changelog to conform to release-please format (c9bfb16)

    This PR was generated with Release Please. See documentation.

    autorelease: tagged 
    opened by github-actions[bot] 1
  • CI: macos, windows jobs run on ubuntu, not on the respective OS

    CI: macos, windows jobs run on ubuntu, not on the respective OS

    Problem

    By declaring ubuntu-latest on the workflows.ci like so:

    jobs:
      ci:
        runs-on: ubuntu-latest
    

    the following happens:

    bug-example (screenshot taken from the latest CI action of this project)

    However, given that the purpose of the CI is to test multiple python versions on multiple OS environments, this is not correct. Instead, the above should declare something like:

    expected (screenshot taken from another open-source project)

    Proposed Solution

    We could replace the above code snippet with a parameterized version of it:

    jobs:
      ci:
        runs-on: ${{ matrix.os }}
    
    opened by ilias-ant 0
  • Make audiences nullable in Oauth2JwtAccessTokenValidator

    Make audiences nullable in Oauth2JwtAccessTokenValidator

    Sometimes it's not required to check for aud. Previously, this library didn't allow that, requiring a list of audiences to check the JWT token against. A simple change of logic allows now allows doing so.

    opened by irdkwmnsb 0
  • Add a way to configure basic auth without storing passwords in plaintext in settings

    Add a way to configure basic auth without storing passwords in plaintext in settings

    This PR's goal is to enable storing password digests (instead of plaintext) to increase security.

    It is admittedly a very early version aimed mostly at collecting feedback. I tried to introduce this with as little change as possible to the existing functionality to maintain backward compat, althought it is probably possible to add this to the basic_auth class directly.

    I'm open to suggestions, and I have enabled edits by maintainers if you feel like applying some minor changes directly. Also, feel free to take this as a proof-of-concept, and implement it in a completely independent branch, that's absolutely fine by me.

    opened by immerrr 6
Releases(v0.5.0)
Owner
Jacob Magnusson
Jacob Magnusson
Generate payloads that force authentication against an attacker machine

Hashgrab Generates scf, url & lnk payloads to put onto a smb share. These force authentication to an attacker machine in order to grab hashes (for exa

xct 35 Dec 20, 2022
it's a Django application to register and authenticate users using phone number.

django-phone-auth It's a Django application to register and authenticate users using phone number. CustomUser model created using AbstractUser class.

MsudD 4 Nov 29, 2022
A flask extension for managing permissions and scopes

Flask-Pundit A simple flask extension to organize resource authorization and scoping. This extension is heavily inspired by the ruby Pundit library. I

Anurag Chaudhury 49 Dec 23, 2022
A generic, spec-compliant, thorough implementation of the OAuth request-signing logic

OAuthLib - Python Framework for OAuth1 & OAuth2 *A generic, spec-compliant, thorough implementation of the OAuth request-signing logic for Python 3.5+

OAuthlib 2.5k Jan 02, 2023
The ultimate Python library in building OAuth, OpenID Connect clients and servers. JWS,JWE,JWK,JWA,JWT included.

Authlib The ultimate Python library in building OAuth and OpenID Connect servers. JWS, JWK, JWA, JWT are included. Authlib is compatible with Python2.

Hsiaoming Yang 3.4k Jan 04, 2023
Official implementation of the AAAI 2022 paper "Learning Token-based Representation for Image Retrieval"

Token: Token-based Representation for Image Retrieval PyTorch training code for Token-based Representation for Image Retrieval. We propose a joint loc

Hui Wu 42 Dec 06, 2022
This script helps you log in to your LMS account and enter the currently running session

This script helps you log in to your LMS account and enter the currently running session, all in a second

Ali Ebrahimi 5 Sep 01, 2022
A generic, spec-compliant, thorough implementation of the OAuth request-signing logic

OAuthLib - Python Framework for OAuth1 & OAuth2 *A generic, spec-compliant, thorough implementation of the OAuth request-signing logic for Python 3.5+

OAuthlib 2.5k Jan 01, 2023
Out-of-the-box support register, sign in, email verification and password recovery workflows for websites based on Django and MongoDB

Using djmongoauth What is it? djmongoauth provides out-of-the-box support for basic user management and additional operations including user registrat

hao 3 Oct 21, 2021
Web authentication testing framework

What is this This is a framework designed to test authentication for web applications. While web proxies like ZAProxy and Burpsuite allow authenticate

OWASP 88 Jan 01, 2023
蓝鲸用户管理是蓝鲸智云提供的企业组织架构和用户管理解决方案,为企业统一登录提供认证源服务。

蓝鲸用户管理 简体中文 | English 蓝鲸用户管理是蓝鲸智云提供的企业组织架构和用户管理解决方案,为企业统一登录提供认证源服务。 总览 架构设计 代码目录 功能 支持多层级的组织架构管理 支持通过多种方式同步数据:OpenLDAP、Microsoft Active Directory(MAD)

腾讯蓝鲸 35 Dec 14, 2022
JWT Key Confusion PoC (CVE-2015-9235) Written for the Hack the Box challenge - Under Construction

JWT Key Confusion PoC (CVE-2015-9235) Written for the Hack the Box challenge - Under Construction This script performs a Java Web Token Key Confusion

Alex Fronteddu 1 Jan 13, 2022
Minimal authorization through OO design and pure Ruby classes

Pundit Pundit provides a set of helpers which guide you in leveraging regular Ruby classes and object oriented design patterns to build a simple, robu

Varvet 7.8k Jan 02, 2023
Authentication, JWT, and permission scoping for Sanic

Sanic JWT Sanic JWT adds authentication protection and endpoints to Sanic. It is both easy to get up and running, and extensible for the developer. It

Adam Hopkins 229 Jan 05, 2023
Integrated set of Django applications addressing authentication, registration, account management as well as 3rd party (social) account authentication.

Welcome to django-allauth! Integrated set of Django applications addressing authentication, registration, account management as well as 3rd party (soc

Raymond Penners 7.7k Jan 01, 2023
Basic auth for Django.

easy-basicauth WARNING! THIS LIBRARY IS IN PROGRESS! ANYTHING CAN CHANGE AT ANY MOMENT WITHOUT ANY NOTICE! Installation pip install easy-basicauth Usa

bichanna 2 Mar 25, 2022
A Login/Registration GUI Application with SQLite database for manipulating data.

Login-Register_Tk A Login/Registration GUI Application with SQLite database for manipulating data. What is this program? This program is a GUI applica

Arsalan 1 Feb 01, 2022
OAuth2 goodies for the Djangonauts!

Django OAuth Toolkit OAuth2 goodies for the Djangonauts! If you are facing one or more of the following: Your Django app exposes a web API you want to

Jazzband 2.7k Jan 01, 2023
Awesome Django authorization, without the database

rules rules is a tiny but powerful app providing object-level permissions to Django, without requiring a database. At its core, it is a generic framew

1.6k Dec 30, 2022
Login System Using Django

Login System Django

Nandini Chhajed 6 Dec 12, 2021