This repository has been archived by the owner on Mar 16, 2024. It is now read-only.

Parse token for additional information #22

Closed
afraazali opened this issue Mar 3, 2022 · 6 comments
Labels
documentation Improvements or additions to documentation enhancement New feature or request

Comments

@afraazali

I've been using https://github.com/elbernv/fastapi-keycloack to add security to my routes. I was trying to switch to using this library, seeing as though it is getting regular updates. I was wondering if it's currently possible to decode more from the token than what the OIDCUser object currently returns?

For example, I've added the user's group memberships to the profile scope, and I've also added it as its own scope, so two questions:

  1. Is it possible to fetch the group memberships from the token when using the profile scope?
  2. Is it possible to add more scopes? It seems like only profile and email are currently available when adding security to the FastAPI application.

Thank you.

@yannicschroeer
Collaborator

yannicschroeer commented Mar 14, 2022

Hello @afraazali. Sorry for coming back this late to you, this notification somehow got stuck in my spam folder.

For your first question: Yes. It is possible and relatively easy to achieve. Our data transfer objects are based on pydantic models. So, if you want to extend the OIDCUser by an attribute, all you have to do is add it to its model:

/model.py

from typing import List, Optional

from pydantic import BaseModel


class OIDCUser(BaseModel):
    sub: str
    iat: int
    exp: int
    scope: Optional[str]
    email_verified: bool
    name: Optional[str]
    given_name: Optional[str]
    family_name: Optional[str]
    email: Optional[str]
    realm_access: Optional[dict]
    groups: Optional[List[str]]  # <---- New attribute

If your token contains a section "groups", it will be included in the OIDCUser afterward, as all the information is parsed:

...
user = OIDCUser.parse_obj(decoded_token)
...

We did not add all these attributes as they were not in our initial scope. We also are a bit short on time to add all of these ourselves, but we're happy to see a pull request for it 😊

As for the second question; I'm not sure what you mean by "adding more scopes". Could you please elaborate on that?

@yannicschroeer yannicschroeer added documentation Improvements or additions to documentation enhancement New feature or request labels Mar 14, 2022
@afraazali
Author

Thank you @yannicschroeer. As for my second question, in Keycloak there are multiple optional client scopes. For example:

address
microprofile-jwt
offline_access
phone

When using idp.add_swagger_config I was wondering if it would be possible to request one or more of the optional scopes?

@yannicschroeer
Collaborator

yannicschroeer commented Mar 15, 2022

I'm still not sure I get your question. The add_swagger_config method only configures the swagger UI to prefill the client-id and client-secret to allow the usage of the API with valid credentials without exposing the client details. Where and why would you like to use scopes in this scenario?

@afraazali
Author

Apologies, the actual method has nothing to do with scopes, I’m more wondering how I can request additional scopes. Like this: https://fastapi.tiangolo.com/advanced/security/oauth2-scopes/?h=scope

@yannicschroeer
Collaborator

yannicschroeer commented Mar 15, 2022

Scopes are a concept that is not explicitly bound to our package. Scopes are an authorization concept, and we mainly focus on authentication in this package. You usually request the scopes when logging in as a user. This is dependent on two factors:

  • The user has this scope
  • The client is allowed to issue this scope

I think what you're actually looking for is an authorization middleware. You might want to check out https://fastapi-auth-middleware.code-specialist.com/. We recently created this package and its main focus is to deliver plug-and-play authentication and authorization, including scope management (either provided by the IDP solution or the app itself). It works perfectly with fastapi-keycloak, but we did not finish an example yet.

I hope I got your question right this time.
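The two answers above describe two separate steps: the library parses every claim of an already-verified token into the user model (so adding a "groups" field is enough to surface group membership), and deciding what a caller may do with those scopes or groups is an authorization check layered on top. The following is an added example, not code from the fastapi-keycloak project or from either participant. It uses a stdlib dataclass in place of the project's pydantic model so it runs without dependencies, builds a constructed, unsigned sample token (the claim values, the user id and the group names are made up), and shows the "groups"/"scope" claims being mapped into the user object and then checked. Signature verification is deliberately out of scope here, exactly as it is for OIDCUser.parse_obj in the library: the claims must only be trusted after the token has been verified.

```python
import base64
import json
from dataclasses import dataclass, field
from typing import List, Optional


def _b64url_encode(data: bytes) -> str:
    # JWT segments use base64url without '=' padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # Restore the padding the token stripped before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


# Constructed sample claims shaped like a Keycloak access token whose "profile"
# client scope carries a group-membership mapper. All values are made up.
SAMPLE_CLAIMS = {
    "sub": "3f1c0a2e-0000-4000-8000-000000000001",
    "iat": 1646300000,
    "exp": 1646300300,
    "scope": "openid profile email",
    "email_verified": True,
    "email": "alice@example.com",
    "realm_access": {"roles": ["offline_access", "uma_authorization"]},
    "groups": ["/developers", "/developers/backend"],
}


def make_unsigned_sample_token(claims: dict) -> str:
    # header.payload.<placeholder>: the third segment is NOT a real signature,
    # so this token would be rejected by any verifying library (as it should).
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.placeholder-signature"


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT.

    This only splits and base64url-decodes the token; it does not verify the
    signature. Only call it on a token that has already been verified, which
    is what fastapi-keycloak does before OIDCUser.parse_obj sees the claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three dot-separated parts")
    return json.loads(_b64url_decode(parts[1]))


@dataclass
class OIDCUser:
    # Stand-in for the project's pydantic model; same field names as the issue.
    sub: str
    iat: int
    exp: int
    scope: Optional[str] = None
    email_verified: bool = False
    email: Optional[str] = None
    realm_access: Optional[dict] = None
    groups: List[str] = field(default_factory=list)  # the new attribute

    @classmethod
    def from_claims(cls, claims: dict) -> "OIDCUser":
        # Mirrors OIDCUser.parse_obj: declared fields are filled from the
        # matching claims, claims the model does not declare are ignored.
        known = set(cls.__dataclass_fields__)
        return cls(**{k: v for k, v in claims.items() if k in known})

    def scopes(self) -> List[str]:
        # "scope" is a space-separated string in OAuth 2.0 / OIDC tokens.
        return self.scope.split() if self.scope else []

    def has_scope(self, required: str) -> bool:
        return required in self.scopes()

    def in_group(self, group: str) -> bool:
        # Keycloak's group mapper emits full paths ("/developers/backend") by
        # default; compare whole paths rather than substrings so "/dev" does
        # not accidentally match "/developers".
        return group in self.groups


if __name__ == "__main__":
    user = OIDCUser.from_claims(decode_claims(make_unsigned_sample_token(SAMPLE_CLAIMS)))
    print(user.groups, user.has_scope("profile"), user.in_group("/developers/backend"))
```

In a FastAPI route the `has_scope` / `in_group` checks are where a 403 decision would be made; they are the authorization step the second answer says lives outside this library, while everything up to `from_claims` is the parsing step the first answer describes.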

@afraazali
Author

Thank you @yannicschroeer. This is exactly what I was looking for.
