OpenIDConnect returns 'Bearer ' in the JWT string

[MaelAbgrall]

First Check

• I added a very descriptive title to this issue.
• I used the GitHub search to find a similar issue and didn't find it.
• I searched the FastAPI documentation, with the integrated search.
• I already searched in Google "How to X in FastAPI" and didn't find any information.
• I already read and followed all the tutorial in the docs and didn't find an answer.
• I already checked if it is not related to FastAPI but to Pydantic.
• I already checked if it is not related to FastAPI but to Swagger UI.
• I already checked if it is not related to FastAPI but to ReDoc.

Commit to Help

• I commit to help with one of those options 👆

Example Code

from fastapi.security.open_id_connect_url import OpenIdConnect
from fastapi.security import OAuth2PasswordBearer

SSO_ISSUER = config("SSO_ISSUER", cast=str)  # ex: myorg.okta.com

fastapi_oauth2 = OpenIdConnect(
  openIdConnectUrl="https://" + SSO_ISSUER +"/.well-known/openid-configuration"
)

@router.get("/withoidc", name="get-protected1")
async def withoidc(token=Depends(fastapi_oauth2)):
  print(token)
  # this will print "Bearer abcdefg..."
  # fixed by doing this
  token = token[7:]


oauth2_scheme = OAuth2PasswordBearer(tokenUrl=f"{API_PREFIX}/users/login/token")

@router.get("/withoauth2", name="get-protected2)
async def withoauth2(token=Depends(oauth2_scheme)):
  print(token)
  # this will print directly the token "abcdefg..."

Description

Hello,

I'm currently having a hard time migrating to an external identity manager using OIDC.

It took me a while to realize that one of the issue was simply from consistency:
When using the scheme in the doc (Oauth2) the jwt is "clean" aka only the jwt is in the string, and nothing else.
While using the OpenIdConnect equivalent (source of my code is here, which was a way to implement OIDC mentioned in #1837 will return 'Bearer[space]' with the jwt token. This is easily fixed by removing the seven first characters, but I would have never guessed until I actually verified what was in the token variable.

Now is this the correct way to retrieve the token and feed it to a verifier, or is this an issue of consistency in the framework?

thanks

Operating System

Linux

Operating System Details

No response

FastAPI Version

0.70.0

Python Version

3.8.9

Additional Context

No response

[DustinMoriarty]

I have been wondering about these auth classes in general. If you look at the OpenIdConnect class, it seems to do two totally unrelated things. In the __init__, it sets some config information about OIDC. In the __call__ all it does is grab the auth header without any use of the class attributes. Consequently, it does not actually add any value that I can see related to OIDC. None of this seems to have much to do with the way the other SecurityBase implementations work. I am unsure why they all share a parent class at all. The security module in general and especially the OpenIdConnect class looks to me like maybe a partially completed implementation of a bigger idea.

As a result, I am working on my own OIDC implementation for my use cases. I see that someone has attempted an external library (https://github.com/HarryMWinters/fastapi-oidc). However, it just builds on top of the existing FastAPI security library rather than considering replacing the parts which don't make sense.

I wonder if there is a vision with these auth classes that I am missing or if there would be interest in an overhaul of some of the security implementations. The security module in FastAPI seems strikingly out of place next to the rest of FastAPI, which is one of the best designed python libraries around. I would be happy to help out if any of the maintainers are interested. I hate to be developing a solution for something as reusable and standardized as OIDC for my own use cases only. However, there is a good chance that maybe I am just missing the intended use of these classes and the actual gap is in documentation. Do any of the maintainers have any thoughts?