
[Question] How to actually authenticate user #41

Closed
dignifi-richard opened this issue Dec 22, 2021 · 3 comments
Labels
question Further information is requested

Comments

@dignifi-richard

This library was easy to set up and works great when I access the /docs link and manually click authenticate. However, I'm using FastAPI as a full web app framework with jinja2 templating pages - not just api calls. Can I use this library for authentication? The security is working because after implementation, my pages are inaccessible and I get "not authenticated" message. However, how do I actually route a user to the microsoft login page to authenticate and then bring them back to the page I want? Have any examples of this?

@dignifi-richard dignifi-richard added the question Further information is requested label Dec 22, 2021
@JonasKs
Member

JonasKs commented Dec 22, 2021

Hi!

I'm writing this on my phone, so let me know if anything is unclear and I'll write it a bit more extensive when I'm at a PC.

> This library was easy to set up and works great when I access the /docs link and manually click authenticate.

Glad to hear you find it easy to set up and you got it working!

> However, I'm using FastAPI as a full web app framework with jinja2 templating pages - not just api calls. Can I use this library for authentication?

What I write below is better explained here.

It will depend on your solution, but most likely not. This package only implements token authentication through so-called Bearer tokens. That means that on every request the token must be present in the header.

This works well for Single-Page applications (SPA), where the frontend is separated from the backend and dynamic content is rendered through JavaScript. Retrieving the token is done solely by the frontend (using a flow known as the PKCE flow). The frontend then attaches the token in the header on every API request sent to the backend. The backend does not care how the user retrieves the token, it only validates it.

In most MVC/full web applications the backend renders HTML content based on variables (such as in Jinja2, where you'd write {{ user.email }} to render a user's email). In these applications the backend is typically involved in authenticating the user, mostly using the Authorization code flow (without PKCE).

When the user is authenticated and the access token is retrieved (by the backend), the state will be kept by using sessions. The access token is no longer used (until the session expires or the user logs out and wants to log in again). This package does not support that flow, nor does it use sessions.

The only real way to use this package for you is to:

  1. Create a route which does not depend on azure_scheme
  2. On this route, implement a way for the user to retrieve the token using PKCE auth flow (same flow used in the OpenAPI documentation site. I've written a blog post about how it works here.)
  3. Store the token in your front end, just like you would in a SPA
  4. On every request, you send the token in the header, and the backend will validate the token and return HTML.

I have not attempted this myself.

There is another package called fastapi-aad-auth which I have not looked at from a security perspective and cannot vouch for (seems pretty untested🙁), but it does implement session auth.

Lastly, I just want to be clear and say that I will not implement the Authorization Code Flow and sessions for MVC applications.

I'm going to close this issue, but please feel free to ask more questions. I'll still be notified 😊

@JonasKs JonasKs closed this as completed Dec 22, 2021
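The two mechanisms the four steps above rest on, as an added example in plain Python (standard library only). This is not code from fastapi-azure-auth or from either commenter; the function names are the editor's own and the token value in `demo_flow()` is constructed. It shows the PKCE verifier/challenge pair the frontend generates (RFC 7636, S256), the check the authorization server performs at the token endpoint before it will exchange the authorization code, and the strict extraction of a Bearer token from the Authorization header that the backend performs on every request (RFC 6750). It deliberately stops before validating the token itself (signature, issuer, audience, expiry), which is the library's job. One caveat on the "without PKCE" remark above: current OAuth 2.0 security guidance (RFC 9700) recommends PKCE for confidential clients as well, not only for public ones.

```python
"""PKCE (RFC 7636) and Bearer-header (RFC 6750) helpers, standard library only.

Added illustration for the bearer-token workflow described above; this is
not code from fastapi-azure-auth or from either commenter. Names are the
editor's own. The token value used in demo_flow() is constructed.
"""
import base64
import hashlib
import re
import secrets
from typing import Mapping, Optional


def _b64url(data: bytes) -> str:
    # RFC 7636 mandates base64url *without* padding for verifier and challenge.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(nbytes: int = 32) -> str:
    """Frontend step: a fresh, high-entropy verifier kept secret in the client.

    32..96 random bytes encode to the 43..128 unreserved characters RFC 7636
    requires. Generated per authorization request, never reused.
    """
    if not 32 <= nbytes <= 96:
        raise ValueError("nbytes must be in 32..96 to satisfy the 43..128 char rule")
    return _b64url(secrets.token_bytes(nbytes))


def make_code_challenge(verifier: str) -> str:
    """Frontend step: S256 challenge sent in the authorization request.

    Only the hash leaves the client; an attacker who intercepts the
    authorization code on the redirect cannot redeem it without the verifier.
    """
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


_VERIFIER_RE = re.compile(r"^[A-Za-z0-9\-._~]{43,128}$")


def verify_pkce(stored_challenge: str, presented_verifier: str,
                method: str = "S256") -> bool:
    """Authorization-server step at the token endpoint.

    The server recomputes the challenge from the verifier presented with the
    code and compares it to the one bound to that code at issuance. 'plain'
    is refused here: it offers no protection against code interception.
    """
    if method != "S256" or not _VERIFIER_RE.match(presented_verifier):
        return False
    recomputed = make_code_challenge(presented_verifier)
    return secrets.compare_digest(recomputed, stored_challenge)


# RFC 6750 b64token syntax; the scheme name is case-insensitive (RFC 7235).
_BEARER_RE = re.compile(r"^Bearer[ \t]+([A-Za-z0-9\-._~+/]+=*)$", re.IGNORECASE)


def extract_bearer_token(headers: Mapping[str, str]) -> Optional[str]:
    """Backend step on every request: pull the token out of Authorization.

    Returns None for a missing, non-Bearer or malformed header, which is
    where a 'not authenticated' response comes from. Cryptographic validation
    of the token (signature, issuer, audience, expiry) is a separate step.
    """
    value = None
    for name, header_value in headers.items():
        if name.lower() == "authorization":  # header names are case-insensitive
            value = header_value
            break
    if value is None:
        return None
    match = _BEARER_RE.match(value.strip())
    return match.group(1) if match else None


def demo_flow() -> dict:
    """Tie the steps together; returns values rather than printing them."""
    verifier = make_code_verifier()            # stays in the browser
    challenge = make_code_challenge(verifier)  # goes to the authorize endpoint
    # The authorization server stores `challenge` next to the code it issues,
    # then checks the verifier the client sends back together with that code.
    legit = verify_pkce(challenge, verifier)
    stolen_code_replay = verify_pkce(challenge, make_code_verifier())
    # Constructed, syntactically plausible token; a real one is an Entra ID JWT.
    request_headers = {"Authorization": "Bearer eyJhbGciOiJSUzI1NiJ9.constructed.sig"}
    return {
        "legit": legit,
        "replay_with_wrong_verifier": stolen_code_replay,
        "token": extract_bearer_token(request_headers),
        "missing_header": extract_bearer_token({}),
    }
```

The header parser is intentionally strict: a `Basic` header, a bare `Bearer` with no token, or a token containing characters outside the b64token alphabet all yield `None` rather than a partial match, so the caller has a single place to turn that into a 401. The PKCE check uses a constant-time comparison and refuses the `plain` method, which is the behaviour a practitioner should expect from any authorization server they trust with this flow.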
@dignifi-richard
Author

Wow, thank you so much for that incredibly detailed and HELPFUL answer! I will take a look at the two links and the library you mention. I will absolutely keep using this package for api-only apps but I went ahead and dug into the msal library for microsoft authentication on the mvc apps. Again, thank you very much.

@JonasKs
Member

JonasKs commented Dec 22, 2021

You're welcome! Let me know if you haven't found a solution that works for you by New Years and I'll give it a go. 😊
