This issue was moved to a discussion.
You can continue the conversation there. Go to discussion →
Tutorial on Authorization Code Grant Flow #335
Comments
Agreed. I'd like to see evidence of support for the Authorization Code grant, as well as PKCE, for the many parties interested in building mobile clients |
I am presently struggling to implement Authorization Code flow. What has me scratching my head is: what magic is taking care of swapping the authorization code for a token? Using the FastAPI models, there doesn't seem to be a way to specify the redirect URL that the access code is POSTed to after successful authentication. As it stands, it seems like the Authorization Code flow isn't actually fully implemented in FastAPI - am I missing something? |
It is not implemented. I imagine it isn't because it would be a hassle to implement the tests and mocks for it to all work. The documentation for the password flow isn't far off though. Reading the documentation (maybe in dependencies) it states that security can be easily expanded with "depends" and additional libraries added. Also, OpenAPI specification does not implement the redirect_uri with authorization code flow as it is intended to document the endpoint. OAI/OpenAPI-Specification#1285 I completed an authorization code prototype using authlib for OAuth2 functionality and pyjwt for the token validation. I plan on refactoring the pyjwt component using authlib's native jose library and then doing a write up on it soon. This is the model for the authorization flow I created (pardon any cruft):
|
(Disclaimer: I've been scratching my head trying to figure out how SwaggerUI fits in the OAuth puzzle for a few days now and am only just starting to understand OAuth, so I could be wrong on most of this) One thing that should be mentioned when that section of the tutorial is written is that the way OpenAPI understands the OAuth flows means that the server whose API is being described is always considered (in OAuth parlance) as the "Resource Server", not the "Client". This means that a FastAPI application written to connect to some Google service to, say, perform image processing on the user's Google Photo collection shouldn't be using Before moving on to other authentication flows, the tutorial should then make it clear that |
@sm-Fifteen There are two separate components in this context: a client and resource server. (SwaggerUI in your browser is a client) This The reason I explain the above is that you are potentially conflating the two in your example and it will help you clarify your request - which isn't wrong. Your example of a FastAPI connecting to a Google service protected with OAuth would require a client. This client would require scopes to access that service. This is technically outside the feature set of what FastAPI provides. Now, if you were using Google to protect your service built using FastAPI this resource protector would be useful. Hope this helps. |
Is it possible to have a custom callback/redirect_url using My use case: I have a logged in user already. Now this user needs to authenticate a third-party service using OAuth2 PKCE (Code flow). The server needs to combine the logged in user with the third-party credentials. I've implemented this by creating my own This solution works but I'd prefer using |
@mr-bjerre OIDC does that specifically. This implementation is more for instances that would sit behind an API gateway or authentication proxy. |
@kuwv I see. I'm a rookie in these flows unfortunately. Do any examples of OpenID Connect for FastAPI exist? I can't seem to find sufficient guidelines for myself. Looking at If I make the following scheme openid_connect_scheme = OpenIdConnect(openIdConnectUrl="login") and add |
@mr-bjerre FastAPI uses the OpenAPI spec which is also used for SSO capabilities. https://swagger.io/docs/specification/authentication/openid-connect-discovery/ |
what kind of response should |
@wotori There are authorization tests written. You could do a quick search for The |
I am also curious to learn how to use authorization code flow with FastAPI. I have only started testing this today, however I have noticed all of the examples are based upon credentials flow. I am building a web app using FastAPI to handle requests from multiple users. The web app needs to authenticate with a third-party API. I realize that I do not necessarily need FastAPI since this is more of a "client" application. However, I was interested in using FastAPI & uvicorn so I could take advantage of using concurrent calls. I hope that in the future, there will be more support for authenticating with Authorization Code flow. |
In the password flow, the resource (the user's info, like avatar, name etc.) lives on the same server you send your password to, so the server could get you your info right away.

```python
from fastapi import Depends, FastAPI
from fastapi.security import OAuth2AuthorizationCodeBearer
import requests

app = FastAPI()

# Declares the code flow for the OpenAPI docs; at request time this scheme
# only extracts the Bearer token from the Authorization header.
oauth2_google = OAuth2AuthorizationCodeBearer(
    authorizationUrl="https://accounts.google.com/o/oauth2/v2/auth",
    tokenUrl="https://accounts.google.com/o/oauth2/v2/token"
)


@app.get("/users/my_profile")
def get_my_google_profile(token: str = Depends(oauth2_google)):
    # I have no idea where to get user profile on google or what the parameters are. It is vendor specific.
    # Check their doc.
    with requests.get("https://google's profile getting api", params={"access_token": token}) as response:
        return response.json()
```
|
Everywhere you stated |
yeah, these two just usually live together and I got them confused. I'll edit the post for accuracy. |
@ithilelda Thank you for the example! So if the user has the required header/cookie, they're simply redirected to some other resource, like Thanks in advance! |
I had a similar issue where OAuth2 redirection was failing because the default redirect URL is set to /oauth2-redirect.html. I found a way around it by adding redirect_uri in the authorization URL |
Hi, Thanks |
The example provided in the docs, regarding OAuth2, is based on the password flow. However, that flow is only intended for first-party apps, since it requests the user's password and must not be allowed for third-party apps to use (https://oauth.net/2/grant-types/password/). I was planning to build a complete OAuth2 server and expose it publicly, in order to allow any authorized third-party app to act on behalf of a user (if he consents by providing his credentials at my own URL and allowing the required scopes). I read the following comment on https://fastapi.tiangolo.com/tutorial/security/oauth2-scopes/ :
"But if you are building an OAuth2 application that others would connect to (i.e., if you are building an authentication provider equivalent to Facebook, Google, GitHub, etc.) you should use one of the other flows.
The most common is the implicit flow.
The most secure is the code flow, but is more complex to implement as it requires more steps. As it is more complex, many providers end up suggesting the implicit flow."
Nevertheless, the implicit flow is insecure and not recommended anymore:
"The implicit grant (response type "token") and other response types causing the authorization server to issue access tokens in the authorization response are vulnerable to access token leakage and access token replay as described in Section 4.1, Section 4.2, Section 4.3, and Section 4.6."
Source: https://tools.ietf.org/html/draft-ietf-oauth-security-topics-12
I suggest a minimal example using the "Authorization Code Grant" flow, since it is more secure and robust.
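The code flow with PKCE that this issue and the comments above ask for, shown as an added example that is not part of the thread or of FastAPI: the client-side preparation (verifier, S256 challenge, state, authorization URL) and the two checks that make the flow safe, the authorization server's PKCE verification at the token endpoint and the client's state check at the callback. The endpoint, client_id and redirect URI values are hypothetical placeholders passed in by the caller.

```python
# Added example (not from the thread or FastAPI): client-side preparation and
# authorization-server checks of an Authorization Code + PKCE (S256) exchange
# per RFC 7636, standard library only. Endpoint/client/redirect values are
# hypothetical placeholders supplied by the caller.
import base64
import hashlib
import hmac
import secrets
from urllib.parse import urlencode

def b64url(raw: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def make_verifier() -> str:
    """Client: high-entropy code_verifier (43 chars; RFC allows 43..128)."""
    return b64url(secrets.token_bytes(32))

def make_challenge(verifier: str) -> str:
    """S256: base64url(SHA-256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())

def build_authorization_url(auth_endpoint: str, client_id: str, redirect_uri: str,
                            scope: str, state: str, challenge: str) -> str:
    """Client: redirect the browser here; keep verifier and state in the
    user's session until the callback comes back."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,  # binds the callback to this session
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{auth_endpoint}?{urlencode(params)}"

def verify_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    """Authorization server, token endpoint: the code was issued against
    stored_challenge; exchange it only if the presented verifier hashes to it."""
    if not 43 <= len(presented_verifier) <= 128:
        return False
    return hmac.compare_digest(make_challenge(presented_verifier), stored_challenge)

def callback_state_ok(expected_state: str, returned_state: str) -> bool:
    """Client, at redirect_uri: drop callbacks whose state was not issued
    for this session (forged or replayed redirect)."""
    return hmac.compare_digest(expected_state, returned_state)
```

The verifier/challenge pair in the test is the worked vector from RFC 7636 Appendix B, so the S256 derivation can be checked against the spec.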