Issues in documentation page "Simple OAuth2 with Password and Bearer"

[ricardo-reis-1970]

First check

• I added a very descriptive title to this issue.
• I used the GitHub search to find a similar issue and didn't find it.
• I searched the FastAPI documentation, with the integrated search.
• I already searched in Google "How to X in FastAPI" and didn't find any information.
• I already read and followed all the tutorial in the docs and didn't find an answer.
• I already checked if it is not related to FastAPI but to Pydantic.
• I already checked if it is not related to FastAPI but to Swagger UI.
• I already checked if it is not related to FastAPI but to ReDoc.
• After submitting this, I commit to one of:
  • Read open issues with questions until I find 2 issues where I can help someone and add a comment to help there.
  • I already hit the "watch" button in this repository to receive notifications and I commit to help at least 2 people that ask questions in the future.
  • Implement a Pull Request for a confirmed bug.

Description

In fastapi.security.oauth2.py, line 51 (OAuth2PasswordRequestForm class definition), it's defined scope: str = Form(""). However, Form("") is not a str. Below, in line 58 we find:

self.scopes = scope.split()

This is compatible with the type but it's incompatible with the default value, as Form has no split method.

I know I'm being just picky here, but in my efforts to understand the whole thing, I did:

from fastapi.security import OAuth2PasswordRequestForm
x = OAuth2PasswordRequestForm(username='johndoe', password='secret')

and I got:

Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
  File "C:\shared\workspaces\manager-westend\.venv\lib\site-packages\fastapi\security\oauth2.py", line 58, in __init__
    self.scopes = scope.split()
AttributeError: 'Form' object has no attribute 'split'

In order for it to run, I have to do:

from fastapi.security import OAuth2PasswordRequestForm
x = OAuth2PasswordRequestForm(username='johndoe', password='secret', scope='')

This is expected. So, the beginner's question is: should the default value of scope not be "" instead of Form("")?

Is this a pull request, or just ignorance? Should I just stop poking around with dependency classes?

Environment

• OS: Windows
• FastAPI Version: 0.66.0
• Python version: 3.9.0 (tags/v3.9.0:9cf6752, Oct 5 2020, 15:34:40) [MSC v.1927 64 bit (AMD64)] on win32

Footnote

On a somewhat related topic, it is not too clear to me why we need the get_current_user functionality. Is this just to serve the /users/me endpoint? I don't see it impacting on the login process. I can still login as alice, just not do anything in there with her inactive.

[Cosmicoppai]

OAuth specifications needs username and password as form fields(which are encoded in different format ).
Hope this will help:- https://fastapi.tiangolo.com/tutorial/request-forms/

Regarding your footnote:- Yes, the get_current_user will not impact the login process, but at any point during the session, for any process if you need the info of that user you can use that endpoint.

[ricardo-reis-1970]

Thanks @Cosmicoppai for the feedback. However, I believe you're missing the point. What I wanted to highlight was not the need for fields with the specific names username and password, but rather the default value of scope. This default value is being set to Form(""), and whatever Form("") is, it does not have a .split() method.

The result is that, if we do not explicitly provide a scope value, we will get an error. My question / suggestion was to make the default value of scope to be "", instead of Form(""). Alternatively, you could make the scope parameter mandatory, or add a .split() method somewhere.

To be honest, I chased the Form object (a function, that instantiated a class that inherited from another class...) until I got lost. All I know is that if I don't provide the scope parameter in calling OAuth2PasswordRequestForm, I get an error, as per the initial description.

[Mause]

@ricardo-reis-1970 I think you've missed the point of how fastapi works as a framework - it uses that "default" value to declare what is required to the dependency injection tooling

[Cosmicoppai]

@ricardo-reis-1970 Generally in case of OAuth we're not providing the input in a way you provided. We're expecting the data from the "Form(HTML form)". so the default Form("") make sense.

[ricardo-reis-1970]

@Cosmicoppai, thank you. I believe that's the explanation someone like me usually looks for.

[Cosmicoppai]

@Cosmicoppai, thank you. I believe that's the explanation someone like me usually looks for.

I'm glad if it helped you. Have a great day ahead.