[Authorization/Permissions]: Use scopes in both route and API endpoint level #4611

papunmohanty · 2022-02-22T19:18:47Z

papunmohanty
Feb 22, 2022

Consider a route file having following code snippets

At the top I have module level router object with permissions in scopes

router = APIRouter(
    prefix="/blog",
    tags=["Blogs"],
    dependencies=[Security(token.get_current_user, scopes=["blog:read"])]  
)

Some where down the file I have an API endpoint route

@router.get("/", response_model=List[schemas.ShowBlog])
def get_all(db: Session = Depends(get_db), current_user: User = Security(token.get_current_user, scopes=["blog:admin"])):
    ...

My question is:
How can I have/use both the scopes in module level and in route level, because there may be a specific permission I want to check for an API endpoint.

Appreciate any help/thoughts.

Answered by YuriiMotov

Jun 19, 2025

This works fine at least in current version (0.115.13).
get_current_user (and its sub-dependencies) will be called twice with different scopes.

from typing import Annotated

from fastapi import APIRouter, Depends, FastAPI, Security
from fastapi.security import OAuth2PasswordBearer, SecurityScopes
from fastapi.testclient import TestClient

oauth2_scheme = OAuth2PasswordBearer(
    tokenUrl="token",
    scopes={"blog:read": "Read information.", "blog:admin": "Full access."},
)


async def get_token_validated_parsed(
    scopes: SecurityScopes, token: Annotated[str, Depends(oauth2_scheme)]
):
    print("get_token_validated_parsed is called with scopes:", scopes.scopes)
    return token


async

View full answer

YuriiMotov · 2025-06-19T10:14:31Z

YuriiMotov
Jun 19, 2025
Collaborator

This works fine at least in current version (0.115.13).
get_current_user (and its sub-dependencies) will be called twice with different scopes.

from typing import Annotated

from fastapi import APIRouter, Depends, FastAPI, Security
from fastapi.security import OAuth2PasswordBearer, SecurityScopes
from fastapi.testclient import TestClient

oauth2_scheme = OAuth2PasswordBearer(
    tokenUrl="token",
    scopes={"blog:read": "Read information.", "blog:admin": "Full access."},
)


async def get_token_validated_parsed(
    scopes: SecurityScopes, token: Annotated[str, Depends(oauth2_scheme)]
):
    print("get_token_validated_parsed is called with scopes:", scopes.scopes)
    return token


async def get_current_user(token: str = Depends(get_token_validated_parsed)):
    return {"username": "testuser"}


router = APIRouter(
    prefix="/blog",
    tags=["Blogs"],
    dependencies=[Security(get_current_user, scopes=["blog:read"])],
)


@router.get("/")
def get_all(current_user: str = Security(get_current_user, scopes=["blog:admin"])):
    pass


app = FastAPI()
app.include_router(router)


# Test


def test_():
    log = []

    async def get_token_mock(
        scopes: SecurityScopes, token: Annotated[str, Depends(oauth2_scheme)]
    ):
        log.append(str(scopes.scopes))
        return token

    app.dependency_overrides[get_token_validated_parsed] = get_token_mock

    client = TestClient(app)
    response = client.get("/blog/", headers={"Authorization": "Bearer testtoken"})
    assert response.status_code == 200, response.text

    assert len(log) == 2
    assert "['blog:read']" in log
    assert "['blog:admin']" in log

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

[Authorization/Permissions]: Use scopes in both route and API endpoint level #4611

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 1 comment

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Uh oh!

[Authorization/Permissions]: Use scopes in both route and API endpoint level #4611

Uh oh!

Uh oh!

papunmohanty Feb 22, 2022

Replies: 1 comment

Uh oh!

YuriiMotov Jun 19, 2025 Collaborator

papunmohanty
Feb 22, 2022

YuriiMotov
Jun 19, 2025
Collaborator