Comments (6)
Thanks again for your kind reply :)
from fastapi-azure-auth.
After authenticating the user for the first time, it won't connect to Azure AD to authenticate user for the next 24 hours
Correct.
It will keep the public key in user's machine for 24 hours and then refresh it with a new one.
Correct, if by the user's machine you mean the machine where the backend API is hosted.
During the next 24 hours, while calling the APIs, no request would be sent to Azure AD
Correct.
😊
from fastapi-azure-auth.
Hi!
- The public key(s) can be found at the URL given in the response under the jwks key. See line 86.
- Expiry is checked using the python-jose library. It is configured to fail for expired tokens. The behavior is also tested here. You either have disabled auth (misconfiguration), or your token is actually not expired.
- No, the backend only cares about access tokens. Refreshing etc. should be done by the client.
from fastapi-azure-auth.
Hi!
Thank you for the feature request. However, I think there are some misconceptions on how this works, so I'll try to explain it:
- When the app starts, you load the configuration from e.g. https://login.microsoftonline.com/{tenant_id}/v2.0/.well-known/openid-configuration.
- This configuration is refreshed every 24 hours
The configuration essentially is public keys from Azure. The JWT tokens are signed, and we can verify the JWT by using these public keys.
So, when a user does an API call to the backend, Azure is no longer involved. We only use the keys we have, and verify the JWT. In other words:
- User does a request to backend
- Backend uses the public key which is already fetched from Azure (and cached for 24 hours)
- Backend validates JWT and decodes it, but does not talk to Azure or any other system
So to give a TL;DR:
- We do not need to cache already authorized requests, as that would create more overhead. The decoding of the token is very quick, and requires no interaction with other systems.
Closing the issue, but please do not hesitate to comment or ask questions if something was unclear. 😊
from fastapi-azure-auth.
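The flow JonasKs describes in this comment (load the provider's public keys once, cache them for 24 hours, verify every token locally) and in his answers to the three questions above (the keys live under the jwks key, and an expired token is rejected) can be shown end to end in a small stand-alone script. This is an added example, not fastapi-azure-auth's code and not python-jose: it uses only the Python standard library, so the RS256 primitive and the key generation are toy-quality stand-ins that exist only to let the demo run offline, and the FakeAzureAD class, the tenant id, the kid and the audience are constructed. The real library fetches the openid-configuration document and its jwks_uri over HTTP; here the provider object is called directly and counts how often its JWKS is read.

```python
import base64, hashlib, hmac, json, secrets

def _demo_prime(bits):  # Fermat test with fixed bases: fine for a throwaway demo key, not for real key generation
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # odd, exactly `bits` long
        if all(pow(a, c - 1, c) == 1 for a in (2, 3, 5, 7, 11, 13)):
            return c

def make_rsa_key(bits=1024):  # constructed demo key; 1024 bits is NOT a production size
    e = 65537
    while True:
        p, q = _demo_prime(bits // 2), _demo_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this guarantees gcd(e, phi) == 1
            return {"n": p * q, "e": e, "d": pow(e, -1, phi)}

# RS256 = RSASSA-PKCS1-v1_5 with SHA-256; this is the DER DigestInfo prefix for SHA-256.
_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")
def _pkcs1_encode(msg, k):  # EMSA-PKCS1-v1_5: 00 01 FF..FF 00 DigestInfo||hash, k bytes long
    t = _DIGESTINFO + hashlib.sha256(msg).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rs256_sign(msg, key):
    k = (key["n"].bit_length() + 7) // 8
    return pow(int.from_bytes(_pkcs1_encode(msg, k), "big"), key["d"], key["n"]).to_bytes(k, "big")

def rs256_verify(msg, sig, n, e):
    k = (n.bit_length() + 7) // 8
    if len(sig) != k: return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, _pkcs1_encode(msg, k))

def b64u(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
def b64u_dec(s): return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
def int_b64u(i): return b64u(i.to_bytes((i.bit_length() + 7) // 8, "big"))

class FakeAzureAD:  # stand-in for login.microsoftonline.com; counts JWKS fetches
    def __init__(self, tenant_id):
        self.issuer = f"https://login.microsoftonline.com/{tenant_id}/v2.0"
        self.key, self.kid, self.jwks_requests = make_rsa_key(), "demo-kid-1", 0  # constructed kid
    def jwks(self):  # what the real provider serves at the jwks_uri named in its openid-configuration
        self.jwks_requests += 1
        return {"keys": [{"kty": "RSA", "use": "sig", "kid": self.kid,
                          "n": int_b64u(self.key["n"]), "e": int_b64u(self.key["e"])}]}
    def issue_token(self, audience, now, lifetime=3600):
        header = {"alg": "RS256", "typ": "JWT", "kid": self.kid}
        claims = {"iss": self.issuer, "aud": audience, "sub": "user-1", "iat": now, "exp": now + lifetime}
        signing_input = b64u(json.dumps(header).encode()) + "." + b64u(json.dumps(claims).encode())
        return signing_input + "." + b64u(rs256_sign(signing_input.encode(), self.key))

class TokenVerifier:  # backend side: fetch keys once, keep them 24h, verify every token locally
    REFRESH_SECONDS = 24 * 3600
    def __init__(self, idp, audience):
        self.idp, self.audience, self._keys, self._loaded_at = idp, audience, {}, None
    def _load_config(self, now):  # the only point at which the provider is contacted
        self.issuer = self.idp.issuer
        self._keys = {k["kid"]: (int.from_bytes(b64u_dec(k["n"]), "big"), int.from_bytes(b64u_dec(k["e"]), "big"))
                      for k in self.idp.jwks()["keys"] if k.get("kty") == "RSA"}
        self._loaded_at = now
    def verify(self, token, now):
        if self._loaded_at is None or now - self._loaded_at >= self.REFRESH_SECONDS:
            self._load_config(now)
        h_b64, c_b64, s_b64 = token.split(".")
        header = json.loads(b64u_dec(h_b64))
        if header.get("alg") != "RS256":
            raise ValueError("unexpected alg")  # the token must never pick the algorithm
        key = self._keys.get(header.get("kid"))
        if key is None:
            raise ValueError("unknown kid")
        if not rs256_verify(f"{h_b64}.{c_b64}".encode(), b64u_dec(s_b64), *key):
            raise ValueError("bad signature")
        claims = json.loads(b64u_dec(c_b64))
        if claims.get("iss") != self.issuer or claims.get("aud") != self.audience:
            raise ValueError("wrong issuer or audience")
        if now >= claims.get("exp", 0):
            raise ValueError("token expired")
        return claims

def rejection_reason(backend, token, now):  # None if the token is accepted
    try:
        backend.verify(token, now)
    except ValueError as exc:
        return str(exc)

def demo():
    idp = FakeAzureAD("11111111-2222-3333-4444-555555555555")  # constructed tenant id
    backend = TokenVerifier(idp, audience="api://demo-api")     # constructed audience
    t0 = 1_700_000_000
    token = idp.issue_token("api://demo-api", now=t0)
    for i in range(100):  # 100 API calls inside the first hour: keys fetched once, then reused
        backend.verify(token, now=t0 + i)
    out = {"jwks_fetches_first_hour": idp.jwks_requests}
    out["expired"] = rejection_reason(backend, token, t0 + 3601)  # one second past exp
    h, c, s = token.split(".")
    claims = {**json.loads(b64u_dec(c)), "sub": "someone-else"}  # edited payload, old signature kept
    out["tampered"] = rejection_reason(backend, f"{h}.{b64u(json.dumps(claims).encode())}.{s}", t0 + 10)
    later = t0 + 25 * 3600  # past the 24h window: one refresh, then local verification again
    backend.verify(idp.issue_token("api://demo-api", now=later), now=later)
    out["jwks_fetches_after_25h"] = idp.jwks_requests
    return out
```

Running demo() shows one JWKS fetch covering a hundred requests, a second fetch only after the 24-hour window has passed, the expired token rejected on the exp claim alone, and a token whose payload was edited rejected on the signature, which is why nothing about a request has to be cached and why an expired token being accepted points at disabled auth or a token that is not actually expired.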
Thank you for the explanation. So for my better understanding:
- After authenticating the user for the first time, it won't connect to Azure AD to authenticate user for the next 24 hours
- It will keep the public key in user's machine for 24 hours and then refresh it with a new one.
- During the next 24 hours, while calling the APIs, no request would be sent to Azure AD
Are those correct?
from fastapi-azure-auth.
Hi @JonasKs I have a few more questions about this and I'd be thankful if you could take the time to answer them:
- I debugged this line, but couldn't find where the public key is in that JSON. So how can I check it?
- How does this library check the expiry date of the access token? I think JWT always checks it before decoding the token, but if I just keep the Swagger UI open and try an API (which just returns the token claims) after the expiry of the token, I can see that the expiry is in the past but the API still returns the user without throwing any error. How does that work?
- Is the refresh token also involved in the SingleTenantAzureAuthorizationCodeBearer method and if yes, where do we keep it and when will it be used?
Thank you in advance.
from fastapi-azure-auth.