Comments (3)
Hi!
I'm writing this on my phone, so let me know if anything is unclear and I'll write it a bit more extensively when I'm at a PC.
This library was easy to set up and works great when I access the /docs link and manually click authenticate.
Glad to hear you find it easy to set up and you got it working!
However, I'm using FastAPI as a full web app framework with jinja2 templating pages - not just api calls. Can I use this library for authentication?
What I write below is better explained here.
It will depend on your solution, but most likely not. This package only implements token authentication through so-called Bearer tokens. That means, on every request the token must be present in the header.
This works well for Single-Page applications (SPA), where the frontend is separated from the backend and dynamic content is rendered through JavaScript. Retrieval of the token is done solely by the frontend (using a flow known as the PKCE flow). The frontend then attaches the token in the header on every API request sent to the backend. The backend does not care how the user retrieves the token, it only validates it.
In most MVC/full web applications the backend renders HTML content based on variables (such as in Jinja2, where you'd write {{ user.email }} to render a user's email). In these applications the backend is typically involved in authenticating the user, mostly using the Authorization code flow (without PKCE).
When the user is authenticated and the access token is retrieved (by the backend), the state will be kept by using sessions. The access token is no longer used (until the session expires or the user logs out and wants to log in again). This package does not support that flow, nor does it use sessions.
The only real way to use this package for you is to:
- Create a route which does not depend on azure_scheme
- On this route, implement a way for the user to retrieve the token using PKCE auth flow (same flow used in the OpenAPI documentation site. I've written a blog post about how it works here.)
- Store the token in your front end, just like you would in a SPA
- On every request, you send the token in the header, and the backend will validate the token and return the HTML.
I have not attempted this myself.
There is another package called fastapi-aad-auth which I have not looked at from a security perspective and cannot vouch for (seems pretty untested), but it does implement session auth.
Lastly, I just want to be clear and say that I will not implement the Authorization Code Flow and sessions for MVC applications.
I'm going to close this issue, but please feel free to ask more questions. I'll still be notified.
from fastapi-azure-auth.
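To show what "the backend only validates the token" means in practice, here is an added, self-contained illustration (not code from fastapi-azure-auth or from this thread): it extracts the Bearer credential from one request and checks signature, issuer, audience and validity window, with no session involved. It uses an HS256 stand-in signature so it runs offline (Azure AD actually signs with RS256 against keys published in its OpenID discovery document), and the key, issuer and audience values are constructed placeholders.

```python
import base64, hashlib, hmac, json, time

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims: dict, key: bytes) -> str:
    """Constructed HS256 token; stands in for the RS256 access token Azure AD issues."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def extract_bearer(headers: dict):
    """RFC 6750 'Authorization: Bearer <token>'; None if absent or another scheme (e.g. only a cookie)."""
    scheme, _, token = (headers.get("authorization") or headers.get("Authorization") or "").strip().partition(" ")
    return token.strip() if scheme.lower() == "bearer" and token.strip() else None

def validate_request(headers: dict, key: bytes, issuer: str, audience: str,
                     now=None, leeway: int = 0) -> dict:
    """Verify the bearer token carried by one request and return its claims.
    How the frontend obtained the token is irrelevant here; every call is checked anew."""
    token = extract_bearer(headers)
    if token is None:
        raise ValueError("missing bearer token")
    try:
        h, b, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        claims = json.loads(_b64url_decode(b))
        sig = _b64url_decode(s)
    except ValueError as exc:  # covers unpacking, base64 and JSON errors
        raise ValueError("malformed token") from exc
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the token's own choice
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if claims.get("exp", 0) + leeway < now or claims.get("nbf", 0) - leeway > now:
        raise ValueError("token outside its validity window")
    return claims
```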
Wow, thank you so much for that incredibly detailed and HELPFUL answer! I will take a look at the two links and the library you mention. I will absolutely keep using this package for api-only apps but I went ahead and dug into the msal library for microsoft authentication on the mvc apps. Again, thank you very much.
You're welcome! Let me know if you haven't found a solution that works for you by New Years and I'll give it a go.