DEV Community: Kip Parker The latest articles on DEV Community by Kip Parker (@kipparker). https://dev.to/kipparker https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F865725%2F91c4a55b-bfaa-43c7-88d2-709e466c773c.jpeg DEV Community: Kip Parker https://dev.to/kipparker en Simple FastAPI and Auth0 authentication Kip Parker Sat, 21 May 2022 11:21:45 +0000 https://dev.to/kipparker/simple-fastapi-and-auth0-authentication-pkd https://dev.to/kipparker/simple-fastapi-and-auth0-authentication-pkd <p>I was looking around for examples of how to do this and everything was a bit too complex or lengthy for the simple application I had in mind. This is a bare bones example you can build what you need with.</p> <p>Let start with the Auth0 part. Log in to your account, go to Applications &gt; APIs and click on Create API. Enter a name and an identifier - as they suggest, the identifier can be your project's URL but it isn't actually used. </p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--ybAGSvuK--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://github.com/kipparker/fastapi-auth0/raw/main/media/new-api.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--ybAGSvuK--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://github.com/kipparker/fastapi-auth0/raw/main/media/new-api.png" alt="Shows the Create API form from Auth0's web interface" title="Create API" width="880" height="843"></a></p> <p>Next, get the details of the API and Application that's been created. Go to Applications, open the menu next to the application you've created and open "settings". You'll need to copy all of it, the domain, client ID and client secret.</p> <p><a href="https://res.cloudinary.com/practicaldev/image/fetch/s--gvKJ_W7Y--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://github.com/kipparker/fastapi-auth0/raw/main/media/details.png" class="article-body-image-wrapper"><img src="https://res.cloudinary.com/practicaldev/image/fetch/s--gvKJ_W7Y--/c_limit%2Cf_auto%2Cfl_progressive%2Cq_auto%2Cw_880/https://github.com/kipparker/fastapi-auth0/raw/main/media/details.png" alt="Shows the window that displays Auth0 details" title="Auth0 details" width="880" height="442"></a></p> <p>Next some code. I won't go through setting up the project, check <a href="https://github.com/kipparker/fastapi-auth0">the example repo</a> if you want details. We'll need an endpoint to secure, this will do:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code> <span class="o">@</span><span class="n">app</span><span class="p">.</span><span class="n">get</span><span class="p">(</span><span class="s">"/"</span><span class="p">)</span> <span class="k">def</span> <span class="nf">get</span><span class="p">():</span> <span class="k">return</span> <span class="p">{</span><span class="s">"message"</span><span class="p">:</span> <span class="s">"This is private"</span><span class="p">}</span> </code></pre> </div> <p>Our endpoint will be secured by requiring a valid jwt token, which arrives in the request header:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="nl">"authorization"</span><span class="p">:</span><span class="w"> </span><span class="s2">"Bearer &lt;token&gt;"</span><span class="w"> </span></code></pre> </div> <p>We need two parts to add authentication - something to validate the token, and a way of injecting the authorisation code into private endpoints using FastAPI's dependencies. First of all verification:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="nn">jwt</span> <span class="k">def</span> <span class="nf">verify_token</span><span class="p">(</span><span class="n">token</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">domain</span><span class="p">:</span> <span class="nb">str</span><span class="p">,</span> <span class="n">audience</span><span class="p">:</span> <span class="nb">str</span><span class="p">)</span> <span class="o">-&gt;</span> <span class="nb">dict</span><span class="p">[</span><span class="nb">str</span><span class="p">,</span> <span class="n">Any</span><span class="p">]:</span> <span class="s">""" Use the pyjwt jwkclient to get a signing key, then decode the supplied token """</span> <span class="n">jwks_client</span> <span class="o">=</span> <span class="n">jwt</span><span class="p">.</span><span class="n">PyJWKClient</span><span class="p">(</span><span class="sa">f</span><span class="s">"https://</span><span class="si">{</span><span class="n">domain</span><span class="si">}</span><span class="s">/.well-known/jwks.json"</span><span class="p">)</span> <span class="n">signing_key</span> <span class="o">=</span> <span class="n">jwks_client</span><span class="p">.</span><span class="n">get_signing_key_from_jwt</span><span class="p">(</span><span class="n">token</span><span class="p">).</span><span class="n">key</span> <span class="k">return</span> <span class="n">jwt</span><span class="p">.</span><span class="n">decode</span><span class="p">(</span> <span class="n">token</span><span class="p">,</span> <span class="n">signing_key</span><span class="p">,</span> <span class="n">algorithms</span><span class="o">=</span><span class="p">[</span><span class="s">"RS256"</span><span class="p">],</span> <span class="n">audience</span><span class="o">=</span><span class="n">audience</span><span class="p">,</span> <span class="n">issuer</span><span class="o">=</span><span class="sa">f</span><span class="s">"https://</span><span class="si">{</span><span class="n">domain</span><span class="si">}</span><span class="s">/"</span><span class="p">,</span> <span class="p">)</span> </code></pre> </div> <p>The <code>verify_token</code> function takes the token along with the domain and audience values and decodes the token. Because we're using a third-party auth provider, we need two steps:</p> <ul> <li>Use PyJWKClient to get a signing key</li> <li>Decode the token using that signing key</li> </ul> <p>For injecting into endpoints, we can use:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="nn">fastapi.security</span> <span class="kn">import</span> <span class="n">HTTPAuthorizationCredentials</span><span class="p">,</span> <span class="n">HTTPBearer</span> <span class="kn">from</span> <span class="nn">fastapi</span> <span class="kn">import</span> <span class="n">Depends</span><span class="p">,</span> <span class="n">HTTPException</span> <span class="n">security</span> <span class="o">=</span> <span class="n">HTTPBearer</span><span class="p">()</span> <span class="k">async</span> <span class="k">def</span> <span class="nf">has_access</span><span class="p">(</span><span class="n">credentials</span><span class="p">:</span> <span class="n">HTTPAuthorizationCredentials</span> <span class="o">=</span> <span class="n">Depends</span><span class="p">(</span><span class="n">security</span><span class="p">)):</span> <span class="s">""" Function that is used to validate the token in the case that it requires it """</span> <span class="k">try</span><span class="p">:</span> <span class="n">verify_token</span><span class="p">(</span><span class="n">credentials</span><span class="p">.</span><span class="n">credentials</span><span class="p">,</span> <span class="n">AUTH0_DOMAIN</span><span class="p">,</span> <span class="n">AUTH0_AUDIENCE</span><span class="p">)</span> <span class="k">except</span> <span class="n">jwt</span><span class="p">.</span><span class="n">PyJWTError</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="k">raise</span> <span class="n">HTTPException</span><span class="p">(</span><span class="n">status_code</span><span class="o">=</span><span class="mi">401</span><span class="p">,</span> <span class="n">detail</span><span class="o">=</span><span class="nb">str</span><span class="p">(</span><span class="n">e</span><span class="p">))</span> </code></pre> </div> <p><code>Depends(security)</code> checks we have the authorization header (you'll get an Unauthorised error if it's missing) and gives us access to the token as <code>credentials.credentials</code>. Any authentication errors will be <code>PyJWTError</code> errors, so we can catch those, and return the message to the API user if the token fails.</p> <p>Now we add this to the endpoint to secure it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="nn">fastapi</span> <span class="kn">import</span> <span class="n">FastAPI</span><span class="p">,</span> <span class="n">Depends</span> <span class="kn">import</span> <span class="nn">auth</span> <span class="n">app</span> <span class="o">=</span> <span class="n">FastAPI</span><span class="p">()</span> <span class="o">@</span><span class="n">app</span><span class="p">.</span><span class="n">get</span><span class="p">(</span><span class="s">"/"</span><span class="p">,</span> <span class="n">dependencies</span><span class="o">=</span><span class="p">[</span><span class="n">Depends</span><span class="p">(</span><span class="n">auth</span><span class="p">.</span><span class="n">has_access</span><span class="p">)])</span> <span class="k">def</span> <span class="nf">get</span><span class="p">():</span> <span class="k">return</span> <span class="p">{</span><span class="s">"message"</span><span class="p">:</span> <span class="s">"This is private"</span><span class="p">}</span> </code></pre> </div> <p>How about testing the endpoint? We can use the <code>requests</code> library to get a token, and add it to our authorization header:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="nn">requests</span> <span class="n">payload</span> <span class="o">=</span> <span class="p">{</span> <span class="s">"client_id"</span><span class="p">:</span> <span class="s">"&lt;CLIENT_ID&gt;"</span><span class="p">,</span> <span class="s">"client_secret"</span><span class="p">:</span> <span class="s">"&lt;CLIENT_SECRET&gt;"</span><span class="p">,</span> <span class="s">"audience"</span><span class="p">:</span> <span class="s">"&lt;AUDIENCE&gt;"</span><span class="p">,</span> <span class="s">"grant_type"</span><span class="p">:</span> <span class="s">"client_credentials"</span><span class="p">,</span> <span class="p">}</span> <span class="n">r</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="n">post</span><span class="p">(</span><span class="s">"https://&lt;your-domain&gt;.auth0.com/oauth/token"</span><span class="p">,</span> <span class="n">json</span><span class="o">=</span><span class="n">payload</span><span class="p">)</span> <span class="c1"># Returns {'access_token': '&lt;very-long-token&gt;', 'expires_in': 86400, 'token_type': 'Bearer'} </span> <span class="n">auth_header</span> <span class="o">=</span> <span class="p">{</span><span class="s">"authorization"</span><span class="p">:</span> <span class="sa">f</span><span class="s">"Bearer </span><span class="si">{</span><span class="n">r</span><span class="p">[</span><span class="s">'access_token'</span><span class="p">]</span><span class="si">}</span><span class="s">"</span><span class="p">}</span> <span class="n">r</span> <span class="o">=</span> <span class="n">requests</span><span class="p">.</span><span class="n">get</span><span class="p">(</span><span class="s">"http://127.0.0.1:8000/"</span><span class="p">,</span> <span class="n">headers</span><span class="o">=</span><span class="n">auth_header</span><span class="p">)</span> <span class="k">print</span><span class="p">(</span><span class="n">r</span><span class="p">.</span><span class="n">json</span><span class="p">())</span> </code></pre> </div> <p>This is deliberately a bare minimum implementation. You will want to add features. More expressive error handling might be one thing.</p> <p>If you're implementing machine to machine authorisation, you'll want to include some logic to reuse tokens until they expire, Auth0 rates are based on tokens requested.</p> <p>You might want to add scope validations if you're using different permission levels, take a look here for a nudge in the right direction: <a href="https://auth0.com/docs/quickstart/backend/python/01-authorization#validate-scopes">https://auth0.com/docs/quickstart/backend/python/01-authorization#validate-scopes</a></p> <p>Have a look at the repo for the full example: <a href="https://github.com/kipparker/fastapi-auth0">https://github.com/kipparker/fastapi-auth0</a></p> <p>References:</p> <ul> <li>Auth0 Docs: Python API: Authorization <a href="https://auth0.com/docs/quickstart/backend/python/01-authorization">https://auth0.com/docs/quickstart/backend/python/01-authorization</a> </li> <li>Securing FastAPI with JWT Token-based Authentication <a href="https://testdriven.io/blog/fastapi-jwt-auth/">https://testdriven.io/blog/fastapi-jwt-auth/</a> </li> </ul> python auth0 api