Andreas Jung • info@zopyx.com • www.zopyx.com • www.andreas-jung.com
zopyx-fastapi-auth
An opinionated security solution for FastAPI
Agenda
• Introduction to FastAPI
• Quick intro to authentication and authorization
• Key concepts of fastapi-auth
• Integration and usage in FastAPI
• Pluggable user source architecture
• User management
• Demo time
• Q & A
About me
Publishing developer & consultant
since mid-90s
https://www.zopyx.com
https://andreas-jung.com
✉ info@zopyx.com
Founder of the print-css.rocks project
Independent PrintCSS consulting
- Software developer & software architect
- Requirements engineering
- Python developer & Python expert
- NGOs, EDU
- medical & pharmaceutical
- energy
- research & development quantum mechanics
- CMS Solutions
- Publishing Solutions
- Individual software solutions
Introduction to FastAPI
What is FastAPI?
FastAPI is a modern, fast (high-performance) web framework
for building APIs with Python 3, based on standard Python type
hints and the data-validation library Pydantic.
from fastapi import FastAPI

app = FastAPI()


@app.get("/")
def read_root():
    return {"Hello": "World"}


@app.get("/items/{item_id}")
def read_item(item_id: int, q: str = None):
    # item_id is validated as an int by FastAPI/Pydantic; q is optional
    return {"item_id": item_id, "q": q}


if __name__ == "__main__":
    import uvicorn

    # 0.0.0.0 binds to all interfaces; use 127.0.0.1 for local development
    uvicorn.run(app, host="0.0.0.0", port=8000)
Reasons for using FastAPI
• Use of Pydantic
FastAPI uses Pydantic for data validation and serialization, ensuring robust input and output
handling.
• Full Async Support
FastAPI supports asynchronous programming, enabling high-performance and efficient request
handling.
• Automatic OpenAPI Generation
FastAPI automatically generates OpenAPI documentation, simplifying API development and testing.
• It is Fast
FastAPI is optimized for speed, making it one of the fastest web frameworks available.
• High Adoption Rate
FastAPI’s growing popularity and community support make it a reliable choice for modern web
development.
Authentication & Authorization
What is authentication?
• Authentication verifies the identity of a user, device,
or entity.
• It uses credentials like username + password,
biometrics, or security tokens.
• It establishes who is making the request; only a verified
identity can then be granted access to sensitive information or resources.
What is authorization?
• Authorization determines what
resources a user or system can
access.
• It occurs after authentication and
enforces permissions and policies.
• This ensures users can only
perform actions they are
permitted to.
zopyx-fastapi-auth
An opinionated authentication solution for FastAPI
Why zopyx-fastapi-auth
…when there are already many other solutions!?
• Use case
Migration of a Plone-based CMS application from Plone
to FastAPI for the University of Saarbrücken.
• Problem
• None of the existing authentication frameworks for FastAPI fit our needs
• No direct translation of the security concepts of the legacy system
available for FastAPI
• Transparent authentication against three different
user sources (local, SAP, LDAP)
Concepts: Permissions
An access right that defines what actions a user or role can
perform, such as viewing, editing, or deleting resources
within an application.
Permissions are defined as code.
from fastapi_auth.permissions import Permission
VIEW_PERMISSION = Permission(name="view", description="View permission")
EDIT_PERMISSION = Permission(name="edit", description="Edit permission")
DELETE_PERMISSION = Permission(name="delete", description="Delete permission")
Concepts: Roles
A collection of permissions
wrapped together as a role.
Roles define a user’s access level
and responsibilities within an
application.
A user can have multiple roles,
each granting a different set of
permissions.
Roles are defined in code.
from fastapi_auth.permissions import Role

ADMIN_ROLE = Role(
    name="Administrator",
    description="Admin role",
    permissions=[VIEW_PERMISSION, EDIT_PERMISSION, DELETE_PERMISSION],
)
USER_ROLE = Role(
    name="User",
    description="User role",
    permissions=[VIEW_PERMISSION, EDIT_PERMISSION],
)
VIEWER_ROLE = Role(
    name="Viewer",
    description="Viewer role",
    permissions=[VIEW_PERMISSION],
)
Concepts: Roles II
Roles must be registered with the (global) roles registry.
Interim solution…likely to go away soon.
from fastapi_auth.roles import ROLES_REGISTRY
ROLES_REGISTRY.register(ADMIN_ROLE)
ROLES_REGISTRY.register(USER_ROLE)
ROLES_REGISTRY.register(VIEWER_ROLE)
Concepts: Users
A user represents the current user context accessing the system.
User types:
• Anonymous User
• Authenticated User
• (Superuser)
Users are stored in (external) user sources like a database, LDAP etc.
The User object in fastapi-auth
• The Protected() dependency is used to protect an endpoint
by permission, role or a custom checker
• Integration with FastAPI through dependency injection
• Successful authorization will return a User object
• Unsuccessful authorization ➡ HTTP 403/Forbidden
• User properties: name, description, roles, is_anonymous
@app.get("/admin")
def admin(user: User = Depends(Protected(<protection_conditions>))):
    return {"user": user}
Concepts II
• A user can have multiple roles
• A role can have multiple permissions
How to use fastapi-auth in your FastAPI app?
Endpoint protection by role(s)
# This is an endpoint that requires the user to be authenticated. In this case,
# the user must have the ADMIN_ROLE role. It is also possible to require a
# permission instead. Use the Protected dependency to require authentication.
# An unauthenticated request as ANONYMOUS_USER will be rejected.
from fastapi import Depends
from fastapi_auth.dependencies import Protected


@app.get("/admin")
def admin(user: User = Depends(Protected(required_roles=[ADMIN_ROLE]))):
    return {"user": user}
How to use fastapi-auth in your FastAPI app?
Endpoint protection by permission
from fastapi import Depends
from fastapi_auth.dependencies import Protected


@app.get("/admin2")
def admin2(user: User = Depends(Protected(required_permission=VIEW_PERMISSION))):
    return {"user": user}
How to use fastapi-auth in your FastAPI app?
Endpoint protection by custom checker
from fastapi import Depends, Request
from fastapi_auth.dependencies import Protected


def my_check(request: Request, user: User) -> bool:
    # perform some checks based on request and/or user....
    # True grants access, False results in HTTP 403
    return True  # or False


@app.get("/admin3")
def admin3(user: User = Depends(Protected(required_checker=my_check))):
    return {"user": user}
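The three protection modes above (roles, a single permission, a custom checker) are easiest to reason about when the decision logic is visible. The block below is an added example written for this page; it is not zopyx-fastapi-auth's code. Permission, Role, User and check_access are framework-free stand-ins for the library's Permission, Role, User and Protected(); the superuser bypass, the owner_only checker and returning 401 for anonymous callers (the slides say the library answers 403) are assumptions chosen for illustration.

```python
"""Added example: a framework-free model of role/permission/checker authorization.

Not zopyx-fastapi-auth's code. Names and the 401/403 split are assumptions.
"""
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass(frozen=True)
class Permission:
    name: str
    description: str = ""


@dataclass(frozen=True)
class Role:
    name: str
    permissions: frozenset[Permission]
    description: str = ""


@dataclass
class User:
    name: str
    roles: list[Role] = field(default_factory=list)
    is_anonymous: bool = False
    is_superuser: bool = False  # assumption: the "(Superuser)" type from the slides

    def permissions(self) -> frozenset[Permission]:
        # A user holds the union of the permissions of all of their roles.
        perms: set[Permission] = set()
        for role in self.roles:
            perms |= role.permissions
        return frozenset(perms)


VIEW = Permission("view", "View permission")
EDIT = Permission("edit", "Edit permission")
DELETE = Permission("delete", "Delete permission")

ADMIN_ROLE = Role("Administrator", frozenset({VIEW, EDIT, DELETE}))
USER_ROLE = Role("User", frozenset({VIEW, EDIT}))
VIEWER_ROLE = Role("Viewer", frozenset({VIEW}))

ANONYMOUS = User("anonymous", is_anonymous=True)

Checker = Callable[[User, dict], bool]


def check_access(
    user: User,
    required_roles: Optional[list[Role]] = None,
    required_permission: Optional[Permission] = None,
    checker: Optional[Checker] = None,
    context: Optional[dict] = None,
) -> int:
    """Return the HTTP status a request should get: 200, 401 or 403.

    Mirrors the three Protected() modes: role(s), one permission, custom checker.
    Anonymous callers are rejected before any role/permission logic runs.
    A superuser bypasses role/permission checks but NOT a custom checker, so
    object-level rules still apply to administrators (assumption made here).
    """
    if user.is_anonymous:
        return 401  # no identity at all: authenticate first
    if required_roles is not None and not user.is_superuser:
        if not any(role in user.roles for role in required_roles):
            return 403
    if required_permission is not None and not user.is_superuser:
        if required_permission not in user.permissions():
            return 403
    if checker is not None and not checker(user, context or {}):
        return 403
    return 200


def owner_only(user: User, ctx: dict) -> bool:
    """Object-level check: roles say WHAT a user may do, this says TO WHICH record.

    Without such a check every holder of EDIT may edit every record, the classic
    broken-object-level-authorization (IDOR) bug. `owner` is a constructed key.
    """
    return ctx.get("owner") == user.name


if __name__ == "__main__":
    alice = User("alice", roles=[USER_ROLE])
    print(check_access(alice, required_permission=DELETE))
    print(check_access(alice, required_permission=EDIT,
                       checker=owner_only, context={"owner": "bob"}))
```

The point of keeping the checker separate from roles and permissions is that the first two are coarse-grained and global, while the checker is where per-record rules live; an endpoint that only checks the EDIT permission is not protected against a user editing somebody else's record.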
Concept of user sources
• A user source manages user accounts
• A user source can authenticate (or not) a user based on
the parameters of a login form
• …usually determined by validating the username and the
password against the data stored in a database
• Typical: RDBMS, LDAP etc.
Pluggable authenticators
from fastapi import Request
from fastapi_auth.authenticator_registry import Authenticator, AUTHENTICATOR_REGISTRY
from fastapi_auth.users import User


class MyAuthenticator(Authenticator):
    async def authenticate(self, request: Request) -> User:
        # extract credentials from the submitted login form
        # (field names "username"/"password" assumed)
        form = await request.form()
        username = form.get("username")
        password = form.get("password")
        # perform authentication against your own authentication system
        user_data = my_backend.authenticate_user(username, password)
        return User(name=user_data["name"], roles=[...])


AUTHENTICATOR_REGISTRY.add_authenticator(MyAuthenticator(), 0)
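The slide shows the shape of one authenticator but not how several user sources (local, SAP, LDAP) are consulted "transparently", nor how the local source should check a password. The block below is an added example written for this page, not the library's code: Authenticator, AuthenticatorRegistry, the priority semantics (lower number tried first), the sample accounts and the in-memory LDAP stand-in are all constructed assumptions. It demonstrates a first-match chain over sources, salted PBKDF2 password storage for the local source, and constant-time comparison with a dummy hash for unknown usernames so that response time does not leak which accounts exist.

```python
"""Added example: a chain of pluggable user sources with a hardened local source.

Not zopyx-fastapi-auth's code; registry, priority semantics and accounts are assumptions.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class User:
    name: str
    roles: list[str] = field(default_factory=list)
    source: str = ""  # which user source accepted the credentials


class Authenticator:
    """One user source. Returns a User on success, None on failure."""

    name = "base"

    def authenticate(self, username: str, password: str) -> Optional[User]:
        raise NotImplementedError


PBKDF2_ITERATIONS = 600_000  # OWASP (2023) guidance for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class LocalAuthenticator(Authenticator):
    """Stand-in for the SQLite-backed local user store."""

    name = "local"

    def __init__(self) -> None:
        # Constructed sample account; a real source would read its database.
        salt, digest = hash_password("correct horse battery staple")
        self._users = {"alice": (salt, digest, ["User"])}

    def authenticate(self, username, password):
        record = self._users.get(username)
        # Always run the KDF, even for unknown names, so timing does not reveal
        # which accounts exist; the dummy record can never match.
        salt, stored, roles = record or (b"\x00" * 16, b"\x00" * 32, [])
        _, candidate = hash_password(password, salt)
        if record is None or not hmac.compare_digest(candidate, stored):
            return None
        return User(username, roles, source=self.name)


class LdapAuthenticator(Authenticator):
    """Stand-in for an LDAP bind; constructed in-memory directory, no network."""

    name = "ldap"
    _directory = {"bob": ("ldap-secret", ["Viewer"])}

    def authenticate(self, username, password):
        entry = self._directory.get(username)
        if entry is None or not hmac.compare_digest(entry[0].encode(), password.encode()):
            return None
        return User(username, entry[1], source=self.name)


class AuthenticatorRegistry:
    def __init__(self) -> None:
        self._items: list[tuple[int, Authenticator]] = []

    def add_authenticator(self, auth: Authenticator, priority: int) -> None:
        self._items.append((priority, auth))
        self._items.sort(key=lambda item: item[0])  # assumption: lower = tried first

    def authenticate(self, username: str, password: str) -> Optional[User]:
        # First source that accepts the credentials wins; the caller never
        # learns which sources were consulted or which one rejected it.
        for _, auth in self._items:
            user = auth.authenticate(username, password)
            if user is not None:
                return user
        return None


REGISTRY = AuthenticatorRegistry()
REGISTRY.add_authenticator(LocalAuthenticator(), 0)
REGISTRY.add_authenticator(LdapAuthenticator(), 10)
```

Two practitioner notes: the order of sources is a security decision (a local account shadowing a directory account of the same name is a privilege-escalation path if local accounts are easier to create), and every source in the chain must fail in the same way so that the combined login endpoint does not become a username oracle.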
Built-in user management
• zopyx-fastapi-auth comes with a default user management
• with sqlite as database backend
• commandline utility fastapi-auth-user-admin
> fastapi-auth-user-admin add <username> <password> "Role1,Role2…"
> fastapi-auth-user-admin delete <username>
> fastapi-auth-user-admin lists-users
> fastapi-auth-user-admin set-password <username> <new-password>
Internals
• based on starlette.middleware.sessions
• authentication information stored and exchanged through
a signed cookie: Starlette's SessionMiddleware signs the base64-encoded
session JSON with itsdangerous (an HMAC), it does not encrypt it
• client/browser can read the session payload but cannot modify it
without the server's secret key (a changed payload fails signature
verification); keep passwords and other secrets out of the session
• lifetime of cookie: session or persistent
• ToDo:
• switching to encrypted cookies (starlette-securecookies)
• better control over lifetime of cookies, expiration, revocation!?
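To make the signed-versus-encrypted distinction concrete, the block below re-creates the cookie scheme with the standard library only. It is an added example written for this page, not Starlette's or the library's code; the key, the session payload and the max_age value are constructed. It shows that anyone holding the cookie can read the payload without the key, that editing the roles in it fails verification, and that a timestamp plus max_age gives expiry, which is the only form of revocation a stateless cookie offers without server-side session state (the open ToDo above).

```python
"""Added example: a signed (not encrypted) session cookie, itsdangerous-style.

Not Starlette's or zopyx-fastapi-auth's code. Key, payload and max_age are constructed.
"""
import base64
import binascii
import hashlib
import hmac
import json
import time
from typing import Optional

SECRET_KEY = b"constructed-demo-key-do-not-reuse"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_session(session: dict, now: Optional[int] = None) -> str:
    """Produce payload.timestamp.signature, like an itsdangerous TimestampSigner."""
    now = int(time.time()) if now is None else now
    body = f"{_b64(json.dumps(session).encode())}.{now}"
    mac = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(mac)}"


def verify_session(cookie: str, max_age: int, now: Optional[int] = None) -> Optional[dict]:
    """Return the session dict, or None if the MAC or the age check fails."""
    try:
        payload, ts, sig = cookie.rsplit(".", 2)
        provided = _unb64(sig)
        issued = int(ts)
    except (ValueError, binascii.Error):
        return None  # malformed cookie
    body = f"{payload}.{ts}"
    expected = hmac.new(SECRET_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, provided):
        return None  # tampered payload, tampered timestamp, or wrong key
    now = int(time.time()) if now is None else now
    if now - issued > max_age:
        return None  # expired: a stateless cookie cannot be revoked any other way
    return json.loads(_unb64(payload))


def read_without_key(cookie: str) -> dict:
    """What the browser (or anyone who captures the cookie) can see:
    the payload is only base64-encoded, not encrypted."""
    payload = cookie.split(".", 1)[0]
    return json.loads(_unb64(payload))


def forge_role(cookie: str, new_roles: list) -> str:
    """An attacker edits the roles but cannot recompute the MAC without the key."""
    payload, ts, sig = cookie.rsplit(".", 2)
    session = json.loads(_unb64(payload))
    session["roles"] = new_roles
    return f"{_b64(json.dumps(session).encode())}.{ts}.{sig}"
```

Moving to starlette-securecookies (Fernet encryption on top of the signature) closes the readability gap; it does not add revocation, which still needs a server-side session table or a short max_age combined with re-authentication.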
Demo time 🥳
Resources
• https://github.com/zopyx/fastapi-auth
• https://pypi.org/project/zopyx-fastapi-auth/
Questions & Answers
Thank you for listening
Andreas Jung • info@zopyx.com • www.zopyx.com • www.andreas-jung.com
