FastAPI-Security
FastAPI-Security is a package that you can use together with FastAPI to easily add authentication and authorization.
Installation
With OAuth2/OIDC support:
pip install fastapi-security[oauth2]
With basic auth only:
pip install fastapi-security
Key features
With base install:
- Authentication via HTTP Basic Auth
- Pydantic-based User model for authenticated and anonymous users
- Limit endpoint access to authenticated users
- Limit endpoint access to users with an explicit set of user permissions
- Easily create an endpoint for users to check their user info and permissions
With extra oauth2:
- Authentication via JWT-based OAuth 2 access tokens in addition to HTTP Basic Auth
- Ability to extract user info from access tokens via OpenID Connect
- Permissions are checked against the permissions attribute returned in OAuth 2 access tokens
Current limitations
- Only supports validating access tokens using public keys from a JSON Web Key Set (JWKS) endpoint, i.e. for use with external identity providers such as Auth0 and ORY Hydra.
- Permissions can only be picked up automatically from OAuth2 tokens, from the non-standard permissions list attribute (Auth0 provides this, maybe other identity providers as well). For all other use cases, permission_overrides must be used. For example, if there's a basic auth user called user1, you can set permission_overrides={"user1": ["*"]} to give the user access to all permissions, or permission_overrides={"user1": ["products:create"]} to assign user1 only the permission products:create.
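The sketch below is an added example, not code from FastAPI-Security: it models the permission_overrides mapping described above in plain Python and audits it for wildcard grants and misspelled permission names. The functions effective_permissions and audit_overrides, the users user2 to user4 and the permission products:read are hypothetical, and it assumes that an override entry takes precedence over the token's permissions list.

```python
"""Stand-alone model of the permission_overrides mapping (not fastapi-security code)."""
from typing import Dict, Iterable, List, Set

WILDCARD = "*"  # per the page: ["*"] gives the user all permissions


def effective_permissions(
    username: str,
    token_permissions: Iterable[str],
    overrides: Dict[str, List[str]],
    known: Set[str],
) -> Set[str]:
    """Resolve what a user may do.

    Assumption (not stated on the page): an override entry, when present,
    takes precedence over the token's `permissions` list.
    """
    if username in overrides:
        granted = set(overrides[username])
        return set(known) if WILDCARD in granted else granted & known
    return set(token_permissions) & known


def audit_overrides(overrides: Dict[str, List[str]], known: Set[str]) -> List[str]:
    """Flag override entries worth a second look before deployment."""
    findings = []
    for user, perms in sorted(overrides.items()):
        if WILDCARD in perms:
            findings.append(f"{user}: wildcard grants every permission")
        for perm in perms:
            if perm != WILDCARD and perm not in known:
                findings.append(f"{user}: unknown permission {perm!r}")
    return findings


# Constructed sample data; names other than user1 and products:create are made up.
KNOWN = {"products:create", "products:read"}
OVERRIDES = {
    "user1": ["*"],
    "user2": ["products:create"],
    "user3": ["product:create"],  # typo: never matches a known permission
}

if __name__ == "__main__":
    for name in ("user1", "user2", "user3", "user4"):
        print(name, sorted(effective_permissions(name, [], OVERRIDES, KNOWN)))
    print("\n".join(audit_overrides(OVERRIDES, KNOWN)))
```

Running the audit in CI against the deployed overrides keeps wildcard grants visible in review and catches a misspelled permission that would otherwise silently grant nothing.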
Usage example
An example app using FastAPI-Security can be found here.