Closed (lsmith77 closed this issue 2 years ago)
Hi @lsmith77 - thanks for the comment.
APIs don't have a notion of "authenticated user" since this is dealt with in the front-end. APIs are responsible for checking the validity of the access tokens and any roles or API permissions passed in the token claims. The best way to make business decisions, assuming you have a valid token, is to look into the claims and take the appropriate action.
Your suggestion, however, is great as we don't really expose any of the token claims and most of the checks are esoteric/internal. Your PR to return the token claims makes sense. I'll test it to ensure that everything is working as expected before committing it. thx
@lsmith77 I have added a new helper method: get_token_claims to expose the token claims. Instead of overloading validate_scope to do the scope validation AND return the claims, I decided to decouple the functionality and put it in a separate method :)
Thanks for the recommendation!
did you remember to push your change because I don’t see the commit yet.
Done now. I didn't push as I was working on Unit Tests :)
Thanks for checking with me CM
On Tue, Apr 12, 2022 at 11:11 PM Lukas Kahwe Smith wrote: "did you remember to push your change because I don't see the commit yet."
thank you! one small tweak left to do https://github.com/425show/fastapi_microsoft_identity/pull/5
I have an API where authentication is optional but if the user is identified I want to look up the settings for that specific user.
I guess this means I should not use requires_b2c_auth but just call validate_scope to check if the request is optionally authenticated. But what I am missing now is a way to get some identifier from the JWT token (ideally the email) so that I can then do the appropriate lookup.
I guess ideally there would be a way to fetch the user with all the roles and claims.
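The optional-authentication flow asked about here, and the maintainer's point that the API validates the token first and only then reads claims, as an added stand-alone example (not code from fastapi_microsoft_identity): a symmetric HS256 check stands in for the library's signature/issuer/audience validation, the settings store and claim names (`oid`, `emails`, `preferred_username`) are constructed assumptions, and a missing token is treated as anonymous while an invalid token is rejected rather than silently downgraded.

```python
import base64, hashlib, hmac, json
from typing import Callable, Optional

# Constructed settings store keyed by the token's stable object id ("oid");
# e-mail is kept only as a display value because it can change or be re-assigned.
SETTINGS_BY_OID = {"00000000-0000-0000-0000-000000000001": {"theme": "dark"}}

class InvalidToken(Exception):
    pass

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_hs256_token(claims: dict, key: bytes) -> str:
    # Builds a signed test token (constructed input; real tokens are issued by Azure AD).
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"

def verify_hs256(token: str, key: bytes) -> dict:
    # Stand-in for the library's validation step: reject before trusting any claim.
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("malformed token")
    header, payload, sig = parts
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise InvalidToken("bad signature")
    return json.loads(_b64url_decode(payload))

def resolve_user(headers: dict, verify: Callable[[str], dict]) -> Optional[dict]:
    # Optional authentication: no token -> anonymous (None); bad token -> reject (fail closed).
    auth = headers.get("Authorization", "")
    if not auth:
        return None
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "bearer" or not token:
        raise InvalidToken("expected a Bearer token")
    claims = verify(token)  # raises InvalidToken; never downgrade an invalid token to anonymous
    oid = claims.get("oid")
    if not oid:
        raise InvalidToken("token carries no stable user identifier")
    # B2C may expose e-mail as an "emails" list, AAD as "preferred_username" (assumed claim names).
    email = (claims.get("emails") or [claims.get("preferred_username")])[0]
    return {"oid": oid, "email": email, "settings": SETTINGS_BY_OID.get(oid, {})}
```

Keying the lookup on `oid` rather than the e-mail claim avoids tying a user's settings to an attribute that the identity provider may let them change.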