Closed Pkumar-1988 closed 4 months ago
Huh, good catch. I didnโt know this was a feature in Swagger, honestly. Would you like to look into how to implement it? Pull requests welcome ๐
Looked into it and found:
Oauth2
, and are forced to rather instance it inside our own class due to mypy
errors when changing return types on a superclass. I've submitted a PR here https://github.com/tiangolo/fastapi/pull/5614. I'll update this thread whenever I get a reply there.
wow.. that was too quick.. thank you for the PR.. do you know when it will be pushed to artifactory
@Pkumar-1988 , we have to wait for FastAPI maintainers (tiangolo specifically) to respond first. If they accept and merge, I'll have to edit how we handle scopes in this package, since Azure don't accept and respond with the same kind of scopes (unfortunately).
In other words: I have no idea, it is in FastAPIs hands now. ๐
If you preset the scope in the swagger_ui_init_oauth
option, then you have the checkbox ticked automatically.
That's interesting, thanks! I'm tempted to close this with that solution, since the PR isn't going anywhere.
With @rhuanbarreto 's hint I can confirm the tickbox is selected automatically and it's possible to auth in endpoints directly.
Here's what I do for B2C:
SCOPE_NAME = f'https://{settings.TENANT_NAME}.onmicrosoft.com/{settings.APP_CLIENT_ID}/user_impersonation'
SCOPE_DESCRIPTION = 'user_impersonation'
SCOPES = {SCOPE_NAME: SCOPE_DESCRIPTION}
azure_scheme = B2CMultiTenantAuthorizationCodeBearer(
app_client_id=settings.APP_CLIENT_ID,
openid_config_url=OPENID_CONFIG_URL,
openapi_authorization_url=OPENID_AUTH_URL,
openapi_token_url=OPENID_TOKEN_URL,
scopes=SCOPES,
validate_iss=False,
auto_error=False,
)
Then use the scope in the FastAPI.app
instance:
app = FastAPI(
swagger_ui_oauth2_redirect_url='/oauth2-redirect',
swagger_ui_init_oauth={
'usePkceWithAuthorizationCodeGrant': True,
'clientId': settings.OPENAPI_CLIENT_ID,
'scopes': SCOPE_NAME
},
)
Thank you so much.
I think we could add this to all the docs, and then close this issue. I'll see if we can do it together with #150.
@JonasKs @davidhuser
What would you think about integrating the generated information in the settings using computed_fields? Because this would be a bigger change I would personally like to split #154 and the PR for this issue? We could also apply this to the openapi_authorization_url and openapi_token_url?
import uvicorn
from fastapi import FastAPI
from fastapi.middleware.cors import CORSMiddleware
from pydantic import AnyHttpUrl, computed_field
from pydantic_settings import BaseSettings, SettingsConfigDict
from fastapi_azure_auth import B2CMultiTenantAuthorizationCodeBearer
class Settings(BaseSettings):
BACKEND_CORS_ORIGINS: list[str | AnyHttpUrl] = ['http://localhost:8000']
TENANT_NAME: str = ""
APP_CLIENT_ID: str = ""
OPENAPI_CLIENT_ID: str = ""
AUTH_POLICY_NAME: str = ""
SCOPE_DESCRIPTION: str = "user_impersonation"
@computed_field
@property
def SCOPE_NAME(self) -> str:
return f'https://{self.TENANT_NAME}.onmicrosoft.com/{self.APP_CLIENT_ID}/{self.SCOPE_DESCRIPTION}'
@computed_field
@property
def SCOPES(self) -> dict:
return {
self.SCOPE_NAME: self.SCOPE_DESCRIPTION
}
@computed_field
@property
def OPENID_CONFIG_URL(self) -> dict:
return f'https://{self.TENANT_NAME}.b2clogin.com/{self.TENANT_NAME}.onmicrosoft.com/{self.AUTH_POLICY_NAME}/v2.0/.well-known/openid-configuration'
model_config = SettingsConfigDict(
env_file='.env',
env_file_encoding='utf-8',
case_sensitive=True
)
settings = Settings()
app = FastAPI(
swagger_ui_oauth2_redirect_url='/oauth2-redirect',
swagger_ui_init_oauth={
'usePkceWithAuthorizationCodeGrant': True,
'clientId': settings.OPENAPI_CLIENT_ID,
},
)
if settings.BACKEND_CORS_ORIGINS:
app.add_middleware(
CORSMiddleware,
allow_origins=[str(origin) for origin in settings.BACKEND_CORS_ORIGINS],
allow_credentials=True,
allow_methods=['*'],
allow_headers=['*'],
)
azure_scheme = B2CMultiTenantAuthorizationCodeBearer(
app_client_id=settings.APP_CLIENT_ID,
openid_config_url=settings.OPENID_CONFIG_URL,
openapi_authorization_url=f'https://{settings.TENANT_NAME}.b2clogin.com/{settings.TENANT_NAME}.onmicrosoft.com/{settings.AUTH_POLICY_NAME}/oauth2/v2.0/authorize',
openapi_token_url=f'https://{settings.TENANT_NAME}.b2clogin.com/{settings.TENANT_NAME}.onmicrosoft.com/{settings.AUTH_POLICY_NAME}/oauth2/v2.0/token',
scopes={
settings.SCOPES
},
validate_iss=False,
)
@app.get("/")
async def root():
return {"message": "Hello World"}
if __name__ == '__main__':
uvicorn.run('main:app', reload=True)
``ยด
I like the idea but this would be a breaking change I think as it was introduced with v2
@davidhuser But this shouldn't be a problem? Using pydantic-settings
enforces pydantic
to be version 2.0.1 or higher. This version includes the computed_field
field property.
Right now both pydantic v1 and v2 works. How ever, as stated in other issues, I don't really plan on supporting v1 pydantic other than on a backport branch for security releases.
Pydantic v1 is no longer actively developed and will only receive security fixes. I know fastapi supports both and probably will for some time, but there's no reason for every single package out there to support both, in my opinion.
Please let me know if you disagree.
I'll provide a PR for the changes :)
Awesome, thanks. I'll do my best to get to your PRs this weekend. ๐
I'm closing this - it's really a feature request to FastAPI, and I've tried to submit a PR which hasn't been accepted for years.
Sorry!
Describe the bug Scopes are missing if we select padlock symbol next to each api endpoint while trying to authorize. they do appear when we select authorize button at the top.
To Reproduce use below azure scheme
use this scheme as a dependency to your endpoint
go to /docs
you can see scopes when you click authorize button
if you click on padlock below scopes are missing
and unable to authorize as I am getting below error..