dorinclisu / fastapi-auth0

FastAPI authentication and authorization using auth0.com
MIT License

Question regarding differences between this project and FastAPI Cloud Auth #16

Closed rhinck closed 3 years ago

rhinck commented 3 years ago

I'm not sure if this is the proper place to ask, but here I go.

I'm new to auth0 and FastAPI and was looking at the different plugins that are available. The main ones that I saw were this plugin and FastAPI Cloud Auth. If I'm not mistaken, I saw that you created an issue for that plugin back in December.

If you don't mind me asking, I was just curious what the advantage of your implementation compared to theirs is and what led to you building your own?

Thanks for your time and effort on this project!

dorinclisu commented 3 years ago

The advantage is that the code is cleaner, both implementation and application. My pain with fastapi-cloudauth was that I couldn't obtain the user email in a nice and secure way. But this might have been fixed in the meantime.

I think the choice is kind of obvious, this lib is focused on auth0 and I don't see a way to make it generic to work with other auth providers like cognito or firebase. Though maybe I'll have a look at okta since they recently acquired auth0 and there might be some changes in how they work in the long term.

rhinck commented 3 years ago

Makes sense, I thought so as well. Just wanted to get your two cents on the matter.

One other question I had was about additional scope validation. I saw that the docs for fastapi-cloudauth had an example where you could set an option to allow a request if the request had any of the scopes. Does your library currently support this or do you see this as something you could see in the future roadmap of this library?

Here's the example I'm referring to:

from fastapi import Depends
from fastapi_cloudauth import Operator

# `app` is the FastAPI instance and `auth` the fastapi-cloudauth provider object
@app.get("/", dependencies=[Depends(auth.scope(["allowned", "scopes"], op=Operator._any))])
def api_any_scope():
    return "user has at least one of scopes (allowned, scopes)"

Thanks again!

dorinclisu commented 3 years ago

Scopes are supported using the native fastapi Security construct, which is a form of dependency injection:

from fastapi import Security

# `app` is the FastAPI instance and `auth` the fastapi_auth0.Auth0 instance
@app.get("/", dependencies=[Security(auth.get_user, scopes=["allowned", "scopes"])])
def api_any_scope():
    return "user has at least one of scopes (allowned, scopes)"

As explained in the fastapi docs, this way is more versatile, especially for a complex application where you have a hierarchy of routers and subrouters, and certain scopes required at each level.
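
The following is an added example, not code from fastapi-auth0 or fastapi-cloudauth, illustrating the mechanism discussed in the two comments above: how FastAPI's Security()/SecurityScopes construct carries the scopes named at router level and at route level into one user dependency, and how that dependency can enforce either "every listed scope" or "at least one listed scope". Token verification is a constructed stand-in (a dict mapping opaque hypothetical tokens to claims); in a real application that step is the JWT signature, issuer and audience validation that fastapi-auth0's auth.get_user performs. The scope names read:items and write:items and the helper names are assumptions for the example.

```python
"""Added example (not from fastapi-auth0 or fastapi-cloudauth).

Shows how FastAPI's Security()/SecurityScopes mechanism delivers the
scopes requested at router and route level to a single dependency, and
how that dependency can enforce "all listed scopes" or "any one listed
scope".  Token verification is a constructed stand-in; a real app
validates the JWT (signature, issuer, audience) at that point.
"""
from typing import Dict, Iterable, List


def token_scopes(claims: Dict[str, object]) -> List[str]:
    """Auth0 issues granted scopes as a space-separated 'scope' claim."""
    raw = claims.get("scope", "")
    return raw.split() if isinstance(raw, str) else []


def missing_scopes(granted: Iterable[str], required: Iterable[str]) -> List[str]:
    """Required scopes the token does not carry, in the order requested."""
    have = set(granted)
    return [s for s in required if s not in have]


def is_authorized(granted: Iterable[str], required: Iterable[str],
                  require_all: bool = True) -> bool:
    """require_all=True : every required scope must be present.
    require_all=False: one matching scope is enough (the Operator._any idea).
    An empty requirement list means any valid token is accepted."""
    required = list(required)
    if not required:
        return True
    missing = missing_scopes(granted, required)
    return not missing if require_all else len(missing) < len(required)


def create_app(require_all: bool = True):
    """App factory. FastAPI is imported here so the scope logic above can be
    exercised and tested without the framework installed."""
    from fastapi import APIRouter, Depends, FastAPI, HTTPException, Security, status
    from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer, SecurityScopes

    bearer = HTTPBearer()
    # Constructed stand-in for token verification (hypothetical tokens/claims).
    fake_tokens = {
        "token-reader": {"sub": "auth0|reader", "scope": "read:items"},
        "token-editor": {"sub": "auth0|editor", "scope": "read:items write:items"},
    }

    def get_user(security_scopes: SecurityScopes,
                 creds: HTTPAuthorizationCredentials = Depends(bearer)) -> Dict[str, object]:
        # security_scopes.scopes is the list that the Security(get_user, scopes=[...])
        # call on the dependency chain asked for; empty means "any valid token".
        claims = fake_tokens.get(creds.credentials)
        if claims is None:
            raise HTTPException(status.HTTP_401_UNAUTHORIZED, "invalid token")
        if not is_authorized(token_scopes(claims), security_scopes.scopes, require_all):
            raise HTTPException(
                status.HTTP_403_FORBIDDEN,
                f"insufficient scope, need: {security_scopes.scope_str}",
            )
        return claims

    app = FastAPI()
    # Router-level requirement: everything under /items needs read:items.
    items = APIRouter(dependencies=[Security(get_user, scopes=["read:items"])])

    @items.get("/")
    def list_items(user: Dict[str, object] = Security(get_user)):
        return {"sub": user["sub"], "items": []}

    # Route-level requirement added on top: writing also needs write:items.
    @items.post("/")
    def add_item(user: Dict[str, object] = Security(get_user, scopes=["write:items"])):
        return {"sub": user["sub"], "created": True}

    app.include_router(items, prefix="/items")
    return app
```

Run it with `uvicorn` after `app = create_app()` and call `/items/` with `Authorization: Bearer token-reader` (GET succeeds, POST is refused with 403 because write:items is missing) or `Bearer token-editor` (both succeed). The router-level and route-level Security() calls are evaluated as separate dependency instances, so a request must satisfy each of them, which is the hierarchy behaviour referred to above; `create_app(require_all=False)` switches the same dependency to the "any one scope" semantics.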

rhinck commented 3 years ago

I'll take a look further into the fastapi docs, thanks!