
Integrating OpenIdConnect with FastAPI’s OpenAPI UI

FastAPI is a powerful tool for building APIs with Python, but it doesn’t fully support OpenIdConnect out of the box. However, with a bit of tweaking, you can set up FastAPI’s OpenAPI UI (Swagger UI) to use OpenIdConnect authentication across all routes. This is particularly useful if you’re using an identity provider like Keycloak and don’t want to declare the security scheme inside each of your routes.

It also works well in combination with the fastapi keycloak plugin, which doesn’t parameterize the OpenAPI part.

What is OpenIdConnect?


OpenIdConnect is an identity layer on top of the OAuth 2.0 protocol, allowing clients to verify the identity of the end-user based on the authentication performed by an authorization server.

Setting Up OpenIdConnect in FastAPI for OpenApi


To set up OpenIdConnect in FastAPI, you need to modify the OpenAPI schema. Here’s an example:

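from fastapi import FastAPI

app = FastAPI()
...
# Generate (and cache) the schema once all routes are registered;
# app.openapi_schema stays None until app.openapi() has been called.
schema = app.openapi()
# Create the containers if no route has declared a security scheme yet.
schemes = schema.setdefault("components", {}).setdefault("securitySchemes", {})
schemes["openId"] = {
    "type": "openIdConnect",
    "openIdConnectUrl": "https://yourkeycloakurl.com/realms/yourrealm/.well-known/openid-configuration",
}
# Top-level requirement: applies to every operation in the schema.
schema["security"] = [{"openId": ["read", "write"]}]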


In this code:

We’re adding a new security scheme to the OpenAPI schema. The type is openIdConnect, and the openIdConnectUrl is the well-known configuration URL of your OpenIdConnect provider (like Keycloak).
We’re setting the security property of the schema to use the OpenIdConnect scheme. The ["read", "write"] array represents the scopes that the OpenIdConnect provider should request. Because the property is set at the top level of the schema, it applies to all our endpoints.
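
An added example (not from the original post or from FastAPI) that applies the same change to a plain schema dict and then lists the operations that would not inherit the global requirement, since in OpenAPI an operation-level security entry overrides the top-level one. SAMPLE_SCHEMA, its paths and scheme names, the function names and the https check on the discovery URL are assumptions made for the illustration.

```python
# Added example, standard library only. SAMPLE_SCHEMA is constructed.
import copy
from urllib.parse import urlsplit

HTTP_METHODS = {"get", "put", "post", "delete", "options", "head", "patch", "trace"}
DISCOVERY_SUFFIX = "/.well-known/openid-configuration"


def apply_openid(schema, discovery_url, scopes, name="openId"):
    """Return a copy of schema carrying a global openIdConnect requirement."""
    parts = urlsplit(discovery_url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("discovery URL must be an absolute https URL")
    if not parts.path.endswith(DISCOVERY_SUFFIX):
        raise ValueError("discovery URL must end with " + DISCOVERY_SUFFIX)
    patched = copy.deepcopy(schema)
    # setdefault: a schema with no security scheme yet lacks these keys.
    schemes = patched.setdefault("components", {}).setdefault("securitySchemes", {})
    schemes[name] = {"type": "openIdConnect", "openIdConnectUrl": discovery_url}
    patched["security"] = [{name: list(scopes)}]
    return patched


def overriding_operations(schema):
    """List (METHOD, path, status) for operations that ignore the global security."""
    findings = []
    for path, item in schema.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS or "security" not in op:
                continue  # no own entry: inherits the top-level requirement
            status = "overrides" if op["security"] else "unauthenticated in docs"
            findings.append((method.upper(), path, status))
    return sorted(findings)


# Constructed sample, shaped like a generated OpenAPI document (hypothetical paths).
SAMPLE_SCHEMA = {
    "openapi": "3.1.0",
    "info": {"title": "demo", "version": "0.1.0"},
    "paths": {
        "/items": {"get": {"responses": {}}},
        "/admin": {"post": {"responses": {}, "security": [{"OAuth2PasswordBearer": []}]}},
        "/health": {"get": {"responses": {}, "security": []}},
    },
}

if __name__ == "__main__":
    url = "https://yourkeycloakurl.com/realms/yourrealm" + DISCOVERY_SUFFIX
    for finding in overriding_operations(apply_openid(SAMPLE_SCHEMA, url, ["read", "write"])):
        print(finding)
```

The schema only drives what Swagger UI sends; validating the token on each request remains the job of the application's own dependencies or middleware.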


Wrapping Up


This approach allows you to set up OpenIdConnect authentication across all routes in FastAPI’s OpenAPI UI, without needing to manually configure each route. It’s a handy trick if you’re using an identity provider like Keycloak and want to leverage OpenIdConnect for your FastAPI application.
