From 6f0d535085cabc48a48acd4f9e12f50ca28e03bd Mon Sep 17 00:00:00 2001 From: oxqnd Date: Wed, 4 Jun 2025 18:32:34 +0900 Subject: [PATCH 1/4] docs: clarify OpenIdConnect does not perform token validation --- fastapi/security/open_id_connect_url.py | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/fastapi/security/open_id_connect_url.py b/fastapi/security/open_id_connect_url.py index c8cceb911..8b25e8e7e 100644 --- a/fastapi/security/open_id_connect_url.py +++ b/fastapi/security/open_id_connect_url.py @@ -12,6 +12,13 @@ class OpenIdConnect(SecurityBase): """ OpenID Connect authentication class. An instance of it would be used as a dependency. + + Note: + This class **does not perform any token validation or decoding**. + It only extracts the `Authorization` header and includes metadata in the OpenAPI docs. + + You must implement the actual authentication logic separately (e.g., verifying + the token signature, claims, and user handling). """ def __init__( From 935bcfa657cd600834ae5b2c5929c1781cee813c Mon Sep 17 00:00:00 2001 From: oxqnd Date: Thu, 5 Jun 2025 19:26:48 +0900 Subject: [PATCH 2/4] docs: clarify that OAuth2 classes do not perform token validation --- fastapi/security/oauth2.py | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/fastapi/security/oauth2.py b/fastapi/security/oauth2.py index 5ffad5986..1d0e721b9 100644 --- a/fastapi/security/oauth2.py +++ b/fastapi/security/oauth2.py 
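Review bot: The added Note in the `OpenIdConnect` docstring says the class "only extracts the `Authorization` header" but does not say what the dependency hands back or what happens when the header is absent, which is exactly what a caller writing the verification step needs to know. The `__call__` method is outside the hunk, so confirm against it; if it returns the raw header value and raises 401 on a missing header only when `auto_error` is true, add a line such as `The dependency returns the raw header value (scheme included); a missing header raises 401 only when auto_error is True.` The bold markup also differs from the notes in the `oauth2.py` and `api_key.py` patches (`**does not perform any ...**` here versus `does **not** perform` there); pick one form for the series. The class body continues outside the hunk.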
@@ -393,6 +393,11 @@ class OAuth2PasswordBearer(OAuth2): OAuth2 flow for authentication using a bearer token obtained with a password. An instance of it would be used as a dependency. + Note: + This class does **not** perform token validation or decoding. + It only extracts the `Authorization` header and includes metadata in the OpenAPI docs. + You must handle actual token validation separately (e.g. signature and claims verification). + Read more about it in the [FastAPI docs for Simple OAuth2 with Password and Bearer](https://fastapi.tiangolo.com/tutorial/security/simple-oauth2/). """ @@ -489,6 +494,11 @@ class OAuth2AuthorizationCodeBearer(OAuth2): """ OAuth2 flow for authentication using a bearer token obtained with an OAuth2 code flow. An instance of it would be used as a dependency. + + Note: + This class does **not** perform token validation or decoding. + It only extracts the `Authorization` header and includes metadata in the OpenAPI docs. + You must handle actual token validation separately (e.g. signature and claims verification). """ def __init__( From 6e85699bfbbb011fbe453aaebc43fb44b4d64940 Mon Sep 17 00:00:00 2001 From: oxqnd Date: Thu, 5 Jun 2025 19:29:52 +0900 Subject: [PATCH 3/4] docs: clarify that APIKey classes do not perform validation --- fastapi/security/api_key.py | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/fastapi/security/api_key.py b/fastapi/security/api_key.py index 70c2dca8a..6a79f6fe0 100644 --- a/fastapi/security/api_key.py +++ b/fastapi/security/api_key.py 
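Review bot: In both hunks (`OAuth2PasswordBearer` at line 393 and `OAuth2AuthorizationCodeBearer` at line 489) the Note says the class "only extracts the `Authorization` header", which is imprecise if the bearer classes strip the scheme and return just the token, as their `__call__` does in the versions I know; that method is outside the hunk, so confirm before rewording. A reader who takes the sentence literally may expect the full header and try to parse the scheme again; suggest `It only extracts the bearer token from the `Authorization` header (a missing header or a non-Bearer scheme yields 401 when auto_error is True) and includes metadata in the OpenAPI docs.` The closing sentence "You must handle actual token validation separately (e.g. signature and claims verification)" would be more useful as a short checklist — signature, issuer and audience, expiry — since those are the checks most often skipped. Both class bodies continue outside the hunk.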
@@ -24,6 +24,12 @@ class APIKeyQuery(APIKeyBase): """ API key authentication using a query parameter. + Note: + This class does **not** perform API key validation or decoding. + It only extracts the key from the request and provides OpenAPI integration. + + You must implement the actual verification logic yourself (e.g., checking against a database or list of valid keys). + This defines the name of the query parameter that should be provided in the request with the API key and integrates that into the OpenAPI documentation. It extracts the key value sent in the query parameter automatically and provides it as the @@ -116,6 +122,12 @@ class APIKeyHeader(APIKeyBase): """ API key authentication using a header. + Note: + This class does **not** perform API key validation or decoding. + It only extracts the key from the request and provides OpenAPI integration. + + You must implement the actual verification logic yourself (e.g., checking against a database or list of valid keys). + This defines the name of the header that should be provided in the request with the API key and integrates that into the OpenAPI documentation. It extracts the key value sent in the header automatically and provides it as the dependency @@ -203,6 +215,12 @@ class APIKeyHeader(APIKeyBase): class APIKeyCookie(APIKeyBase): """ API key authentication using a cookie. + + Note: + This class does **not** perform API key validation or decoding. + It only extracts the key from the request and provides OpenAPI integration. + + You must implement the actual verification logic yourself (e.g., checking against a database or list of valid keys). This defines the name of the cookie that should be provided in the request with the API key and integrates that into the OpenAPI documentation. It extracts From c579980e918aeb7290798ffdbf2033c46815dbe0 Mon Sep 17 00:00:00 2001 
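Review bot: All three hunks (`APIKeyQuery`, `APIKeyHeader`, `APIKeyCookie`) insert the Note between the one-line summary and the paragraph that explains what the class does ("This defines the name of ..."), so the docstring now states the limitation before saying what the class is for; placing the Note after that paragraph, as the `open_id_connect_url.py` patch does, reads better. "Validation or decoding" also does not fit an opaque API key, so "decoding" can be dropped. The suggested verification ("checking against a database or list of valid keys") is the right idea; a one-line hint that the comparison should use `secrets.compare_digest` and that stored keys are secrets to be kept hashed would make the note actionable. For `APIKeyQuery` specifically, a sentence noting that a key sent as a query parameter is likely to end up in server and proxy logs and browser history, so the header or cookie variants are preferable, would be a useful caveat. All three class bodies continue outside the hunks.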
From: "pre-commit-ci[bot]" <66853113+pre-commit-ci[bot]@users.noreply.github.com> Date: Thu, 5 Jun 2025 10:31:03 +0000 Subject: [PATCH 4/4] =?UTF-8?q?=F0=9F=8E=A8=20[pre-commit.ci]=20Auto=20for?= =?UTF-8?q?mat=20from=20pre-commit.com=20hooks?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- fastapi/security/api_key.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fastapi/security/api_key.py b/fastapi/security/api_key.py index 6a79f6fe0..29529c7e5 100644 --- a/fastapi/security/api_key.py +++ b/fastapi/security/api_key.py @@ -215,7 +215,7 @@ class APIKeyHeader(APIKeyBase): class APIKeyCookie(APIKeyBase): """ API key authentication using a cookie. - + Note: This class does **not** perform API key validation or decoding. It only extracts the key from the request and provides OpenAPI integration.