Added OIDC - JWT Access Token validation tutorial

2 years ago · 90ef000643
6 changed files with 252 additions and 0 deletions
--- a/docs/en/docs/img/tutorial/security/image13.png
+++ b/docs/en/docs/img/tutorial/security/image13.png
--- a/docs/en/docs/img/tutorial/security/image14.png
+++ b/docs/en/docs/img/tutorial/security/image14.png
--- a/docs/en/docs/img/tutorial/security/image15.png
+++ b/docs/en/docs/img/tutorial/security/image15.png
--- a/docs/en/docs/tutorial/security/oidc-jwt.md
+++ b/docs/en/docs/tutorial/security/oidc-jwt.md
@ -0,0 +1,115 @@
 # OpenID Connect (OIDC) with JWT Access Tokens
 For this tutorial we will be using OpenID Connect (OIDC) as an *authentication* layer that builds on top of the OAuth2 *authorization* layer. 
 We will be using the Swagger UI to serve the OpenID Connect authentication flow. The **FastAPI** (default) router will implement a OAuth2 resource server that validates the JWT access tokens and grant access to the router's endpoints.
 We will use a custom claim to grant permission to endpoints for users with specific roles which are represented as a claim in the access token (there is no standard defined what the claim name is, so it has a configurable or *custom* name). Typically, the authorization server exposes the user's group membership in a specific claim in the JWT Access Token, which defaults to 'groups' in the tutorial.
 Note that the Swagger UI mirrors the OIDC main flow of the frontend that would be used in a production environment. Therefore the OIDC security scheme, as represented in the openAPI definition, is separate from the OAuth2 scheme.
 # Configure Requirements
 First, you will need to select an OpenID provider if you do not have one already. There are ones that offer free trials or free tiers to experiment with [here](https://identitymanagementinstitute.org/identity-and-access-management-vendor-list/).
 ## Setup OpenID provder
 First, we will need to configure an Applicaton (i.e. Relying Party in OpenID-speak) in the OpenID provider. This application allows the **FastAPI** client that logs in to the OpenID Connect provider:
 !!! check "Step 1 - Create Application"
    * Create an Application of type SPA
    * Select Authorization Code, Refresh Token, Require PKCE
    * Configure sign-in redirect URIs: `http://localhost:8080/docs/oauth2-redirect`
    * Configure sign-out redirect URIs: `http://localhost:8080/docs/`
    * *Write down the client id*
 Then, we will select an authorization server to verify user identities and issue tokens for secure authentication and authorization of login requests:
 !!! check "Step 2 - Configure authorization server to return a custom claim" 
    * Select/create a custom authorization server for the abovementioned application
    * Create a custom claim with the name "`groups`".
    * Map the values to the groups of which the authenticated user is member of
    * *Write down issuer URL*
    * *Write down audience*
 Finally, we will need to create a user and a group named "`Foo`" to 
 !!! check "Step 3 - Create a user and group"
    * Create a group called "`Foo`"
    * Create a user
    * Assign the "`Foo`"` group to the user
    * Assign the application of step 1 to the user
    * *Write down user/password as you will need to authenticate with it later*
 ## Configure your **FastAPI** Application
 We assume a running pip environment with **FastAPI** installed (see [here](../../index.md#installation)). 
 This example contains a `AccessTokenValidator` that validates the JWT access tokens using the jwks url that is part of the oidc well known configuration. It requires a Python JavaScript Object Signing and Encryprion (JOSE) library, a HTTP client to fetch keysets and some cache utilities.
 !!! check "Step 4 - Install AccessTokenValidator Dependencies"
    ```console
    pip install jose cachetools types-cachetools httpx 
    ```
 You need to fill in the values in the .env file that you wrote down from the previous steps:
 !!! check "Step 5 - Configure **FastAPI** environment"
    ```
    client_id = "Client Id of Step 1 here"
    issuer = "Issuer URL of Step 2 here"
    audience = "Audience of Step 2 here"
    ```
 This was the final step of the configuration.
 # Running the **FastAPI** Application
 Finally we come to the actual **FastAPI** code:
 === "Python 3.9+"
    ```Python hl_lines="112-124 127-129 134"
    {!> ../../../docs_src/security/tutorial008_an_py39.py!}
    ```
 !!! check "some small tweaks necessary?"
    * line 118, set usePkceWithAuthorizationCodeGrant if you require PKCE authentication (configured when you set up your application)
    * line 116, add additional scopes to "openid" if your authorization requires this
 If you save this file as `main.py`, you can run the app [as normal](../../index.md#run-it), for instance:
 ```bash
 uvicorn main:app --port 8080 --reload
 ```
 (*If you do not specify the correct port defined in Step 1, the authentication flow will fail*)
 # Test the **FastAPI** Application
 When the application is running, you can then point your browser to the [Interactive API Docs](../../index.md#interactive-api-docs):
 `http://localhost:8080/docs/`
 Authenticate first in the Swagger UI using the 'Authorize' button at the top and scroll to the topmost authentication flow named **'OpenIdConnect (OAuth2, authorization_code with PKCE)'**:
 <img src="/img/tutorial/security/image13.png">
 Then press the 'Authorize' button.
 When successfully authenticated, you will see that your session is 'authorized':
 <img src="/img/tutorial/security/image14.png">
 Press the 'Close' button to close this screen.
 Then execute the /hello endpoint with your user if part of the "`Foo`" group:
 <img src="/img/tutorial/security/image15.png">
 If you see "Hi!" as a response, your user was successfully authenticated and had the "`Foo`" role in the claim as required by the /hello endpoint.
 To understand the code step by step, it will help if you step through the code using a [Debugger](../debugging.md#run-your-code-with-your-debugger).
 Good luck!
 # Appendix - References
 * OIDC Terminology: https://openid.net/specs/openid-connect-core-1_0.html#Terminology
--- a/docs/en/mkdocs.yml
+++ b/docs/en/mkdocs.yml
@ -115,6 +115,7 @@ nav:
    - tutorial/security/get-current-user.md
    - tutorial/security/simple-oauth2.md
    - tutorial/security/oauth2-jwt.md
    - tutorial/security/oidc-jwt.md
  - tutorial/middleware.md
  - tutorial/cors.md
  - tutorial/sql-databases.md
--- a/docs_src/security/tutorial008_an_py39.py
+++ b/docs_src/security/tutorial008_an_py39.py
@ -0,0 +1,136 @@
 from typing import Annotated, Any, Dict, Optional
 import httpx
 from cachetools import TTLCache
 from fastapi import Depends, FastAPI, HTTPException, Security
 from fastapi.security import (
    HTTPAuthorizationCredentials,
    HTTPBearer,
    OpenIdConnect,
    SecurityScopes,
 )
 from jose import JWTError, jwt
 from pydantic import Field
 from pydantic_settings import BaseSettings
 from starlette.requests import Request
 from starlette.status import HTTP_400_BAD_REQUEST, HTTP_403_FORBIDDEN
 class AccessTokenCredentials(HTTPAuthorizationCredentials):
    token: Dict[str, Any]
 class AccessTokenValidator(HTTPBearer):
    """Generic HTTPBearer Validator that validates JWT tokens given the JWKS provided at jwks_url."""
    def __init__(
        self,
        *,
        jwks_url: str,
        audience: str,
        issuer: str,
        expire_seconds: int = 3600,
        roles_claim: str = "groups",
        scheme_name: Optional[str] = None,
        description: Optional[str] = None,
    ):
        super().__init__(scheme_name=scheme_name, description=description)
        self.uri = jwks_url
        self.audience = audience
        self.issuer = issuer
        self.roles_claim = roles_claim
        self.keyset_cache: TTLCache[str, str] = TTLCache(16, expire_seconds)
    async def get_jwt_keyset(self) -> str:
        """Retrieves keyset when expired/not cached yet."""
        result: Optional[str] = self.keyset_cache.get(self.uri)
        if result is None:
            async with httpx.AsyncClient() as client:
                response = await client.get(self.uri)
                result = self.keyset_cache[self.uri] = response.text
        return result
    async def __call__(self, request: Request, security_scopes: SecurityScopes) -> AccessTokenCredentials:  # type: ignore
        """Validates the JWT Access Token. If security_scopes are given, they are validated against the roles_claim in the Access Token."""
        # 1. Unpack bearer token
        unverified_token = await super().__call__(request)
        if not unverified_token:
            raise HTTPException(HTTP_400_BAD_REQUEST, "Invalid Access Token")
        access_token = unverified_token.credentials
        try:
            # 2. Get keyset from authorization server so that we can validate the JWT Access Token
            keyset = await self.get_jwt_keyset()
            # 3. Perform validation
            verified_token = jwt.decode(
                token=access_token,
                key=keyset,
                audience=self.audience,
                issuer=self.issuer,
            )
        except JWTError:
            raise HTTPException(
                status_code=HTTP_400_BAD_REQUEST,
                detail="Unsupported authorization code",
            )
        # 4. if security scopes are present, validate them
        if security_scopes and security_scopes.scopes:
            # 4.1 the roles_claim must be present in the access token
            scopes = verified_token.get(self.roles_claim)
            if scopes is None:
                raise HTTPException(
                    status_code=HTTP_400_BAD_REQUEST, detail="Unsupported Access Token"
                )
            # 4.2 all required roles in the roles_claim must be present
            if not set(security_scopes.scopes).issubset(set(scopes)):
                raise HTTPException(
                    status_code=HTTP_403_FORBIDDEN, detail="Not Authorized"
                )
        return AccessTokenCredentials(
            scheme=self.scheme_name, credentials=access_token, token=verified_token
        )
 class Settings(BaseSettings):
    """Settings wil be read from an .env file"""
    issuer: str = Field(default=...)
    audience: str = Field(default=...)
    client_id: str = Field(default=...)
    class Config:
        env_file = ".env"
 settings = Settings()
 # Standard OIDC URLs
 oidc_url = f"{settings.issuer}/.well-known/openid-configuration"
 jwks_url = f"{settings.issuer}/v1/keys"
 openid_connect = OpenIdConnect(openIdConnectUrl=oidc_url)
 swagger_ui_init_oauth = {
    "clientId": settings.client_id,
    "scopes": ["openid"],  # fill in additional scopes when necessary
    "appName": "Test Application",
    "usePkceWithAuthorizationCodeGrant": True,
 }
 # The openid_connect security scheme is given as a dependency so that you can authenticate using the swagger UI
 app = FastAPI(
    swagger_ui_init_oauth=swagger_ui_init_oauth, dependencies=[Depends(openid_connect)]
 )
 # the tokenvalidator is used for all endpoints that need to be authorized
 oauth2 = AccessTokenValidator(
    jwks_url=jwks_url, audience=settings.audience, issuer=settings.issuer
 )
@app.get("/hello")
 async def hello(
    token: Annotated[AccessTokenCredentials, Security(oauth2, scopes=["Foo"])]
 ) -> str:
    return "Hi!"