Implementing role-based authentication and authorization in FastAPI using OAuth2 takes your API security to the next level. It’s like setting up a bouncer at the club entrance—only those with the right credentials can get in. FastAPI makes it surprisingly straightforward to put this whole security theater into action.
Wrapping Your Head Around OAuth2
OAuth2 is the talk of the town when it comes to securing APIs. A popular authorization framework, it allows clients to get resources on behalf of users. In the FastAPI ecosystem, OAuth2 is your go-to for verifying users and giving them access according to their roles. The OAuth2 password flow is especially handy for web and mobile apps as it swaps a username and password for an access token.
Getting Started: Setting Up OAuth2 in FastAPI
First off, you need to lay the groundwork for the OAuth2 scheme in your FastAPI application. This means defining the OAuth2PasswordBearer class to inform FastAPI that you’re using a bearer token for security.
from fastapi import FastAPI, Depends, HTTPException, status
from fastapi.security import OAuth2PasswordBearer, OAuth2PasswordRequestForm
app = FastAPI()
oauth2_scheme = OAuth2PasswordBearer(tokenUrl="token")
This snippet sets up oauth2_scheme with tokenUrl="token". Clients will hit this endpoint with their credentials to get an access token.
Nailing User Authentication
User authentication is your next big move. You’ll need functions to fetch user details and authenticate them based on the stored data.
from pydantic import BaseModel
class User(BaseModel):
username: str
email: str | None = None
full_name: str | None = None
disabled: bool | None = None
class UserInDB(User):
hashed_password: str
def get_user(db, username: str):
if username in db:
user_dict = db[username]
return UserInDB(**user_dict)
return None
def authenticate_user(fake_db, username: str, password: str):
user = get_user(fake_db, username)
if not user or not verify_password(password, user.hashed_password):
return False
return user
Here, get_user grabs a user from the database, while authenticate_user checks if the provided password matches the hashed one in the database.
Role-Based Access Control (RBAC) Magic
With RBAC, you define user roles and compare them with the required permissions for each endpoint. A RoleChecker class makes this effortless.
from typing import Annotated
class RoleChecker:
def __init__(self, allowed_roles):
self.allowed_roles = allowed_roles
def __call__(self, user: Annotated[User, Depends(get_current_active_user)]):
if user.role in self.allowed_roles:
return True
raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="You don't have enough permissions")
The RoleChecker takes a list of allowed roles and verifies if the user’s role is in that list. If it’s not, it throws an HTTP exception.
Crafting Tokens and Validating Them
Once a user is authenticated, you’ll generate an access token that includes their role. This token will be validated on every request to ensure the user has the proper permissions.
from fastapi.security import OAuth2PasswordBearer
from fastapi import Depends, HTTPException, status
from jwt import encode, decode, ExpiredSignatureError, InvalidTokenError
SECRET_KEY = "your_secret_key_here"
ALGORITHM = "HS256"
async def get_current_user(token: str = Depends(oauth2_scheme)):
credentials_exception = HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Could not validate credentials")
try:
payload = decode(token, SECRET_KEY, algorithms=[ALGORITHM])
username: str = payload.get("sub")
role: str = payload.get("role")
if username is None or role is None:
raise credentials_exception
except (ExpiredSignatureError, InvalidTokenError):
raise credentials_exception
user = get_user(fake_users_db, username=username)
if user is None:
raise credentials_exception
return user
async def get_current_active_user(current_user: User = Depends(get_current_user)):
if current_user.disabled:
raise HTTPException(status_code=400, detail="Inactive user")
return current_user
This setup ensures that only authenticated, active users can access protected routes.
Putting RBAC to Work
Now it’s time to make RBAC work on your endpoints using the RoleChecker class.
from fastapi import APIRouter
router = APIRouter()
admin_role_checker = RoleChecker(["admin"])
user_role_checker = RoleChecker(["user", "admin"])
@router.get("/admin-only", dependencies=[Depends(admin_role_checker)])
async def admin_only(current_user: User = Depends(get_current_active_user)):
return {"message": "Hello, Admin!"}
@router.get("/user-only", dependencies=[Depends(user_role_checker)])
async def user_only(current_user: User = Depends(get_current_active_user)):
return {"message": "Hello, User!"}
In this example, the /admin-only route is for users with the “admin” role. The /user-only route can be accessed by anyone with either “user” or “admin” roles.
Wrapping It Up
Implementing role-based authentication and authorization in FastAPI using OAuth2 is a powerful way to protect your API. By following these steps, you can ensure your resources are secure and only accessible to authorized users. Using OAuth2 for authentication and the RoleChecker class for role-based access control gives you a solid security framework that’s both effective and easy to manage. Better security means fewer headaches down the line, and who wouldn’t want that?
By orchestrating OAuth2 and FastAPI’s built-in tools, your API can smoothly control who gets in and what they can do. It’s like having a finely tuned guest list for your API party.
