By Syed Rizwan

5-building-a-restful-api-with-fastapi-and-oauth2-authentication.html

Building a RESTful API with FastAPI and OAuth2 Authentication

Creating a RESTful API is essential in today’s software landscape, especially for applications that require user authentication and authorization. FastAPI is a modern web framework for building APIs with Python that is fast, easy to use, and supports asynchronous programming. In this article, we will walk through the process of building a RESTful API using FastAPI while implementing OAuth2 authentication.

What is FastAPI?

FastAPI is a high-performance web framework for building APIs with Python 3.6+ based on standard Python type hints. It is designed to create RESTful APIs quickly and efficiently while ensuring high performance. FastAPI automatically generates OpenAPI documentation, which is a huge advantage for developers.

Key Features of FastAPI

  • Fast: Built on Starlette for the web parts and Pydantic for the data parts, FastAPI is one of the fastest frameworks.
  • Automatic Documentation: It generates interactive API documentation using Swagger UI and ReDoc.
  • Type Safety: Python type hints allow for better code validation during development.
  • Asynchronous Support: FastAPI supports asynchronous programming out of the box.

Understanding OAuth2 Authentication

OAuth2 is an authorization framework that allows third-party applications to obtain limited access to user accounts on an HTTP service. It is widely adopted for securing APIs. When you integrate OAuth2 with your FastAPI application, you can provide secure access to your API endpoints.

Key Components of OAuth2

  • Authorization Code: Obtains an access token using a user’s credentials.
  • Client ID and Client Secret: Identifies the application requesting access.
  • Access Token: A token that grants access to protected resources.

Use Cases for FastAPI and OAuth2

  • Microservices Architecture: FastAPI is ideal for microservices that require quick interaction between services.
  • Mobile Applications: APIs secured with OAuth2 can serve mobile applications that need to access user data securely.
  • Internal Tools: Build internal dashboards and tools that require user authentication.

Step-by-Step Guide to Building a RESTful API with FastAPI and OAuth2

Step 1: Setting Up Your Environment

First, ensure you have Python and pip installed. Then, create a new directory for your project and set up a virtual environment:

mkdir fastapi-oauth2
cd fastapi-oauth2
python -m venv venv
source venv/bin/activate  # On Windows use `venv\Scripts\activate`

Next, install FastAPI and an ASGI server, such as uvicorn:

pip install fastapi uvicorn python-multipart

Step 2: Setting Up the FastAPI Application

Create a new Python file named main.py, and start coding your FastAPI application:

from fastapi import FastAPI, Depends, HTTPException, status
from fastapi.security import OAuth2PasswordBearer, OAuth2PasswordRequestForm
from pydantic import BaseModel

app = FastAPI()

oauth2_scheme = OAuth2PasswordBearer(tokenUrl="token")

Step 3: Defining User Model and Fake Database

For demonstration purposes, we’ll create a simple user model and a fake database:

class User(BaseModel):
    username: str
    email: str

# Fake database
fake_users_db = {
    "johndoe": {
        "username": "johndoe",
        "full_name": "John Doe",
        "email": "johndoe@example.com",
        "hashed_password": "fakehashedsecret",
        "disabled": False,
    }
}

Step 4: Creating OAuth2 Token Endpoint

Next, we’ll create an endpoint for generating access tokens using the OAuth2PasswordRequestForm:

@app.post("/token")
async def login(form_data: OAuth2PasswordRequestForm = Depends()):
    user = fake_users_db.get(form_data.username)
    if not user or not form_data.password == "secret":
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Incorrect username or password",
            headers={"WWW-Authenticate": "Bearer"},
        )
    return {"access_token": user["username"], "token_type": "bearer"}

Step 5: Protecting Your API Endpoints

Now, let’s create a protected route that requires an access token:

@app.get("/users/me", response_model=User)
async def read_users_me(token: str = Depends(oauth2_scheme)):
    user = fake_users_db.get(token)
    if user is None:
        raise HTTPException(status_code=404, detail="User not found")
    return user

Step 6: Running the Application

You can run your FastAPI application using the following command:

uvicorn main:app --reload

Visit http://127.0.0.1:8000/docs to access the automatically generated API documentation and try out the endpoints.

Step 7: Testing Your API

  1. Get the Token: Use the /token endpoint with curl or Postman to retrieve an access token.

Example request: bash curl -X POST "http://127.0.0.1:8000/token" -H "Content-Type: application/x-www-form-urlencoded" -d "username=johndoe&password=secret"

  1. Access Protected Route: Use the access token to call the /users/me endpoint.

Example request: bash curl -X GET "http://127.0.0.1:8000/users/me" -H "Authorization: Bearer <access_token>"

Conclusion

Building a RESTful API with FastAPI and OAuth2 authentication is a powerful approach to securing access to your applications. FastAPI's efficiency and ease of use, combined with the robust security model of OAuth2, make it an ideal choice for developers looking to create modern web APIs. By following the steps outlined in this guide, you can create a secure and scalable API that meets the needs of your applications.

Get started today, and leverage the power of FastAPI to build your next project!

SR
Syed
Rizwan

About the Author

Syed Rizwan is a Machine Learning Engineer with 5 years of experience in AI, IoT, and Industrial Automation.