By Syed Rizwan

creating-a-secure-api-with-fastapi-and-oauth-20-authentication.html

Creating a Secure API with FastAPI and OAuth 2.0 Authentication

In the era of digital transformation, APIs (Application Programming Interfaces) are crucial for enabling seamless interactions between different software applications. With security being a top priority, it’s vital to implement robust authentication mechanisms when developing APIs. FastAPI, a modern web framework for building APIs with Python, combined with OAuth 2.0, provides a powerful solution for creating secure APIs. In this article, we'll explore the process of building a secure API using FastAPI and OAuth 2.0 authentication, complete with practical code examples and step-by-step instructions.

What is FastAPI?

FastAPI is a high-performance web framework for building APIs with Python 3.7+ based on standard Python type hints. It is designed to be easy to use, and it allows for automatic generation of OpenAPI documentation. FastAPI is particularly well-suited for developing APIs that require high performance and security.

Key Features of FastAPI:

  • Speed: Very high performance, on par with Node.js and Go.
  • Automatic Documentation: Generates interactive API documentation using Swagger UI and ReDoc.
  • Type Safety: Leverages Python type hints for data validation and serialization.
  • Asynchronous Support: Compatible with asynchronous programming, enabling high concurrency.

What is OAuth 2.0?

OAuth 2.0 is an industry-standard protocol for authorization, allowing third-party services to exchange information without exposing user credentials. It enables applications to obtain limited access to user accounts on an HTTP service, such as Facebook or Google. OAuth 2.0 simplifies the process of granting access while ensuring that the user's credentials are kept secure.

Use Cases for OAuth 2.0:

  • Third-party API Access: Allowing applications to access user data from services like Google or Facebook.
  • Mobile Applications: Enabling secure authentication for mobile apps that interact with web services.
  • Microservices: Protecting APIs in a microservices architecture by providing centralized authentication.

Building a Secure API with FastAPI and OAuth 2.0

Prerequisites

Before we begin, ensure you have the following installed:

  • Python 3.7 or higher
  • FastAPI
  • Uvicorn (for serving the API)
  • A library for OAuth 2.0 (e.g., python-jose for JWT tokens)

You can install the necessary packages using pip:

pip install fastapi uvicorn python-jose[cryptography] passlib[bcrypt]

Step 1: Setting Up the FastAPI Application

First, let’s create a basic FastAPI application structure. Create a new directory for your project and create a file named main.py.

# main.py
from fastapi import FastAPI

app = FastAPI()

@app.get("/")
def read_root():
    return {"message": "Welcome to the secure API!"}

To run this application, execute the following command in your terminal:

uvicorn main:app --reload

Step 2: Implementing OAuth 2.0

Now let’s enhance our API with OAuth 2.0 authentication. We will use JSON Web Tokens (JWT) for this purpose.

2.1 Creating User Authentication

Add user authentication and token generation to your application. For simplicity, we will use a hardcoded user. In a real-world scenario, you would typically authenticate against a database.

from fastapi import Depends, HTTPException, status
from fastapi.security import OAuth2PasswordBearer, OAuth2PasswordRequestForm
from pydantic import BaseModel
from datetime import datetime, timedelta
from jose import JWTError, jwt

# Secret key to encode JWT tokens. In production, use an environment variable.
SECRET_KEY = "your_secret_key"
ALGORITHM = "HS256"
ACCESS_TOKEN_EXPIRE_MINUTES = 30

oauth2_scheme = OAuth2PasswordBearer(tokenUrl="token")

# Dummy user for demonstration
fake_users_db = {
    "johndoe": {
        "username": "johndoe",
        "full_name": "John Doe",
        "email": "johndoe@example.com",
        "hashed_password": "fakehashedpassword",
        "disabled": False,
    }
}

class User(BaseModel):
    username: str
    email: str | None = None
    full_name: str | None = None
    disabled: bool | None = None

class UserInDB(User):
    hashed_password: str

def verify_password(plain_password, hashed_password):
    return plain_password == hashed_password  # Replace with a proper hashing check

def get_user(db, username: str):
    if username in db:
        user_dict = db[username]
        return UserInDB(**user_dict)

def create_access_token(data: dict, expires_delta: timedelta | None = None):
    to_encode = data.copy()
    if expires_delta:
        expire = datetime.utcnow() + expires_delta
    else:
        expire = datetime.utcnow() + timedelta(minutes=15)
    to_encode.update({"exp": expire})
    encoded_jwt = jwt.encode(to_encode, SECRET_KEY, algorithm=ALGORITHM)
    return encoded_jwt

@app.post("/token")
async def login(form_data: OAuth2PasswordRequestForm = Depends()):
    user = get_user(fake_users_db, form_data.username)
    if not user or not verify_password(form_data.password, user.hashed_password):
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Incorrect username or password",
            headers={"WWW-Authenticate": "Bearer"},
        )
    access_token_expires = timedelta(minutes=ACCESS_TOKEN_EXPIRE_MINUTES)
    access_token = create_access_token(data={"sub": user.username}, expires_delta=access_token_expires)
    return {"access_token": access_token, "token_type": "bearer"}

Step 3: Protecting Your Endpoints

Now that we can create tokens, let’s protect our endpoints. Use the Depends function from FastAPI to require authentication for specific routes.

@app.get("/users/me", response_model=User)
async def read_users_me(token: str = Depends(oauth2_scheme)):
    credentials_exception = HTTPException(
        status_code=status.HTTP_401_UNAUTHORIZED,
        detail="Could not validate credentials",
        headers={"WWW-Authenticate": "Bearer"},
    )
    try:
        payload = jwt.decode(token, SECRET_KEY, algorithms=[ALGORITHM])
        username: str = payload.get("sub")
        if username is None:
            raise credentials_exception
        token_data = User(username=username)
    except JWTError:
        raise credentials_exception
    user = get_user(fake_users_db, username=token_data.username)
    if user is None:
        raise credentials_exception
    return user

Step 4: Testing Your API

You can test your API using tools like Postman or curl.

  1. Obtain a Token:

  2. Send a POST request to /token with the username and password to retrieve the JWT token.

  3. Access Protected Endpoint:

  4. Use the token to access the /users/me endpoint by adding an Authorization header.
Authorization: Bearer your_jwt_token

Conclusion

Creating a secure API using FastAPI and OAuth 2.0 authentication is straightforward and effective. FastAPI’s features, combined with the robust security offered by OAuth 2.0, give you the tools necessary to build reliable and secure APIs. The code snippets provided in this article serve as a foundation for further customization and enhancement, allowing you to tailor your API to meet specific requirements. As you continue to develop your API, consider implementing additional security measures, such as HTTPS and rate limiting, to further protect your application. Happy coding!

SR
Syed
Rizwan

About the Author

Syed Rizwan is a Machine Learning Engineer with 5 years of experience in AI, IoT, and Industrial Automation.