By Syed Rizwan

setting-up-secure-api-endpoints-in-a-fastapi-application-with-oauth2.html

Setting Up Secure API Endpoints in a FastAPI Application with OAuth2

In today's digital landscape, building secure applications is paramount. FastAPI, a high-performance web framework for building APIs with Python 3.6+ based on standard Python type hints, seamlessly integrates with OAuth2 for secure authentication. In this article, we’ll explore how to set up secure API endpoints in a FastAPI application using OAuth2, providing you with a comprehensive guide filled with code examples, step-by-step instructions, and actionable insights.

What is FastAPI?

FastAPI is an asynchronous web framework designed for building APIs quickly and efficiently. It boasts several key features:

  • Fast: Asynchronous capabilities make it one of the fastest frameworks available.
  • Easy to Use: Its intuitive design and automatic generation of interactive API documentation (Swagger UI) simplify the development process.
  • Built-in Validation: Leveraging Python type hints, FastAPI automatically validates request and response data.

Understanding OAuth2

OAuth2 is an authorization framework that enables third-party applications to obtain limited access to user accounts on an HTTP service. It is widely used for securing APIs and is supported by major platforms like Google, Facebook, and Twitter.

Use Cases for OAuth2 in FastAPI

  • Third-party integrations: Allowing users to authenticate using their existing accounts.
  • Microservices: Implementing secure communication between multiple services.
  • Mobile Applications: Enabling secure access to backend services.

Setting Up FastAPI with OAuth2

Now, let's walk through the steps to set up secure API endpoints in a FastAPI application using OAuth2.

Step 1: Install FastAPI and Uvicorn

To start, you need to install FastAPI and Uvicorn, an ASGI server that will run your application. Use the following command:

pip install fastapi uvicorn python-jose[cryptography] passlib[bcrypt]
  • python-jose: A library for creating and verifying JSON Web Tokens (JWT).
  • passlib: A password hashing library that will help securely manage user credentials.

Step 2: Create a Basic FastAPI Application

Create a new file named main.py and set up a basic FastAPI application.

from fastapi import FastAPI

app = FastAPI()

@app.get("/")
async def read_root():
    return {"Hello": "World"}

Run your application with Uvicorn:

uvicorn main:app --reload

Step 3: Implement OAuth2 with Password Flow

To secure your API, you can implement the OAuth2 password flow. This flow allows users to log in and obtain a token that can be used for subsequent requests.

Define the User Model

Create a user model to represent your users:

from pydantic import BaseModel

class User(BaseModel):
    username: str
    email: str
    full_name: str
    disabled: bool = None

Create a Token Model

Define a model for the token response:

class Token(BaseModel):
    access_token: str
    token_type: str

Set Up OAuth2 Scheme

Use FastAPI’s OAuth2PasswordBearer to handle the OAuth2 password flow:

from fastapi.security import OAuth2PasswordBearer

oauth2_scheme = OAuth2PasswordBearer(tokenUrl="token")

Create a Fake Database and User Authentication

For demonstration, we'll use a simple in-memory store for users:

fake_users_db = {
    "johndoe": {
        "username": "johndoe",
        "full_name": "John Doe",
        "email": "johndoe@example.com",
        "hashed_password": "$2b$12$eQ0F..",  # Example hash
        "disabled": False,
    }
}

def fake_hash_password(password: str):
    return "fakehashed" + password

Create Login Endpoint

Next, implement the endpoint for user login:

from fastapi import Depends, HTTPException, status
from fastapi.security import OAuth2PasswordRequestForm

@app.post("/token", response_model=Token)
async def login(form_data: OAuth2PasswordRequestForm = Depends()):
    user = fake_users_db.get(form_data.username)

    if not user or not fake_hash_password(form_data.password) == user['hashed_password']:
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Incorrect username or password",
            headers={"WWW-Authenticate": "Bearer"},
        )

    return {"access_token": user['username'], "token_type": "bearer"}

Step 4: Create Secure Endpoint

Now, let’s create a secure endpoint that requires a valid token:

@app.get("/users/me", response_model=User)
async def read_users_me(token: str = Depends(oauth2_scheme)):
    user = fake_users_db.get(token)
    if user is None:
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail="Invalid authentication credentials",
            headers={"WWW-Authenticate": "Bearer"},
        )
    return user

Step 5: Testing the API

  1. Start your FastAPI application.
  2. Obtain a token by sending a POST request to /token with your username and password.
  3. Access the protected endpoint /users/me by including the token in the Authorization header:
Authorization: Bearer <your_access_token>

Troubleshooting Common Issues

  • Invalid Credentials: Ensure the username and password are correct and hashed properly.
  • Token Expiry: In a production application, implement token expiry and refresh mechanisms.

Conclusion

Setting up secure API endpoints in a FastAPI application using OAuth2 is a straightforward process that enhances the security of your application. By implementing OAuth2, you can protect user data and ensure that only authorized users can access sensitive resources.

As you continue to build your FastAPI applications, remember to follow best practices for security, such as using HTTPS, validating input data, and regularly updating dependencies. With FastAPI’s speed and efficiency combined with OAuth2’s robust authentication framework, you can create secure and scalable APIs that will stand the test of time. Happy coding!

SR
Syed
Rizwan

About the Author

Syed Rizwan is a Machine Learning Engineer with 5 years of experience in AI, IoT, and Industrial Automation.