Reusable Keycloak SDK for auth-service and microservices
Project description
Auth Guardian
auth-guardian es una libreria Python para proteger APIs con Keycloak/OIDC en FastAPI, con configuracion minima y enfoque plug-and-play.
Que resuelve
- Login OIDC sin escribir todo el flujo a mano.
- Proteccion de endpoints autenticados.
- Control por roles (
admin,support, etc.). - Helpers para validacion de tokens y extraccion de roles.
Instalacion
pip install auth-guardian
Opcional (revocacion con Redis):
pip install "auth-guardian[redis]"
Configuracion minima
Define estas variables de entorno:
AUTH_BASE_URL=https://auth.tu-dominio.com
AUTH_REALM=tu-realm
AUTH_CLIENT_ID=tu-cliente
Tambien se aceptan alias legacy:
KEYCLOAK_BASE_URLKEYCLOAK_REALMKEYCLOAK_CLIENT_ID
Revocacion de tokens (sin forzar Redis)
AuthGuardian() ya trae seleccion automatica de backend de revocacion:
- Si existe
AUTH_REDIS_URLusa Redis. - Si existe
AUTH_DATABASE_URLusa base de datos (SQLAlchemy async). - Si no hay backend compartido, usa memoria local (single process).
Redis NO es obligatorio para usar la libreria.
- Sin backend compartido: autenticacion y roles funcionan normal.
- Sin backend compartido: logout elimina cookies, pero la revocacion global depende del TTL del token.
- Con Redis o Database backend: revocacion inmediata y consistente entre instancias.
Opcion Redis
AUTH_REDIS_URL=redis://redis:6379
pip install "auth-guardian[redis]"
Opcion Database (SQLAlchemy async)
AUTH_DATABASE_URL=postgresql+asyncpg://user:pass@host:5432/dbname
pip install "auth-guardian[database]"
Docker Compose simple con Redis
services:
app:
build: .
ports:
- "8000:8000"
environment:
AUTH_BASE_URL: "https://auth.tu-dominio.com"
AUTH_REALM: "tu-realm"
AUTH_CLIENT_ID: "tu-cliente"
AUTH_REDIS_URL: "redis://redis:6379"
depends_on:
- redis
redis:
image: redis:7-alpine
restart: unless-stopped
ports:
- "6379:6379"
Uso rapido en FastAPI
from fastapi import Depends, FastAPI
from auth_guardian import AuthGuardian, create_auth_router
app = FastAPI()
auth = AuthGuardian()
app.include_router(
create_auth_router(
auth=auth,
login_redirect_url="/dashboard",
logout_redirect_url="/login",
)
)
@app.get("/health")
async def health() -> dict[str, str]:
return {"status": "ok"}
@app.get("/ejemplo/v1")
async def ejemplo_v1(user: dict = Depends(auth.get_current_user)):
return {
"mensaje": f"Hola {user.get('preferred_username')}",
"email": user.get("email"),
}
@app.get("/ejemplo/v2")
async def ejemplo_v2(user: dict = Depends(auth.require_role("admin"))):
return {"mensaje": "Acceso permitido para rol admin"}
Con esto tienes:
GET /loginGET /oidc/callbackGET /logout- Proteccion por usuario autenticado y por rol.
Casos de uso comunes
- Proteger endpoints internos de microservicios.
- Habilitar login/logout en apps FastAPI sin implementar OIDC desde cero.
- Restringir secciones administrativas por rol.
- Validar tokens manualmente en procesos asincronos o workers.
Ejemplo de validacion manual
payload = await auth.get_validator().decode_access_token(token)
print(payload.get("sub"))
Caracteristicas opcionales
Revocacion inmediata (Redis)
Si defines AUTH_REDIS_URL o AUTH_DATABASE_URL, auth-guardian invalida tokens al hacer logout.
Ademas, al cerrar sesion revoca el refresh token en Keycloak para cortar renovaciones.
AUTH_REDIS_URL=redis://localhost:6379
Multi-tenant (multiples realms)
from fastapi import Request
async def resolve_tenant(request: Request) -> str | None:
return request.headers.get("X-Tenant-ID")
auth = AuthGuardian(tenant_resolver=resolve_tenant)
API publica estable
AuthGuardiancreate_auth_routerextract_client_roles(payload, client_id)AuthConfigAuthTokenValidatorAuthOIDCClientKeycloakAuthErrorTokenValidationErrorKeycloakAPIError
Buenas practicas
- Usa variables de entorno por ambiente (dev/stage/prod).
- No hardcodees secretos en codigo fuente.
- Fija version en produccion (
auth-guardian==x.y.z).
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
auth_guardian-0.1.3.tar.gz
(20.2 kB
view details)
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file auth_guardian-0.1.3.tar.gz.
File metadata
- Download URL: auth_guardian-0.1.3.tar.gz
- Upload date:
- Size: 20.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.10.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
3fffce71c09277e7e9f260236bf0459ab2dec89fb07471d903c3c4c9d61caa0f
|
|
| MD5 |
eb680c772e3eba41141eb6dc45260b7a
|
|
| BLAKE2b-256 |
0944cc52fe3a67e79a270748a094703d5769e6417ed97635c961a278fc50bdc5
|
File details
Details for the file auth_guardian-0.1.3-py3-none-any.whl.
File metadata
- Download URL: auth_guardian-0.1.3-py3-none-any.whl
- Upload date:
- Size: 18.4 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.10.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
46b437ff02714fd78fa4d31745bc1d0a9d36eb14220ea86b473cbbc62ba7c842
|
|
| MD5 |
f9a0e1a63149d07322603f4d586fad14
|
|
| BLAKE2b-256 |
afbd8b38d60d288e1eac59b06f3b1a6983736949caeb84afd515d5c7101e7e60
|
