Reusable Keycloak SDK for auth-service and microservices
Project description
Auth Guardian
auth-guardian es una libreria Python para proteger APIs con Keycloak/OIDC en FastAPI, con configuracion minima y enfoque plug-and-play.
Que resuelve
- Login OIDC sin escribir todo el flujo a mano.
- Proteccion de endpoints autenticados.
- Control por roles (
admin,support, etc.). - Helpers para validacion de tokens y extraccion de roles.
Instalacion
pip install auth-guardian
Configuracion minima
Define estas variables de entorno:
AUTH_BASE_URL=https://auth.tu-dominio.com
AUTH_REALM=tu-realm
AUTH_CLIENT_ID=tu-cliente
Tambien se aceptan alias legacy:
KEYCLOAK_BASE_URLKEYCLOAK_REALMKEYCLOAK_CLIENT_ID
Revocacion de tokens
AuthGuardian() ya trae seleccion automatica de backend de revocacion:
- Si existe
AUTH_DATABASE_URLusa base de datos (SQLAlchemy async). - Si no hay backend compartido, usa memoria local (single process).
- Sin backend compartido: autenticacion y roles funcionan normal.
- Sin backend compartido: logout elimina cookies, pero la revocacion global depende del TTL del token.
- Con Database backend: revocacion inmediata y consistente entre instancias.
Opcion Database (SQLAlchemy async)
AUTH_DATABASE_URL=postgresql+asyncpg://user:pass@host:5432/dbname
pip install "auth-guardian[database]"
Docker Compose simple con Database (PostgreSQL)
services:
app:
build: .
ports:
- "8000:8000"
environment:
AUTH_BASE_URL: "https://auth.tu-dominio.com"
AUTH_REALM: "tu-realm"
AUTH_CLIENT_ID: "tu-cliente"
AUTH_DATABASE_URL: "postgresql+asyncpg://postgres:postgres@db:5432/auth_guardian"
depends_on:
- db
db:
image: postgres:16-alpine
restart: unless-stopped
environment:
POSTGRES_DB: auth_guardian
POSTGRES_USER: postgres
POSTGRES_PASSWORD: postgres
ports:
- "5432:5432"
Uso rapido en FastAPI
from fastapi import Depends, FastAPI
from auth_guardian import AuthGuardian, create_auth_router
app = FastAPI()
auth = AuthGuardian()
app.include_router(
create_auth_router(
auth=auth,
login_redirect_url="/dashboard",
logout_redirect_url="/login",
)
)
@app.get("/health")
async def health() -> dict[str, str]:
return {"status": "ok"}
@app.get("/ejemplo/v1")
async def ejemplo_v1(user: dict = Depends(auth.get_current_user)):
return {
"mensaje": f"Hola {user.get('preferred_username')}",
"email": user.get("email"),
}
@app.get("/ejemplo/v2")
async def ejemplo_v2(user: dict = Depends(auth.require_role("admin"))):
return {"mensaje": "Acceso permitido para rol admin"}
Con esto tienes:
GET /loginGET /oidc/callbackGET /logout- Proteccion por usuario autenticado y por rol.
Casos de uso comunes
- Proteger endpoints internos de microservicios.
- Habilitar login/logout en apps FastAPI sin implementar OIDC desde cero.
- Restringir secciones administrativas por rol.
- Validar tokens manualmente en procesos asincronos o workers.
Ejemplo de validacion manual
payload = await auth.get_validator().decode_access_token(token)
print(payload.get("sub"))
Caracteristicas opcionales
Revocacion inmediata
Si defines AUTH_DATABASE_URL, auth-guardian invalida tokens al hacer logout.
Ademas, al cerrar sesion revoca el refresh token en Keycloak para cortar renovaciones.
AUTH_DATABASE_URL=postgresql+asyncpg://user:pass@host:5432/dbname
Multi-tenant (multiples realms)
from fastapi import Request
async def resolve_tenant(request: Request) -> str | None:
return request.headers.get("X-Tenant-ID")
auth = AuthGuardian(tenant_resolver=resolve_tenant)
API publica estable
AuthGuardiancreate_auth_routerextract_client_roles(payload, client_id)AuthConfigAuthTokenValidatorAuthOIDCClientKeycloakAuthErrorTokenValidationErrorKeycloakAPIError
Buenas practicas
- Usa variables de entorno por ambiente (dev/stage/prod).
- No hardcodees secretos en codigo fuente.
- Fija version en produccion (
auth-guardian==x.y.z).
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
auth_guardian-0.1.4.tar.gz
(19.6 kB
view details)
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file auth_guardian-0.1.4.tar.gz.
File metadata
- Download URL: auth_guardian-0.1.4.tar.gz
- Upload date:
- Size: 19.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.10.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
5ae9d08fb5bb86d4222e7b93f9b12063825e3c02a5dbc5e6e7dcfaa904436471
|
|
| MD5 |
7952c4ff12cc4aa283da4df23696b3e7
|
|
| BLAKE2b-256 |
4c8b711d22cfa48a751ee2e775ea1b19deead1b7f8b4570d4b5b9f784828ccda
|
File details
Details for the file auth_guardian-0.1.4-py3-none-any.whl.
File metadata
- Download URL: auth_guardian-0.1.4-py3-none-any.whl
- Upload date:
- Size: 17.9 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.10.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
ae9fdc1dc2d54dab01d6d05f5f152b53e17080a87861a7b5b88c5f427b0da2aa
|
|
| MD5 |
5c68849314a1a811df99d2640d53916c
|
|
| BLAKE2b-256 |
fb4b48e899537f6fb270c39957c4d29b9d84d039dc83394779348fc934df9b9f
|
