Reusable Keycloak SDK for auth-service and microservices
Project description
Auth Guardian
auth-guardian es una libreria Python para proteger APIs con Keycloak/OIDC en FastAPI, con configuracion minima y enfoque plug-and-play.
Que resuelve
- Login OIDC sin escribir todo el flujo a mano.
- Proteccion de endpoints autenticados.
- Control por roles (
admin,support, etc.). - Helpers para validacion de tokens y extraccion de roles.
Instalacion
pip install auth-guardian
Configuracion minima
Define estas variables de entorno:
AUTH_BASE_URL=https://auth.tu-dominio.com
AUTH_REALM=tu-realm
AUTH_CLIENT_ID=tu-cliente
Tambien se aceptan alias legacy:
KEYCLOAK_BASE_URLKEYCLOAK_REALMKEYCLOAK_CLIENT_ID
Revocación de tokens
| Escenario | Comportamiento |
|---|---|
| Single instance (default) | Revocación inmediata en memoria local |
| Multi-instancia | Token válido hasta expirar en otras instancias |
Con RevocationBackend propio |
Revocación inmediata global |
Al hacer logout, siempre ocurre:
refresh_tokenrevocado en Keycloak (no puede renovarse)- Cookies borradas del navegador
access_tokenen blacklist local hasta expirar
Para multi-instancia, implementa RevocationBackend con tu stack:
from auth_guardian import AuthGuardian, RevocationBackend
class SharedCacheRevocationBackend(RevocationBackend):
async def revoke(self, jti: str, ttl: int) -> None: ...
async def is_revoked(self, jti: str) -> bool: ...
auth = AuthGuardian(revocation_backend=SharedCacheRevocationBackend())
Uso rapido en FastAPI
from fastapi import Depends, FastAPI
from auth_guardian import AuthGuardian, create_auth_router
app = FastAPI()
auth = AuthGuardian()
app.include_router(
create_auth_router(
auth=auth,
login_redirect_url="/dashboard",
logout_redirect_url="/login",
)
)
@app.get("/health")
async def health() -> dict[str, str]:
return {"status": "ok"}
@app.get("/ejemplo/v1")
async def ejemplo_v1(user: dict = Depends(auth.get_current_user)):
return {
"mensaje": f"Hola {user.get('preferred_username')}",
"email": user.get("email"),
}
@app.get("/ejemplo/v2")
async def ejemplo_v2(user: dict = Depends(auth.require_role("admin"))):
return {"mensaje": "Acceso permitido para rol admin"}
Con esto tienes:
GET /loginGET /oidc/callbackGET /logout- Proteccion por usuario autenticado y por rol.
Casos de uso comunes
- Proteger endpoints internos de microservicios.
- Habilitar login/logout en apps FastAPI sin implementar OIDC desde cero.
- Restringir secciones administrativas por rol.
- Validar tokens manualmente en procesos asincronos o workers.
Ejemplo de validacion manual
payload = await auth.get_validator().decode_access_token(token)
print(payload.get("sub"))
Caracteristicas opcionales
Multi-tenant (multiples realms)
from fastapi import Request
async def resolve_tenant(request: Request) -> str | None:
return request.headers.get("X-Tenant-ID")
auth = AuthGuardian(tenant_resolver=resolve_tenant)
API publica estable
AuthGuardiancreate_auth_routerextract_client_roles(payload, client_id)AuthConfigAuthTokenValidatorAuthOIDCClientKeycloakAuthErrorTokenValidationErrorKeycloakAPIError
Buenas practicas
- Usa variables de entorno por ambiente (dev/stage/prod).
- No hardcodees secretos en codigo fuente.
- Fija version en produccion (
auth-guardian==x.y.z).
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
auth_guardian-0.1.8.tar.gz
(20.6 kB
view details)
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file auth_guardian-0.1.8.tar.gz.
File metadata
- Download URL: auth_guardian-0.1.8.tar.gz
- Upload date:
- Size: 20.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.10.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
a6d224ee9fb698eb61481ea48b33700bc816d56454cd716161f78f099d4951a3
|
|
| MD5 |
edeaaf3245c64bd77153151d238ba278
|
|
| BLAKE2b-256 |
5e5ac599d6988cf57ef1cc57841166ac3e70f15a11a909493eca8ae7b1e87203
|
File details
Details for the file auth_guardian-0.1.8-py3-none-any.whl.
File metadata
- Download URL: auth_guardian-0.1.8-py3-none-any.whl
- Upload date:
- Size: 20.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.10.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
0513e579f7d0f19f72fed17d58f4a90405ba6dd64ee9843260d201e4a55ae2d6
|
|
| MD5 |
880a95b81417e2b707d44b863a673695
|
|
| BLAKE2b-256 |
835ed8a4d0955f499d556dd96aed59722a8d32484234d55789f5b89425d0f1dc
|
