OAuth2/OIDC authentication and authorization for FastAPI APIs
Verified details
These details have been verified by PyPIProject links
GitHub Statistics
Maintainers
Project description
axioms-fastapi
OAuth2/OIDC authentication and authorization for FastAPI APIs. Supports authentication and claim-based fine-grained authorization (scopes, roles, permissions) using JWT tokens.
Works with access tokens issued by various authorization servers including AWS Cognito, Auth0, Okta, Microsoft Entra, etc.
Features
- JWT token validation with automatic public key retrieval from JWKS endpoints
- Algorithm validation to prevent algorithm confusion attacks (only secure asymmetric algorithms allowed)
- Issuer validation (
issclaim) to prevent token substitution attacks - FastAPI dependency injection for authentication and authorization
- Flexible configuration with support for custom JWKS and issuer URLs
- Support for custom claim and/or namespaced claims names to support different authorization servers
- Async-ready and production-tested
Installation
pip install axioms-fastapi
Quick Start
1. Configure your FastAPI application
from fastapi import FastAPI, Depends
from axioms_fastapi import init_axioms, require_auth, require_scopes
app = FastAPI()
# Initialize Axioms with your configuration
init_axioms(
app,
AXIOMS_AUDIENCE="your-api-audience",
AXIOMS_DOMAIN="your-auth.domain.com"
)
2. Protect your routes
from axioms_fastapi import require_auth, require_permissions
@app.get("/api/protected")
async def protected_route(payload=Depends(require_auth)):
"""Route protected by JWT authentication."""
user_id = payload.sub
return {"user_id": user_id, "message": "Authenticated"}
@app.get("/api/admin")
async def admin_route(
payload=Depends(require_auth),
_=Depends(require_permissions(["admin:write"]))
):
"""Route requiring admin:write permission."""
return {"message": "Admin access granted"}
Configuration
The SDK supports the following configuration options:
AXIOMS_AUDIENCE(required): Your resource identifier or API audienceAXIOMS_DOMAIN(optional): Your auth domain - constructs issuer and JWKS URLsAXIOMS_ISS_URL(optional): Full issuer URL for validating theissclaim (recommended for security)AXIOMS_JWKS_URL(optional): Full URL to your JWKS endpoint
Configuration Hierarchy:
AXIOMS_DOMAIN→ constructs →AXIOMS_ISS_URL(if not explicitly set)AXIOMS_ISS_URL→ constructs →AXIOMS_JWKS_URL(if not explicitly set)
Environment Variables
Create a .env file:
AXIOMS_AUDIENCE=your-api-audience
AXIOMS_DOMAIN=your-auth.domain.com
# OR for custom configurations:
# AXIOMS_ISS_URL=https://your-auth.domain.com/oauth2
# AXIOMS_JWKS_URL=https://your-auth.domain.com/.well-known/jwks.json
Usage Examples
Basic Authentication
from fastapi import FastAPI, Depends
from axioms_fastapi import init_axioms, require_auth
app = FastAPI()
init_axioms(app, AXIOMS_AUDIENCE="api.example.com", AXIOMS_DOMAIN="auth.example.com")
@app.get("/profile")
async def get_profile(payload=Depends(require_auth)):
return {
"user_id": payload.sub,
"email": payload.get("email"),
"name": payload.get("name")
}
Scope-Based Authorization (OR Logic)
from axioms_fastapi import require_auth, require_scopes
@app.get("/api/resource")
async def resource_route(
payload=Depends(require_auth),
_=Depends(require_scopes(["read:resource", "write:resource"]))
):
# User needs EITHER 'read:resource' OR 'write:resource' scope
return {"data": "success"}
Role-Based Authorization
from axioms_fastapi import require_auth, require_roles
@app.get("/admin/users")
async def admin_route(
payload=Depends(require_auth),
_=Depends(require_roles(["admin", "superuser"]))
):
# User needs EITHER 'admin' OR 'superuser' role
return {"users": []}
Permission-Based Authorization
from axioms_fastapi import require_auth, require_permissions
@app.post("/api/resource")
async def create_resource(
payload=Depends(require_auth),
_=Depends(require_permissions(["resource:create"]))
):
return {"message": "Resource created"}
AND Logic (Chaining Dependencies)
@app.get("/api/strict")
async def strict_route(
payload=Depends(require_auth),
_=Depends(require_scopes(["read:resource"])),
__=Depends(require_scopes(["write:resource"]))
):
# User needs BOTH 'read:resource' AND 'write:resource' scopes
return {"data": "requires both scopes"}
Mixed Authorization
@app.get("/api/advanced")
async def advanced_route(
payload=Depends(require_auth),
_=Depends(require_scopes(["openid", "profile"])), # openid OR profile
__=Depends(require_roles(["editor"])), # AND editor role
___=Depends(require_permissions(["resource:read", "resource:write"])) # AND read OR write
):
# User needs: (openid OR profile) AND (editor) AND (read OR write)
return {"data": "complex authorization"}
Custom Claim Names
Support for different authorization servers with custom claim names:
init_axioms(
app,
AXIOMS_AUDIENCE="api.example.com",
AXIOMS_DOMAIN="auth.example.com",
AXIOMS_ROLES_CLAIMS=["cognito:groups", "roles"],
AXIOMS_PERMISSIONS_CLAIMS=["permissions", "cognito:roles"],
AXIOMS_SCOPE_CLAIMS=["scope", "scp"]
)
Error Handling
The SDK raises AxiomsHTTPException for authentication and authorization errors:
from fastapi import FastAPI, Request
from fastapi.responses import JSONResponse
from axioms_fastapi import init_axioms, AxiomsHTTPException
app = FastAPI()
init_axioms(app, AXIOMS_AUDIENCE="api.example.com", AXIOMS_DOMAIN="auth.example.com")
@app.exception_handler(AxiomsHTTPException)
async def axioms_exception_handler(request: Request, exc: AxiomsHTTPException):
return JSONResponse(
status_code=exc.status_code,
content=exc.detail,
headers=exc.headers
)
Security Features
- Algorithm Validation: Only secure asymmetric algorithms allowed (RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512)
- Issuer Validation: Validates
issclaim to prevent token substitution attacks - Automatic JWKS Retrieval: Fetches and caches public keys from JWKS endpoints
- Token Expiration: Validates
expclaim - Audience Validation: Validates
audclaim - Key ID Validation: Validates
kidheader
License
MIT
Links
- Documentation: https://axioms-fastapi.abhishek-tiwari.com
- Source Code: https://github.com/abhishektiwari/axioms-fastapi
- Issue Tracker: https://github.com/abhishektiwari/axioms-fastapi/issues
Project details
Verified details
These details have been verified by PyPIProject links
GitHub Statistics
Maintainers
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file axioms_fastapi-0.0.1rc11762694952.tar.gz.
File metadata
- Download URL: axioms_fastapi-0.0.1rc11762694952.tar.gz
- Upload date:
- Size: 34.1 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
d5df15511d0ec8b3d8cecddb1126faccc3fb89df8e34f22c5029d4be7e1b8890
|
|
| MD5 |
7069991186cf721cc4c4f9c5979616a2
|
|
| BLAKE2b-256 |
b8bd4e88507c49b4c3ca358e06ee06cf8cbf80e87c421f0ff44627dba981bc5d
|
Provenance
The following attestation bundles were made for axioms_fastapi-0.0.1rc11762694952.tar.gz:
Publisher:
release.yml on abhishektiwari/axioms-fastapi
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
axioms_fastapi-0.0.1rc11762694952.tar.gz -
Subject digest:
d5df15511d0ec8b3d8cecddb1126faccc3fb89df8e34f22c5029d4be7e1b8890 - Sigstore transparency entry: 685790089
- Sigstore integration time:
-
Permalink:
abhishektiwari/axioms-fastapi@7c14fd84c7cc7bef9e79bdfc55c9e1e873a5c398 -
Branch / Tag:
refs/pull/1/merge - Owner: https://github.com/abhishektiwari
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@7c14fd84c7cc7bef9e79bdfc55c9e1e873a5c398 -
Trigger Event:
pull_request
-
Statement type:
File details
Details for the file axioms_fastapi-0.0.1rc11762694952-py3-none-any.whl.
File metadata
- Download URL: axioms_fastapi-0.0.1rc11762694952-py3-none-any.whl
- Upload date:
- Size: 14.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
802b09ab39b60f53323ff14fa65365a1924c36cca95e331bdfa89592d9f38ca9
|
|
| MD5 |
019d8855f58ae180b2c88f4f9fc1593c
|
|
| BLAKE2b-256 |
87bbba77f6be6302009b68a174006c9137ab084bcabef3812327a76f8426a3ac
|
Provenance
The following attestation bundles were made for axioms_fastapi-0.0.1rc11762694952-py3-none-any.whl:
Publisher:
release.yml on abhishektiwari/axioms-fastapi
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
axioms_fastapi-0.0.1rc11762694952-py3-none-any.whl -
Subject digest:
802b09ab39b60f53323ff14fa65365a1924c36cca95e331bdfa89592d9f38ca9 - Sigstore transparency entry: 685790092
- Sigstore integration time:
-
Permalink:
abhishektiwari/axioms-fastapi@7c14fd84c7cc7bef9e79bdfc55c9e1e873a5c398 -
Branch / Tag:
refs/pull/1/merge - Owner: https://github.com/abhishektiwari
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@7c14fd84c7cc7bef9e79bdfc55c9e1e873a5c398 -
Trigger Event:
pull_request
-
Statement type:
