A FastAPI Security object for AWS Cognito - supports both access and id tokens
Project description
fastapi-cognito-security
A micro-library that implements a FastAPI security class for AWS Cognito.
This library supports receiving the Cognito access token (recommended) or id token in the HTTP Authorization header using the standard Bearer mechanism (e.g. `Authorization: Bearer <token>`).
Installation
pip install fastapi-cognito-security
Usage
Securing an individual route
```python
from fastapi import Depends, FastAPI
from fastapi_cognito_security import CognitoBearer

app = FastAPI()
auth = CognitoBearer(
    app_client_id="my_app_client_id",
    userpool_id="my_userpool_id"
)


@app.get("/", dependencies=[Depends(auth)])
async def root():
    return {"message": "Hello World"}
```
Securing a whole API
```python
from fastapi import Depends, FastAPI
from fastapi_cognito_security import CognitoBearer

auth = CognitoBearer(
    app_client_id="my_app_client_id",
    userpool_id="my_userpool_id"
)
app = FastAPI(dependencies=[Depends(auth)])


@app.get("/")
async def root():
    return {"message": "Hello World"}
```
When called, the `CognitoBearer` object will:

- Get the public keys (the JWKS) from your AWS Cognito user pool.
  NOTE - this only happens once; the keys are cached thereafter.
- Validate the JWT by verifying that:
  - the JWT is correctly constructed and its signature verifies against the user pool's public key;
  - the JWT has not expired;
  - the `client_id` claim (access token) or the `aud` claim (id token) matches the configured `app_client_id`.
- Return either a `fastapi_cognito_security.AccessToken` or a `fastapi_cognito_security.IdToken` that contains the claims.
  NOTE - you can use these claims for further verification, either within your API or by subclassing `CognitoBearer`.

Any failure in the above steps results in a `fastapi.HTTPException` being raised.
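The checks listed above, written out as a stand-alone verifier so you can see what each rejection looks like. This is an added example, not code from fastapi-cognito-security: it generates a throw-away RSA key, publishes it in the JWKS shape Cognito serves at `https://cognito-idp.<region>.amazonaws.com/<userpool_id>/.well-known/jwks.json`, mints an RS256 access token and id token, and then verifies them (signature against the JWKS entry selected by `kid`, expiry, `client_id` for access tokens or `aud` for id tokens). It goes slightly beyond the README's list by also pinning `alg`, `iss` and `token_use`; the README does not say the library does that, so check its source before relying on it. The app client id, issuer URL, key id and all claim values are constructed placeholders, and the pure-Python RSA/PKCS#1 v1.5 exists only to keep the example dependency-free (use python-jose, PyJWT or `cryptography` in real code). Needs Python 3.8+.

```python
import base64, hashlib, json, random, time

APP_CLIENT_ID = "my_app_client_id"  # assumed: the README's placeholder app client id
ISSUER = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE"  # assumed user pool issuer URL

def b64url_encode(data): return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")
def b64url_decode(text): return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
def uint_to_b64url(v): return b64url_encode(v.to_bytes((v.bit_length() + 7) // 8, "big"))  # JWK "n"/"e" encoding
def b64url_to_uint(text): return int.from_bytes(b64url_decode(text), "big")
def byte_len(n): return (n.bit_length() + 7) // 8

# --- Throw-away RSA so the example needs no third-party package. Never use this in production. ---
def _is_probable_prime(n, rounds=16):  # Miller-Rabin; callers only pass large odd n
    r = ((n - 1) & -(n - 1)).bit_length() - 1
    d = (n - 1) >> r
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1) or any((x := pow(x, 2, n)) == n - 1 for _ in range(r - 1)):
            continue
        return False
    return True

def make_rsa_key(bits=1024):  # returns (n, e, d); 1024 bits keeps generation well under a second
    e, primes = 65537, []
    while len(primes) < 2:
        candidate = random.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1  # force top bit and oddness
        if _is_probable_prime(candidate) and candidate not in primes and (candidate - 1) % e:
            primes.append(candidate)  # (p-1) % e != 0 for both primes gives gcd(e, phi) == 1
    p, q = primes
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 section 9.2, note 1
def _emsa_pkcs1_v15_sha256(message, k):
    t = _SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def rs256_sign(message, key):
    n, _, d = key
    return pow(_emsa_pkcs1_v15_sha256(message, byte_len(n)), d, n).to_bytes(byte_len(n), "big")

def rs256_verify(message, signature, n, e):
    s = int.from_bytes(signature, "big")
    return len(signature) == byte_len(n) and s < n and pow(s, e, n) == _emsa_pkcs1_v15_sha256(message, byte_len(n))

def jwks_for(kid, key):  # the document shape Cognito serves at .../<userpool_id>/.well-known/jwks.json
    n, e, _ = key
    return {"keys": [{"kid": kid, "kty": "RSA", "alg": "RS256", "use": "sig", "n": uint_to_b64url(n), "e": uint_to_b64url(e)}]}

def mint_jwt(claims, kid, key):
    signing_input = b64url_encode(json.dumps({"alg": "RS256", "kid": kid}).encode()) + "." + b64url_encode(json.dumps(claims).encode())
    return signing_input + "." + b64url_encode(rs256_sign(signing_input.encode(), key))

class TokenError(Exception): pass  # each raise below is what CognitoBearer surfaces as a fastapi.HTTPException

def verify_cognito_jwt(token, jwks, app_client_id, issuer, now):
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header, claims, signature = json.loads(b64url_decode(h_b64)), json.loads(b64url_decode(p_b64)), b64url_decode(s_b64)
    except ValueError:  # wrong segment count, bad base64 (binascii.Error) and bad JSON all subclass ValueError
        raise TokenError("malformed token")
    if not isinstance(header, dict) or header.get("alg") != "RS256":  # pin the algorithm; never let the token choose it
        raise TokenError("unexpected alg")
    jwk = next((k for k in jwks["keys"] if k.get("kid") == header.get("kid") and k.get("kty") == "RSA"), None)
    if jwk is None:  # a production verifier refreshes its cached JWKS once here before giving up (key rotation)
        raise TokenError("unknown kid")
    if not rs256_verify(f"{h_b64}.{p_b64}".encode(), signature, b64url_to_uint(jwk["n"]), b64url_to_uint(jwk["e"])):
        raise TokenError("bad signature")
    if not isinstance(claims, dict) or claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise TokenError("expired")
    audience_claim = {"access": "client_id", "id": "aud"}.get(claims.get("token_use"))  # access: client_id, id: aud
    if audience_claim is None or claims.get(audience_claim) != app_client_id:
        raise TokenError("token not issued for this app client")
    return claims["token_use"], claims

def demo(now=None):  # mints both token kinds plus four forgeries and returns the verifier's verdict per case
    now = time.time() if now is None else now
    key, kid = make_rsa_key(), "example-kid-1"  # constructed key id
    jwks = jwks_for(kid, key)
    base = {"iss": ISSUER, "sub": "c3f2f1a0-5e1d-4b2b-9f0c-2d1e7a8b9c0d", "iat": int(now), "exp": int(now) + 3600}
    access = mint_jwt({**base, "token_use": "access", "client_id": APP_CLIENT_ID, "username": "alice", "scope": "openid"}, kid, key)
    h, p, s = access.split(".")
    forged = b64url_encode(json.dumps({**json.loads(b64url_decode(p)), "scope": "admin"}).encode())
    cases = {
        "access": access,
        "id": mint_jwt({**base, "token_use": "id", "aud": APP_CLIENT_ID, "cognito:username": "alice"}, kid, key),
        "expired": mint_jwt({**base, "exp": int(now) - 1, "token_use": "access", "client_id": APP_CLIENT_ID}, kid, key),
        "wrong_client": mint_jwt({**base, "token_use": "access", "client_id": "other_app_client"}, kid, key),
        "tampered": f"{h}.{forged}.{s}",  # payload edited after signing, original signature kept
        "alg_none": b64url_encode(json.dumps({"alg": "none", "kid": kid}).encode()) + f".{p}.",
    }
    def verdict(token):
        try:
            return verify_cognito_jwt(token, jwks, APP_CLIENT_ID, ISSUER, now)[0]
        except TokenError as exc:
            return str(exc)
    return {name: verdict(token) for name, token in cases.items()}
```

`demo()` returns `{"access": "access", "id": "id", "expired": "expired", "wrong_client": "token not issued for this app client", "tampered": "bad signature", "alg_none": "unexpected alg"}`. The ordering of the checks matters: the signature is verified before any claim is trusted, so a tampered payload never reaches the expiry or audience logic, and the `alg` pin rejects `"alg": "none"` before a key is even looked up.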
Claims
The returned `AccessToken` or `IdToken` will have the standard Cognito claims converted to Python types.
AccessToken and IdToken

Claim | Python Type
---|---
auth_time | datetime.datetime
exp | datetime.datetime
iat | datetime.datetime
iss | pydantic.HttpUrl
jti | uuid.UUID
origin_jti | uuid.UUID
sub | uuid.UUID

- Username (`username` in access tokens and `cognito:username` in id tokens) is canonicalized to the claim `username`.
- All additional claims are converted directly to basic Python types.
- All claim names have `:` replaced with `_` (e.g. `custom:thing` becomes `custom_thing`).

AccessToken only

Claim | Python Type
---|---
device_key | uuid.UUID
scope | list[str]
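The claim conversion described in the two tables and the bullets above, as an added example that is not the library's own code, plus a small follow-up authorization check of the kind the note under "Validate the JWT" suggests doing on the returned claims. It converts epoch-second claims to timezone-aware `datetime`s, UUID-shaped claims to `uuid.UUID`, splits `scope` into a list, rewrites `:` to `_` in claim names and canonicalizes `cognito:username` to `username`. `iss` is left as a string because pydantic is not assumed here. The two sample payloads are constructed, not real Cognito tokens.

```python
import uuid
from datetime import datetime, timezone

_DATETIME_CLAIMS = {"auth_time", "exp", "iat"}            # epoch seconds in the raw token
_UUID_CLAIMS = {"jti", "origin_jti", "sub", "device_key"}  # device_key only appears in access tokens


def normalize_claims(raw):
    """Return a new dict carrying the README's Python types; `iss` stays a str (no pydantic here)."""
    out = {}
    for name, value in raw.items():
        key = name.replace(":", "_")  # custom:thing -> custom_thing, cognito:groups -> cognito_groups
        if name in _DATETIME_CLAIMS:
            out[key] = datetime.fromtimestamp(value, tz=timezone.utc)
        elif name in _UUID_CLAIMS:
            out[key] = uuid.UUID(value)
        elif name == "scope":
            out[key] = value.split()  # Cognito sends scope as one space-separated string
        else:
            out[key] = value
    if "cognito_username" in out:  # id tokens: canonicalize to the access token's claim name
        out["username"] = out.pop("cognito_username")
    return out


def has_scope(claims, needed):
    """Follow-up check on the typed claims: only access tokens carry scopes, so an id token never passes."""
    return claims.get("token_use") == "access" and needed in claims.get("scope", [])


# Constructed sample payloads in the shape Cognito issues (placeholders, not real tokens)
SAMPLE_ACCESS = {
    "sub": "c3f2f1a0-5e1d-4b2b-9f0c-2d1e7a8b9c0d",
    "iss": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE",
    "client_id": "my_app_client_id",
    "origin_jti": "1d8e5b1a-2b3c-4d5e-8f90-0a1b2c3d4e5f",
    "token_use": "access",
    "scope": "openid profile",
    "auth_time": 1700000000,
    "exp": 1700003600,
    "iat": 1700000000,
    "jti": "9a8b7c6d-5e4f-4a3b-9c2d-1e0f1a2b3c4d",
    "username": "alice",
}
SAMPLE_ID = {
    "sub": "c3f2f1a0-5e1d-4b2b-9f0c-2d1e7a8b9c0d",
    "iss": "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE",
    "aud": "my_app_client_id",
    "token_use": "id",
    "cognito:username": "alice",
    "custom:tenant": "acme",
    "email": "alice@example.com",
    "auth_time": 1700000000,
    "exp": 1700003600,
    "iat": 1700000000,
}
```

`normalize_claims(SAMPLE_ID)` yields `username == "alice"` and `custom_tenant == "acme"` with no `cognito:username` key left behind, so downstream code can read `claims["username"]` regardless of which token kind the caller presented; `has_scope` shows why token kind still matters for authorization decisions.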
Swagger/OpenAPI 3.0 Support
Because `CognitoBearer` is a `fastapi.security.HTTPBearer`, it appears in the docs that FastAPI generates automatically in the same way as its parent class.
Hashes for fastapi-cognito-security-0.0.1.tar.gz

Algorithm | Hash digest
---|---
SHA256 | dfb0d8712636219381ac1e17f96d2e606fc98f504810939603d1e22a6b2e5a14
MD5 | 3ce0649d99e5dca49732d7f12529310f
BLAKE2b-256 | ad0ae782e1c32657e447847f5084c38fb37cc819484392b7260d404a12de10df
Hashes for fastapi_cognito_security-0.0.1-py3-none-any.whl

Algorithm | Hash digest
---|---
SHA256 | fcbdbad6a85e31e29d00708a56f40aaee6b5853ea4804f14db872cd89a83dba3
MD5 | 162add9f4132efcebbfff5ab184ea823
BLAKE2b-256 | 1b2341b60c45c7c16272c3c0ac07b46b21c4b707a9fb0373018d030ed347242a