Keycloak authentication for FastAPI that helps to secure your API endpoints with RBAC with minimal configurations
Project description
FastAPI Keycloak Auth 
A lightweight library to secure FastAPI APIs using Keycloak, enabling Role-Based Access Control (RBAC) with minimal configuration.
Features
- Simple integration with Keycloak for FastAPI applications.
- Built-in support for Role-Based Access Control (RBAC) using Keycloak roles.
- Works seamlessly with both realm roles and client roles.
- Automatically decodes and validates JWT tokens.
Minimum Requirements
- Python: 3.12 or higher
- FastAPI: 0.115.6 or higher
- Keycloak: 5.1.1 or higher
Installation
Install the library using pip:
pip install fastapi-keycloak-auth
Usage Guide
1. Initialize KeycloakAuth
Start by initializing the KeycloakAuth instance with your Keycloak server configuration.
There are two ways that you can use to initialize the KeycloakAuth instance:
-
Providing keycloak configurations as arguments in the initializer
from keycloak_auth.keycloak_auth import KeycloakAuth auth = KeycloakAuth( server_url=KEYCLOAK_URL, client_id=KEYCLOAK_CLIENT_ID, realm_name=KEYCLOAK_REALM_NAME, client_secret_key=KEYCLOAK_CLIENT_SECRET, use_resource_access=True )
Replace
KEYCLOAK_URL,KEYCLOAK_CLIENT_ID,KEYCLOAK_REALM_NAME, andKEYCLOAK_CLIENT_SECRETwith your Keycloak instance details.server_url: The URL of your Keycloak server. Ex:http://localhost:8080/auth/client_id: The client ID of your Keycloak client.realm_name: The name of your Keycloak realm.client_secret_key: The client secret of your Keycloak client.use_resource_access: Set toTrueif you want to use client roles in RBAC instead of realm roles (Default is set toFalse).
-
Setting up Keycloak configurations as environmental variables (This method is recommended when this application is running in a containerized environment)
from keycloak_auth.keycloak_auth import KeycloakAuth import os os.environ['KEYCLOAK_URL'] = KEYCLOAK_URL os.environ['KEYCLOAK_CLIENT_ID'] = KEYCLOAK_CLIENT_ID os.environ['KEYCLOAK_REALM_NAME'] = KEYCLOAK_REALM_NAME os.environ['KEYCLOAK_CLIENT_SECRET'] = KEYCLOAK_CLIENT_SECRET auth = KeycloakAuth()
Replace
KEYCLOAK_URL,KEYCLOAK_CLIENT_ID,KEYCLOAK_REALM_NAME, andKEYCLOAK_CLIENT_SECRETwith your Keycloak instance details.KEYCLOAK_URL: The URL of your Keycloak server. Ex:http://localhost:8080/auth/KEYCLOAK_CLIENT_ID: The client ID of your Keycloak client.KEYCLOAK_REALM_NAME: The name of your Keycloak realm.KEYCLOAK_CLIENT_SECRET: The client secret of your Keycloak client.
2. Protect Routes with Roles
Use the RolesAllowed decorator to protect your FastAPI routes based on roles defined in Keycloak.
You can pass a list of roles that are allowed to access the route.
Important Note: make sure to add authorization: str | None = Header(default=None) as a parameter in the route function to receive the JWT token.
Otherwise, the library will not be able to decode and validate the token.
from fastapi import FastAPI, Header
from keycloak_auth.keycloak_auth import KeycloakAuth
app = FastAPI()
auth: KeycloakAuth = KeycloakAuth(
server_url=KEYCLOAK_URL,
client_id=KEYCLOAK_CLIENT_ID,
realm_name=KEYCLOAK_REALM_NAME,
client_secret_key=KEYCLOAK_CLIENT_SECRET,
use_resource_access=True
)
@app.get('/admin')
@auth.RolesAllowed(['admin'])
async def admin_route(authorization: str | None = Header(default=None)):
return {'message': 'Hello Admin'}
@app.get('/user')
@auth.RolesAllowed(['admin', 'user'])
async def user_route(authorization: str | None = Header(default=None)):
return {'message': 'Hello User'}
3. Additional Features
-
You can also use the
KeycloakAuthinstance to decode and validate JWT tokens manually.from keycloak_auth.keycloak_auth import KeycloakAuth auth = KeycloakAuth() token = auth.current_token
-
You can use the
KeycloakAuthinstance to get the current user's profile.from keycloak_auth.keycloak_auth import KeycloakAuth auth = KeycloakAuth() user = auth.get_user_info()
4. Custom Error Handling
The library automatically raises HTTPException for errors such as:
401 Unauthorized: When the token is missing or expired.403 Forbidden: When the user does not have sufficient permissions.- For advanced scenarios, you can implement additional error handling logic in your application.
License
This project is licensed under the MIT License - see the LICENSE file for details.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file fastapi_keycloak_auth-1.0.2.tar.gz.
File metadata
- Download URL: fastapi_keycloak_auth-1.0.2.tar.gz
- Upload date:
- Size: 5.3 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.0.1 CPython/3.12.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
017a3f2539a20cd75ffa14ba6481903cfe11b42a4b2b63967dc62f08c84988ec
|
|
| MD5 |
09dec27131d845df158dc4e288307a26
|
|
| BLAKE2b-256 |
2610efc11f0886b6f5665187b2f1fb47f91d98e0b3031a28ebdabd06c076ffa0
|
File details
Details for the file fastapi_keycloak_auth-1.0.2-py3-none-any.whl.
File metadata
- Download URL: fastapi_keycloak_auth-1.0.2-py3-none-any.whl
- Upload date:
- Size: 5.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.0.1 CPython/3.12.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
6f44f20f6700a2c0f7a8f1113ec7aadc6ff216225bfc3c23b1c1b2ae560ff2ee
|
|
| MD5 |
724dfdd46a6da91ad06e38e668a53104
|
|
| BLAKE2b-256 |
30f10a68e8f5b59c4af0a04b483f3b3449c9e07265541c9c35802aba49583cf5
|
