Reusable FastAPI app for SSO integration
Project description
FastAPI-Keycloak Integration
This package is used when you want to manage users in your services in a keycloak environment.
Install
Installation command from pypi:
pip install fastapi-keycloak-sso
Setting up the authenticate function and UserPayload to use authentication:
from fastapi import FastAPI, Depends
from fastapi_keycloak_sso.auth import UserPayload, authenticate
app = FastAPI()
@app.get('/')
def test_api(user: UserPayload = Depends(authenticate)):
pass
For proper identification, you should use the 'user' parameter in your route.
Environment Configurations
To use the authentication features of this package, you need to set the following in your '.env' file:
(Preferably the '.env' file is next to your project's main file)
# Keycloak SSO
KEYCLOAK_SERVER_URL=https://sso.domain # if using in dokcer : https://<keycloak_container>:8443
KEYCLOAK_ISSUER_PREFIX=https://sso.domain
KEYCLOAK_REALM=your_realm
KEYCLOAK_CLIENT_ID=your_client_id
KEYCLOAK_CLIENT_PK=your_client_primary_key # example: 'test-client'
KEYCLOAK_CLIENT_SECRET=your_client_secret_key
KEYCLOAK_OAUTH_REDIRECT_URI=http://127.0.0.1:8000/auth/callback/ # for login in ssr sites
KEYCLOAK_CLIENT_NAME=your_client_name
KEYCLOAK_CLIENT_TITLE=your_client_title
KEYCLOAK_ALGORITHMS=RS256
KEYCLOAK_SECRET_KEY_ALGORITHM=your_algorithm_secret_key
Permissions
To use access levels for users in your Keycloak system, you can use the decorators available in the package:
from fastapi_keycloak_sso.decorators import (
require_roles,
require_groups,
require_group_roles,
require_any_group,
require_any_role,
require_all_permissions
)
@app.get('/')
@requiire_groups('test-admin','test-editor')
def test_api(user: UserPayload = Depends(authenticate)):
pass
All decorators should be close to the rout and the associated permissions should be entered as str inside the decorator.
require_roles:
In this decorator, the user must have all the permissions entered to access rout.
require_groups:
To check that the user must exist in all groups entered in the decorator.
require_group_roles:
@require_group_roles(*group_roles, match_group_roles=False)
Checks if the user has at least one of the specified roles within any group. Use match_group_roles=True to only allow matches where the group name is also explicitly listed via @require_groups.
@app.get('/')
@require_group_roles('manager') # Any group
@require_group_roles('admin', match_group_roles=True) # Must match both group and role
def test_api():
pass
require_any_group:
The user must belong to at least one of the groups listed.
require_any_role:
The user must belong to at least one of the roles listed.
require_all_permissions:
@require_all_permissions(role_titles=[], group_titles=[], group_roles=[], match_group_roles=False)
Combined decorator that allows you to check all types of permissions in one call.
@app.get('/')
@require_all_permissions(
role_titles=['superuser'],
group_titles=['group_1'],
group_roles=['manager'],
match_group_roles=True
)
def test_api():
pass
Default APIs
To use default APIs, you must include them in your system app.
from fastapi_keycloak_sso.api.routers.base_routers import router as keycloak_router
app = FastAPI()
app.include_router(keycloak_router)
The package provides a number of default APIs to make it easy to work with your keycloak system:
- Set token cookie
- Logout token from cookie
- Create token
- Refresh token
- User profile
- Group read
- Find group detail exact
- Group create
- Group delete
- Role read
- Assign role to group
- User join to group
Setting permissions on default APIs:
By default, the existing APIs do not have any specific permissions, but you can enforce them by adding the permissions you need to your '.env' file.
It is worth noting that your input permissions are checked against user groups, and the user must have at least one of the entries.
# Keycloak access groups
KEYCLOAK_GROUP_READ_ACCESS=admin,test
KEYCLOAK_GROUP_FIND_ACCESS=admin,test
KEYCLOAK_GROUP_CREATE_ACCESS=admin,test
KEYCLOAK_GROUP_DELETE_ACCESS=admin,test
KEYCLOAK_USER_READ_ACCESS=admin,test
KEYCLOAK_ROLE_READ_ACCESS=admin,test
KEYCLOAK_ASSIGN_ROLE_GROUP_ACCESS=admin,test
KEYCLOAK_JOIN_USER_GROUP_ACCESS=admin,test
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file fastapi_keycloak_sso-0.0.2.tar.gz.
File metadata
- Download URL: fastapi_keycloak_sso-0.0.2.tar.gz
- Upload date:
- Size: 29.5 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
5e5adcb80956d657ba7716e0ff7f017dd79e3d205c51ff188ee7d43860470ac3
|
|
| MD5 |
8a2f5b3137164a0a51558fb7c1892ac7
|
|
| BLAKE2b-256 |
3166518b948b59b0026b7318d2bda75aaa494f7d166806dbbbbf945781b76c00
|
File details
Details for the file fastapi_keycloak_sso-0.0.2-py3-none-any.whl.
File metadata
- Download URL: fastapi_keycloak_sso-0.0.2-py3-none-any.whl
- Upload date:
- Size: 30.9 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
308c3892444382d92c5696cd604789dbdf09ed531cc2f33dc8777fc5b2b5927d
|
|
| MD5 |
cc5322af25cac16bbf79e2e347ba4f28
|
|
| BLAKE2b-256 |
b794b9aefd635bbb2848fedd2968dd9380851f779ccb290b5fbf3843d91fed69
|
