Keycloak authentication for python projects
Project description
sag_py_auth
This provides a way to secure your fastapi with keycloak jwt bearer authentication.
What it does
- Secure your api endpoints
- Verifies auth tokens: signature, expiration, issuer, audience
- Allows to set permissions by specifying roles and realm roles
How to use
Installation
pip install sag_py_auth
Secure your apis
First create the fast api dependency with the auth config:
from sag_py_auth import AuthConfig, JwtAuth, TokenRole
from fastapi import Depends
auth_config = AuthConfig("https://authserver.com/auth/realms/projectName", "myaudience")
required_roles = [TokenRole("clientname", "adminrole")]
required_realm_roles = ["additionalrealmrole"]
requires_admin = Depends(JwtAuth(auth_config, required_roles, required_realm_roles))
Afterwards you can use it in your route like that:
@app.post("/posts", dependencies=[requires_admin], tags=["posts"])
async def add_post(post: PostSchema) -> dict:
Or if you use sub routes, auth can also be enforced for the entire route like that:
router = APIRouter()
router.include_router(sub_router, tags=["my_api_tag"], prefix="/subroute",dependencies=[requires_admin])
Get user information
The Jwt call directly returns a token object that can be used to get additional information.
Furthermore you can access the context directly:
from sag_py_auth import get_token as get_token_from_context
token = get_token_from_context()
This works in async calls but not in sub threads (without additional changes).
See:
- https://docs.python.org/3/library/contextvars.html
- https://kobybass.medium.com/python-contextvars-and-multithreading-faa33dbe953d
Methods available on the token object
- get_field_value: to get the value of a claim field (or an empty string if not present)
- get_roles: Gets the roles of a specific client
- has_role: Verify if a spcific client has a role
- get_realm_roles: Get the realm roles
- has_realm_role: Check if the user has a specific realm role
Log user data
It is possible to log the preferred_username and the azp value (party that created the token) of the token by adding a filter.
import logging
from sag_py_auth import UserNameLoggingFilter
console_handler = logging.StreamHandler(sys.stdout)
console_handler.addFilter(UserNameLoggingFilter())
The filter provides the following two fields as soon as the user is authenticated: user_name, authorized_party
How to publish
- Update the version in setup.py and commit your change
- Create a tag with the same version number
- Let github do the rest
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
File details
Details for the file sag-py-auth-0.1.1.tar.gz.
File metadata
- Download URL: sag-py-auth-0.1.1.tar.gz
- Upload date:
- Size: 8.7 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/4.0.1 CPython/3.11.2
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | d130a05a5696bea44ce848eadb8c75922b308caff2b7189cb77a66429bb4fbdb |
|
| MD5 | b7e0615ad8c05172fb6710ca95f15baa |
|
| BLAKE2b-256 | c730a909e2225e16bc3db02c85a4d224d078bbdd51b1dc59a76cd76b09d49e9f |
File details
Details for the file sag_py_auth-0.1.1-py3-none-any.whl.
File metadata
- Download URL: sag_py_auth-0.1.1-py3-none-any.whl
- Upload date:
- Size: 8.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/4.0.1 CPython/3.11.2
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 892b787d0d0caf1ebc605d585ce28ce50b27192b89095d24ceb8c54b66f2d2e9 |
|
| MD5 | 006567f40815757cca571e4c24ee95a9 |
|
| BLAKE2b-256 | f7f03a777d74ee133ec0f3c7a68cc1746a8965220f400c2fcd16ab75d6d455e3 |
