After running the simple flow with Google as authentication provider I get this error:

pydantic.error_wrappers.ValidationError: 6 validation errors for IDToken
name
  field required (type=value_error.missing)
preferred_username
  field required (type=value_error.missing)
auth_time
  field required (type=value_error.missing)
ver
  field required (type=value_error.missing)
amr
  field required (type=value_error.missing)
idp
  field required (type=value_error.missing)

Indeed these fields are not present in the JWT token that was generated by Google, but they are not listed as required in the spec. I believe they are always present in okta, but should be made optional to ensure compatibility with other providers.

Hello,

I have the next error: when I'm ussing grant_types=["authorization_code"],

Error:
Missing+parameter:+code_challenge_method.

How can I specify the code_challenge_method ?

thank you

Hi there,

thanks for sharing your project. We are currently implementing id_token validation in our project and found your library quite useful.

We would like to discuss a thought with you:
How about making the IDToken class configurable such that one may provide a Subclass with additional fields and validations?
Needless to say that IDToken currently allows for additional fields, but we believe that our idea might make some things easier.

Hi Harry,
thank you very much for the time you invested into the code of this repository!
I have had to walk the very stony path of figuring out how OpenID Connect and a resource server in FastAPI could work together, myself. And this helped quite a lot in understanding some details.

I also came up with a solution and was wondering what you were thinking about it. My approach was to use a maximum of the standard (existing) libraries to avoid any self-introduced security issues.
Also, I have tried to use the security models from FastAPI in order to automatically have them listed in the OpenAPI docs.

Basically, the two tools I am using are authlib (for verification of the access_token, which in my case is a Json Web Token (JWT)) and the FastAPI security model.

Here is how it should look once swagger-api/swagger-ui#3517 is fixed.
The code should already work (more or less - my final version is a bit more complex since I still try to work around the mentioned swagger-ui problem). Just a login via swagger-ui is not possible yet.

from fastapi.security.open_id_connect_url import OpenIdConnect
from starlette.middleware.sessions import SessionMiddleware
from authlib.integrations.starlette_client import OAuth
from fastapi import HTTPException
from fastapi import Request
from fastapi import Depends
from fastapi import status
import string
import random

# create your app first....
# then

# middleware required for authlib - though if you look into the code it is only used to obtain the "nonce"
# which is in this case always None and should not be checked anyways
# (since we are the resource server and the nonce is specified by the identity provider)
# but to reuse the code in authlib, we need to have the middleware installed
app.add_middleware(
    SessionMiddleware,
    secret_key="".join(random.choice(string.ascii_letters) for _ in range(16)),
)

oicd_discovery_url = "...." # the url before .well_known/...

authlib_oauth = OAuth()
authlib_oauth.register(
    name="myapp",
    server_metadata_url=oicd_discovery_url,
    #client_kwargs={"scope": "openid email offline_access profile"},
    #client_id="some-client-id", # if enabled, authlib will also check that the access token belongs to this client id (audience)
)

fastapi_oauth2 = OpenIdConnect(
    openIdConnectUrl=oicd_discovery_url,
    scheme_name="My Authentification Method",
)

async def current_user(
    request: Request, token: Optional[str] = Depends(fastapi_oauth2)
):
    # we could query the identity provider to give us some information about the user
    # userinfo = await self.authlib_oauth.myapp.userinfo(token={"access_token": token})

    # in my case, the JWT already contains all the information so I only need to decode and verify it
    try:
        # note that this also validates the JWT by validating all the claims
        user = await authlib_oauth.myapp.parse_id_token(
            request, token={"id_token": token}
        )
    except Exception as exp:
        raise HTTPException(
            status_code=status.HTTP_401_UNAUTHORIZED,
            detail=f"Supplied authentication could not be validated ({exp})",
        )
    return user

@app.get( "/me" )
def me( user = Depends(current_user)):
     return user

It seems to me that authlib also checks a few more claims than you do in your auth.py.
Comments highly appreciated. Maybe it also helps.

Best regards,
Carsten

from fastapi_oidc import IDToken
cant find the IDToken.

I could use it as bellow
from fastapi_oidc.types import IDToken

Multiple types allowed is painful

aud
REQUIRED. Audience(s) that this ID Token is intended for. It MUST contain the OAuth 2.0 client_id of the Relying Party as an audience value. It MAY also contain identifiers for other audiences. In the general case, the aud value is an array of case sensitive strings. In the common special case when there is one audience, the aud value MAY be a single case sensitive string.
https://openid.net/specs/openid-connect-core-1_0.html

Hi, @HarryMWinters

1.) How can i generate token using this library on one endpoint? And then verify it on another endpoint.
2.) Can you show me (with code) how i can authenticate a user one endpoint and not for another one using post request not swagger UI?
3.)There is so less documentation about this library

happy coding

This function does not take issuer as it's argument. It takes the full "well known uri".

oauth2_scheme = OpenIdConnect(openIdConnectUrl=issuer)

should be something like

oauth2_scheme = OpenIdConnect(openIdConnectUrl="http://localhost:8080/auth/realms/my-realm/.well-known/openid-configuration")

If I input this as the "issuer" to the config then everything is discovered and /docs with login works (but requests fail because the "issuer" doesn't match obviously)

I'll see if I can fork and fix this stuff

Hi,
We have internal okta server configured, I am using fastapi-oidc for authentication and getting the following error

Same error is seen in firefox and chrome browser

--Kiran

What good are test if they don't run? Also we should add some coverage.

I am trying to add OIDC by following your example in the documentation. I am using a docker container for mock-oidc server with the following env variables:

      - PORT=9090
      - CLIENT_ID=my-client
      - CLIENT_SECRET=my-secret
      - CLIENT_REDIRECT_URI=http://localhost:8000/protected
      - CLIENT_LOGOUT_REDIRECT_URI=http://localhost:8000/logout

in main.py I have this -

OIDC_config = {
    "client_id": os.getenv("CLIENT_ID"), 
    "base_authorization_server_uri": "http://localhost:9090/.well-known/openid-configuration",
    "issuer": "http://localhost:9090/.well-known/openid-configuration",
    "signature_cache_ttl": 3600,
}

authenticate_user: Callable = get_auth(**OIDC_config)


@app.get("/protected")
def protected(id_token: IDToken = Depends(authenticate_user)):
    return {"Hello": "World", "user_email": id_token}

On clicking authorize, its throwing me redirect uri not matching. What could be the issue. Also, in the scope OpenIdConnect (OAuth2, refresh_token), its throwing client id is invalid. I am not sure why this is happening.

Could I somehow not land in the list of api's page in the first place. Basically I would want user to first get authenticated and then the list of api's would be shown. Thanks in advance :)

Can you please provide a complete walk-through how to implement the example in an existing code?

I received the client_id, base_authorization_server_uri, issuer (must be the same as base_authorization_server_uri in my case, this is what I was told ), and I have tried using the code as shown in the readme with these values, but all I get is an empty "Available authorizations" dialog and "Not authenticated" error message in the Swagger UI.

So, what else should be added to a code in main.py like

import datetime, os, random, time
from pathlib import Path
from typing import Union, Optional
from fastapi import FastAPI, Depends, File, UploadFile, status
from fastapi.responses import FileResponse

from collections.abc import Callable
from fastapi_oidc import IDToken, get_auth

OIDC_config = {
    "client_id": "xxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "base_authorization_server_uri": "https://url",
    "issuer": "https://url",
    "signature_cache_ttl": 3600,
}
swagger_ui_init_oauth = {
    "clientId": "xxxxxxxxxxxxxxxxxxxxxxxxxxx",
    "appName": "name",
    "usePkceWithAuthorizationCodeGrant": "true",
    ###"clientSecret": "secret",   ### Told not to use it if I use PKCE
    "oauth2RedirectUrl": "https://redirURL",
    "scopeSeparator": " ",
    "scopes": "scopes...",
}

authenticate_user: Callable = get_auth(**OIDC_config)

app = FastAPI(swagger_ui_init_oauth=swagger_ui_init_oauth)

@app.post("/highlight_file/", tags=['highlight_file'])
async def highlight_file(file: UploadFile = File(...), id_token: IDToken = Depends(authenticate_user)):
    print(f'ID Token: {id_token}')
    return await highlight_file_function(file)

async def highlight_file_function(file):
    # process file code