
Reference implementation of OAuth2 + JWT based authentication system #52

Open · devraj opened this issue Nov 20, 2022 · 0 comments
Assignee: devraj
Labels: documentation (Improvements or additions to documentation)

devraj (Member) commented Nov 20, 2022

Is your feature request related to a problem? Please describe.
In light of us dropping the use of various third-party middleware for authentication (see #25, #33, #34), we should provide a reference implementation of an OAuth2 based password authentication system.

This will make #31 redundant.

The solution will study the

Describe the solution you'd like
Study the OAuth2 reference implementation outlined by the FastAPI docs and implement a set of handlers that adhere to the proposed standards.

Note that the work being proposed is around authentication and sessions, not sign up and password lifecycle.

The implementation ought to provide context around getting the current user, and possibly an alternative around getting an admin user. We should also look at documenting OAuth2 scopes.

There are two intents of this implementation:

  • For use within production applications built using this template
  • As a development alternative when the project aims to use systems like AWS Cognito

FastAPI uses python-jose for the JWT packages, which has not been updated in a while. pyJWT on the other hand is receiving updates, so it will be well worth considering using that.

Describe alternatives you've considered
See the issues and projects like #25, #33, #34 and fastapi-jwt-auth.

Additional context
Security researchers like @ScottHelme have been writing about the redundancy of CSRF since 2019:

Other discussion around Starlette:

The question to be asked is why we have not been paying attention to this.

devraj self-assigned this Nov 20, 2022

devraj added a commit that referenced this issue Nov 20, 2022:

> a reference implementation of password based OAuth login and JWT sessions working
> this commit has the get_current_user not working properly.
>
> note that this does not use pyjose but pyjwt instead REFS #52

devraj added a commit that referenced this issue Nov 20, 2022:

> pyjwt requires a list of algorithms it ought to use to decode the token, the JWT
> secret key needs to be read as one, not a string REFS #52

devraj added a commit that referenced this issue Mar 6, 2023:

> previous implementation of the jwt subject was using email based on examples
> where the users always login with email + passwords.
>
> the template allows for OTP based logins whereby the user may not have an
> email for an extended period of time, this refactors to the subject being
> set to using the user.id

devraj added the documentation (Improvements or additions to documentation) label Mar 6, 2023
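The issue body and the three commit messages above describe the shape of the intended implementation: a JWT session token whose subject is the user id rather than the email (so OTP-only users without an email still work), decoding with an explicit list of allowed algorithms, a secret handled as bytes, and `get_current_user` plus an admin variant built on top. The block below is an added example written for this page; it is not code from this issue or from the project. To run offline it implements HS256 with the standard library in place of pyjwt (the real code would call pyjwt's `jwt.encode()` and `jwt.decode(token, key, algorithms=[...])`, which is why the decoder here takes an `algorithms` list). The user table, the secret and the token timestamps are constructed test data; FastAPI's dependency wiring is omitted.

```python
import base64
import hashlib
import hmac
import json
import time

# Explicit allowlist passed to the decoder, mirroring pyjwt's required
# `algorithms=` argument. Only HS256 is implemented in this example.
ALLOWED_ALGORITHMS = ["HS256"]

# Constructed user table. User 1 logged in via OTP and has no email yet,
# which is exactly why the token subject is the user id, not the email.
USERS = {
    1: {"id": 1, "email": None, "phone": "+10000000000", "is_admin": False},
    2: {"id": 2, "email": "admin@example.test", "phone": None, "is_admin": True},
}


class InvalidToken(Exception):
    """Raised for any token that must not be trusted."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # Re-add the padding JWTs strip off.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_segment(obj: dict) -> str:
    return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def create_access_token(user_id: int, secret: bytes, expires_in: int = 900, now=None) -> str:
    """Issue an HS256 JWT whose subject is the user id. `secret` is bytes."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": str(user_id), "iat": now, "exp": now + expires_in}
    signing_input = f"{_json_segment(header)}.{_json_segment(payload)}"
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(signature)}"


def decode_access_token(token: str, secret: bytes, algorithms, now=None) -> dict:
    """Verify and decode a token; `algorithms` is the caller's allowlist."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except (ValueError, UnicodeDecodeError):
        raise InvalidToken("malformed token")
    # The algorithm named in the header is attacker-controlled input: it must
    # be on the caller's allowlist, and "none" is never accepted.
    alg = header.get("alg")
    if alg not in algorithms or alg != "HS256":
        raise InvalidToken("algorithm not allowed")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise InvalidToken("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    if not isinstance(payload.get("exp"), int) or now >= payload["exp"]:
        raise InvalidToken("token expired")
    if "sub" not in payload:
        raise InvalidToken("missing subject")
    return payload


def get_current_user(token: str, secret: bytes, now=None) -> dict:
    """Resolve the session to a user record; the subject is the user id."""
    payload = decode_access_token(token, secret, ALLOWED_ALGORITHMS, now=now)
    user = USERS.get(int(payload["sub"]))
    if user is None:
        raise InvalidToken("unknown user")
    return user


def get_current_admin_user(token: str, secret: bytes, now=None) -> dict:
    """Same as get_current_user but additionally requires the admin flag."""
    user = get_current_user(token, secret, now=now)
    if not user["is_admin"]:
        raise PermissionError("admin privileges required")
    return user


def token_is_accepted(token: str, secret: bytes, now=None) -> bool:
    """Convenience check used to show which tokens the decoder rejects."""
    try:
        decode_access_token(token, secret, ALLOWED_ALGORITHMS, now=now)
        return True
    except InvalidToken:
        return False


def unsigned_token(payload: dict) -> str:
    """A constructed alg=none token, present only to show it is rejected."""
    return f"{_json_segment({'alg': 'none', 'typ': 'JWT'})}.{_json_segment(payload)}."


if __name__ == "__main__":
    secret = b"constructed-test-secret"  # read from config as bytes, not str
    tok = create_access_token(1, secret, now=1_700_000_000)
    print(get_current_user(tok, secret, now=1_700_000_100))
    print(token_is_accepted(unsigned_token({"sub": "2", "exp": 1_900_000_000}), secret))
```

The secret is typed as `bytes` throughout, matching the second commit's point that the key must be read in as one value rather than re-encoded from a string at each call; with pyjwt the same shape applies, with `hmac.new` replaced by `jwt.encode(payload, key, algorithm="HS256")` and `jwt.decode(token, key, algorithms=ALLOWED_ALGORITHMS)`.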