(One of my summaries of the 2025 pycon.de conference in Darmstadt, DE).
Full title: safeguard your precious API endpoints built on fastapi using OAuth 2.0.
She introduced herself by showing an openid oauth2 access token payload :-)
Several big companies wanted a way to have people log in more securely to their services. Originally, you’d use a username/password everywhere. They came up with oauth: a way to log in securely on a website using an identity from an identity provider (“logging into a different website with your google account”).
Oauth2 is a generic mechanism for authorization.
OpenID builds upon oauth2 and provides authentication.
Note: oauth 2.1 is under development and will incorporate pkce. pkce is used by openid, so they’ll mandate 2.1 once it is ready. It is handy for authentication from the frontend (on the frontend, you cannot store private secrets, so a priv/pub mechanism isn’t usable).
Fastapi has a HTTPBearer scheme, which extracts a “bearer” token from the Bearer header. You can use this for oauth2.
(She showed some example code that I of course couldn’t type over :-) Plus a demo.)
Look at RFC 9700 “best current practice for OAuth 2.0 security”.
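As an added example (my own, not the speaker’s code), the checks that an HTTPBearer-protected fastapi endpoint’s dependency has to run on the extracted token, in plain stdlib Python so it runs without fastapi or an identity provider: the `Authorization: Bearer` extraction that HTTPBearer does for you, then signature, expiry, issuer and audience validation. The HS256 shared secret, issuer and audience are constructed placeholders; a real openid provider signs with an asymmetric key you fetch from its JWKS endpoint.

```python
import base64, hashlib, hmac, json, time
from typing import Optional

# Constructed example values (not from the talk): a shared HMAC secret stands in
# for the identity provider's signing key so the example runs offline.
SECRET = b"example-signing-secret"
ISSUER = "https://idp.example.invalid"
AUDIENCE = "fastapi-demo-api"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(payload: dict) -> str:
    """Mint an HS256 token the way a test identity provider would."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(payload).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"

def bearer_from_header(authorization: Optional[str]) -> Optional[str]:
    """What HTTPBearer does: pull the token out of 'Authorization: Bearer <token>'."""
    if not authorization:
        return None
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()

def verify_access_token(token: str, now: Optional[float] = None) -> dict:
    """Check signature, expiry, issuer and audience; raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, body, sig = parts
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token pick its own algorithm
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("token expired")
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    if claims.get("aud") != AUDIENCE:
        raise ValueError("wrong audience")
    return claims
```

In a fastapi app the dependency would call `verify_access_token` on `credentials.credentials` from `HTTPBearer()` and turn a `ValueError` into a 401.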
My name is Reinout van Rees and I program in Python, I live in the Netherlands, I cycle recumbent bikes and I have a model railway.