Pycon.de: fastapi and oauth2 - Semona Igama

Tags: pycon, python

(One of my summaries of the 2025 pycon.de conference in Darmstadt, DE).

Full title: safeguard your precious API endpoints built on fastapi using OAuth 2.0.

She introduced herself by showing the payload of an OpenID Connect/OAuth2 access token :-)

Several big companies wanted a way to let people log in to their services more securely. Originally, you'd use a separate username/password everywhere. They came up with OAuth: a way of logging in securely on one website using an identity from an identity provider ("logging into a different website with your Google account").

  • OAuth2 is a generic mechanism for authorization (delegated access to a resource).

  • OpenID Connect builds upon OAuth2 and provides authentication (who the user is).

Note: OAuth 2.1 is under development; it will make PKCE mandatory. PKCE is already used by OpenID Connect, so they'll mandate 2.1 once it is ready. PKCE is what makes authentication from a frontend workable: a browser or mobile app cannot keep a secret private, so a mechanism that relies on a stored private key or client secret isn't usable there. With PKCE the client proves at token exchange that it is the same client that started the flow, without holding any long-lived secret.
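The PKCE exchange from RFC 7636 as an added example (not code from the talk): the client generates a random code_verifier, sends only its S256 hash as the code_challenge when it starts the flow, and reveals the verifier when it redeems the authorization code. `ToyAuthServer` is a hypothetical in-memory stand-in for the identity provider, included so the check on the server side is visible too; the `demo()` scenarios (legitimate exchange, code replay, attacker holding a stolen code but no verifier) are constructed.

```python
# Added example, not from the talk: PKCE (RFC 7636) with a toy authorization server.
import base64
import hashlib
import hmac
import secrets


def b64url(raw: bytes) -> str:
    # Base64url without '=' padding, the encoding RFC 7636 mandates for both values.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_code_verifier() -> str:
    # 32 random bytes -> 43 chars from [A-Za-z0-9_-]: the RFC's minimum length
    # and a subset of its allowed unreserved alphabet.
    return secrets.token_urlsafe(32)


def code_challenge_s256(code_verifier: str) -> str:
    # code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


class ToyAuthServer:
    """Hypothetical authorization server (constructed for this example):
    remembers the challenge per code and checks the verifier on redemption."""

    def __init__(self) -> None:
        self._pending: dict[str, str] = {}

    def authorize(self, code_challenge: str, method: str) -> str:
        # 'plain' offers no protection if the challenge leaks; accept S256 only.
        if method != "S256":
            raise ValueError("only code_challenge_method=S256 is accepted")
        code = secrets.token_urlsafe(16)
        self._pending[code] = code_challenge
        return code

    def token(self, code: str, code_verifier: str) -> dict:
        challenge = self._pending.pop(code, None)  # authorization codes are single-use
        if challenge is None:
            raise PermissionError("unknown or already redeemed code")
        if not 43 <= len(code_verifier) <= 128:
            raise PermissionError("code_verifier length out of range")
        # Constant-time comparison of the stored challenge against the hash of the presented verifier.
        if not hmac.compare_digest(challenge, code_challenge_s256(code_verifier)):
            raise PermissionError("code_verifier does not match code_challenge")
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer"}


def redeem(server: ToyAuthServer, code: str, code_verifier: str) -> bool:
    try:
        server.token(code, code_verifier)
        return True
    except PermissionError:
        return False


def demo() -> dict:
    """Constructed scenarios: legitimate exchange, replay of a used code,
    and an attacker who intercepted a code but never saw the verifier."""
    server = ToyAuthServer()
    verifier = make_code_verifier()
    code = server.authorize(code_challenge_s256(verifier), "S256")
    legit = redeem(server, code, verifier)
    replay = redeem(server, code, verifier)  # same code again: must fail
    stolen_code = server.authorize(code_challenge_s256(make_code_verifier()), "S256")
    attacker = redeem(server, stolen_code, make_code_verifier())  # attacker guesses a verifier
    return {"legit": legit, "replay": replay, "stolen_code": attacker}


if __name__ == "__main__":
    print(demo())
```

The verifier only ever leaves the client in the final token request, which goes directly to the token endpoint over TLS; everything an attacker can observe in the redirect (the code and the challenge) is useless without it, which is exactly why a public client needs no client secret.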

FastAPI has an HTTPBearer security scheme, which extracts the "bearer" token from the Authorization header (`Authorization: Bearer <token>`) and rejects requests where it is missing or uses a different scheme. You can use this as the dependency that protects your OAuth2-secured endpoints; validating the token itself (signature, expiry, audience) is still up to you.
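An added example of what such an endpoint does with the header, not the speaker's code: `extract_bearer` mirrors the Authorization-header handling of FastAPI's HTTPBearer, `verify_token` checks signature, algorithm, expiry and audience, and `handle_request` shows the 200/401 outcomes. The shared secret, the HS256 signing and the audience name `my-api` are constructed for the demo; a real resource server would instead verify the identity provider's asymmetric signature against its published JWKS. The FastAPI wiring at the bottom is guarded by an import so the rest runs without FastAPI installed.

```python
# Added example, not from the talk: bearer-token extraction and validation for a protected endpoint.
import base64
import hashlib
import hmac
import json
import time

SECRET = b"demo-shared-secret"  # constructed for the demo; real APIs verify the IdP's signature via JWKS
AUDIENCE = "my-api"             # constructed audience identifier for this API


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(sub: str, exp: int, key: bytes = SECRET, aud: str = AUDIENCE) -> str:
    """Stand-in for the identity provider: issue a compact HS256 JWT (demo only)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps({"sub": sub, "aud": aud, "exp": exp}, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


class AuthError(Exception):
    def __init__(self, status: int, detail: str) -> None:
        super().__init__(detail)
        self.status, self.detail = status, detail


def extract_bearer(authorization: "str | None") -> str:
    # Same decisions HTTPBearer makes: header must exist and its scheme must be "Bearer".
    if authorization is None:
        raise AuthError(401, "missing Authorization header")
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        raise AuthError(401, "expected 'Authorization: Bearer <token>'")
    return token.strip()


def verify_token(token: str, key: bytes = SECRET, aud: str = AUDIENCE, now: "float | None" = None) -> dict:
    try:
        h, p, s = token.split(".")
        header, payload, sig = json.loads(_b64url_decode(h)), json.loads(_b64url_decode(p)), _b64url_decode(s)
    except ValueError:  # covers bad base64 (binascii.Error), bad JSON and wrong segment count
        raise AuthError(401, "malformed token")
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise AuthError(401, "malformed token")
    # Pin the algorithm: never let the token choose how it is verified ('none', RS->HS confusion).
    if header.get("alg") != "HS256":
        raise AuthError(401, "unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        raise AuthError(401, "bad signature")
    now = time.time() if now is None else now
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise AuthError(401, "token expired")
    if payload.get("aud") != aud:  # a valid token for another API must not open this one
        raise AuthError(401, "token not meant for this API")
    return payload


def handle_request(headers: dict, now: "float | None" = None) -> tuple:
    """Toy request handler: (status, body) as the protected route would answer."""
    try:
        payload = verify_token(extract_bearer(headers.get("Authorization")), now=now)
    except AuthError as e:
        return e.status, {"detail": e.detail, "WWW-Authenticate": "Bearer"}
    return 200, {"hello": payload["sub"]}


try:  # the same check wired into FastAPI, only if it is installed
    from fastapi import Depends, FastAPI, HTTPException
    from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer

    app = FastAPI()
    bearer = HTTPBearer()  # 403s on a missing header or non-Bearer scheme before our code runs

    def current_user(creds: HTTPAuthorizationCredentials = Depends(bearer)) -> dict:
        try:
            return verify_token(creds.credentials)
        except AuthError as e:
            raise HTTPException(e.status, e.detail, headers={"WWW-Authenticate": "Bearer"})

    @app.get("/me")
    def me(user: dict = Depends(current_user)) -> dict:
        return {"hello": user["sub"]}
except ImportError:
    app = None
```

Note that HTTPBearer only parses the header; a forged, expired or wrong-audience token still reaches your route unless you validate it in the dependency, as `current_user` does.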

(She showed some example code that I of course couldn’t type over :-) Plus a demo.)

Look at RFC 9700, "Best Current Practice for OAuth 2.0 Security".

https://reinout.vanrees.org/images/2025/pycon-26.jpeg

Photo explanation: picture from our 2024 vacation around Kassel (DE)