AimableDocs
DocsAPI Reference

Auth

Introduction to Authentication in FastAPI

Authentication is a critical component of any API, ensuring that users are who they claim to be and have the necessary permissions to access resources. In FastAPI, the "auth" domain provides endpoints to manage authentication flows, particularly focusing on OpenID Connect (OIDC) and session management. This documentation will guide you through the key concepts, workflows, and practical examples of using the authentication endpoints in FastAPI.

Key Concepts and Entities

OpenID Connect (OIDC)

OIDC is an identity layer built on top of the OAuth 2.0 protocol, allowing clients to verify the identity of an end-user based on the authentication performed by an authorization server. FastAPI provides endpoints to start and handle OIDC authentication flows with various identity providers.

Sessions

Sessions are used to maintain stateful interactions between the client and server. FastAPI supports session management through specific endpoints that handle session creation and maintenance.

Idempotency

Idempotency ensures that multiple identical requests have the same effect as a single request. This is particularly useful in network communications where duplicate requests can occur.

Common Workflows

OIDC Authentication Flow

  1. Start the OIDC Flow: Initiate the authentication process by redirecting the user to the identity provider's login page.

    curl -X GET "https://api.example.com/v1/auth/oidc/google/start?frontend_redirect_uri=https://yourapp.com/callback" -H "X-Tenant-Id: your-tenant-id"

  2. Handle the OIDC Callback: Once the user authenticates, the provider redirects back to your application with a code and state.

    curl -X GET "https://api.example.com/v1/auth/oidc/google/callback?code=auth_code&state=state_value"

  3. Create a Session: Use the authorization code to establish a session.

    curl -X POST "https://api.example.com/v1/auth/oidc/session" -H "Idempotency-Key: unique-key" -d '{"code": "auth_code", "state": "state_value"}'

Refreshing a Session

To maintain a session without requiring the user to re-authenticate, use the refresh endpoint.

curl -X POST "https://api.example.com/v1/refresh" -H "X-API-Key: your-api-key"

Practical Considerations

Authentication

Ensure that all requests to the authentication endpoints are made over HTTPS to protect sensitive information. Use appropriate headers like X-Tenant-Id and Idempotency-Key to manage multi-tenant applications and ensure idempotency.

Error Handling

Handle errors gracefully by checking response codes and messages. For instance, a 400 response might indicate a missing or invalid parameter, while a 401 response indicates authentication failure.

Security

Always validate the state parameter in the OIDC callback to prevent CSRF attacks. Store sensitive tokens securely and avoid exposing them in client-side code.

Pagination

While the endpoints described do not inherently involve pagination, consider implementing pagination strategies in your application where large datasets are involved, such as user lists or logs.

By understanding these concepts and workflows, developers can effectively integrate authentication into their FastAPI applications, ensuring secure and efficient user management.