Using a straight copy-paste of your example application, I get this pickle error.

Traceback (most recent call last):
  File "/Users/scott/.local/bin/uvicorn", line 10, in <module>
    sys.exit(main())
  File "/Users/scott/.local/lib/python3.8/site-packages/click/core.py", line 829, in __call__
    return self.main(*args, **kwargs)
  File "/Users/scott/.local/lib/python3.8/site-packages/click/core.py", line 782, in main
    rv = self.invoke(ctx)
  File "/Users/scott/.local/lib/python3.8/site-packages/click/core.py", line 1066, in invoke
    return ctx.invoke(self.callback, **ctx.params)
  File "/Users/scott/.local/lib/python3.8/site-packages/click/core.py", line 610, in invoke
    return callback(*args, **kwargs)
  File "/Users/scott/.local/lib/python3.8/site-packages/uvicorn/main.py", line 355, in main
    run(**kwargs)
  File "/Users/scott/.local/lib/python3.8/site-packages/uvicorn/main.py", line 379, in run
    server.run()
  File "/Users/scott/.local/lib/python3.8/site-packages/uvicorn/main.py", line 407, in run
    loop.run_until_complete(self.serve(sockets=sockets))
  File "uvloop/loop.pyx", line 1456, in uvloop.loop.Loop.run_until_complete
  File "/Users/scott/.local/lib/python3.8/site-packages/uvicorn/main.py", line 414, in serve
    config.load()
  File "/Users/scott/.local/lib/python3.8/site-packages/uvicorn/config.py", line 300, in load
    self.loaded_app = import_from_string(self.app)
  File "/Users/scott/.local/lib/python3.8/site-packages/uvicorn/importer.py", line 20, in import_from_string
    module = importlib.import_module(module_str)
  File "/Users/scott/.pyenv/versions/3.8.3/lib/python3.8/importlib/__init__.py", line 127, in import_module
    return _bootstrap._gcd_import(name[level:], package, level)
  File "<frozen importlib._bootstrap>", line 1014, in _gcd_import
  File "<frozen importlib._bootstrap>", line 991, in _find_and_load
  File "<frozen importlib._bootstrap>", line 975, in _find_and_load_unlocked
  File "<frozen importlib._bootstrap>", line 671, in _load_unlocked
  File "<frozen importlib._bootstrap_external>", line 783, in exec_module
  File "<frozen importlib._bootstrap>", line 219, in _call_with_frames_removed
  File "./main.py", line 12, in <module>
    @app.get("/", dependencies=[Depends(auth.scope("read:users"))])
  File "/Users/scott/.local/lib/python3.8/site-packages/fastapi_cloudauth/base.py", line 83, in scope
    obj = deepcopy(self)
  File "/Users/scott/.pyenv/versions/3.8.3/lib/python3.8/copy.py", line 172, in deepcopy
    y = _reconstruct(x, memo, *rv)
  File "/Users/scott/.pyenv/versions/3.8.3/lib/python3.8/copy.py", line 270, in _reconstruct
    state = deepcopy(state, memo)
  File "/Users/scott/.pyenv/versions/3.8.3/lib/python3.8/copy.py", line 146, in deepcopy
    y = copier(x, memo)
  File "/Users/scott/.pyenv/versions/3.8.3/lib/python3.8/copy.py", line 230, in _deepcopy_dict
    y[deepcopy(key, memo)] = deepcopy(value, memo)
  File "/Users/scott/.pyenv/versions/3.8.3/lib/python3.8/copy.py", line 146, in deepcopy
    y = copier(x, memo)
  File "/Users/scott/.pyenv/versions/3.8.3/lib/python3.8/copy.py", line 230, in _deepcopy_dict
    y[deepcopy(key, memo)] = deepcopy(value, memo)
  File "/Users/scott/.pyenv/versions/3.8.3/lib/python3.8/copy.py", line 172, in deepcopy
    y = _reconstruct(x, memo, *rv)
  File "/Users/scott/.pyenv/versions/3.8.3/lib/python3.8/copy.py", line 270, in _reconstruct
    state = deepcopy(state, memo)
  File "/Users/scott/.pyenv/versions/3.8.3/lib/python3.8/copy.py", line 146, in deepcopy
    y = copier(x, memo)
  File "/Users/scott/.pyenv/versions/3.8.3/lib/python3.8/copy.py", line 230, in _deepcopy_dict
    y[deepcopy(key, memo)] = deepcopy(value, memo)
  File "/Users/scott/.pyenv/versions/3.8.3/lib/python3.8/copy.py", line 172, in deepcopy
    y = _reconstruct(x, memo, *rv)
  File "/Users/scott/.pyenv/versions/3.8.3/lib/python3.8/copy.py", line 270, in _reconstruct
    state = deepcopy(state, memo)
  File "/Users/scott/.pyenv/versions/3.8.3/lib/python3.8/copy.py", line 146, in deepcopy
    y = copier(x, memo)
  File "/Users/scott/.pyenv/versions/3.8.3/lib/python3.8/copy.py", line 230, in _deepcopy_dict
    y[deepcopy(key, memo)] = deepcopy(value, memo)
  File "/Users/scott/.pyenv/versions/3.8.3/lib/python3.8/copy.py", line 172, in deepcopy
    y = _reconstruct(x, memo, *rv)
  File "/Users/scott/.pyenv/versions/3.8.3/lib/python3.8/copy.py", line 270, in _reconstruct
    state = deepcopy(state, memo)
  File "/Users/scott/.pyenv/versions/3.8.3/lib/python3.8/copy.py", line 146, in deepcopy
    y = copier(x, memo)
  File "/Users/scott/.pyenv/versions/3.8.3/lib/python3.8/copy.py", line 230, in _deepcopy_dict
    y[deepcopy(key, memo)] = deepcopy(value, memo)
  File "/Users/scott/.pyenv/versions/3.8.3/lib/python3.8/copy.py", line 161, in deepcopy
    rv = reductor(4)
TypeError: cannot pickle '_cffi_backend.FFI' object

i have this code

async def init_auth(app: FastAPI) -> None:
    logger.info("Auth: Configuring connection to {0}", repr(AUTH0_DOMAIN))
    app.state.auth0_client = Auth0(domain=AUTH0_DOMAIN)
    logger.info("Auth: Connection configured")


def _get_client(request: Request) -> Auth0:
    return request.app.state.auth0_client


def get_auth() -> Callable:
    return _get_client

init_auth is triggered on app.add_event_handler("startup", init_auth(application))

then this code does work

@router.get("/something",
            response_model=Any,
            dependencies=[
                Depends(get_auth)
            ]
            )
async def get_something(
        request: Request
):
return []

i would like to use auth.scope("read:something") with Depends but i can't seem to make it work

def get_auth_scoped(
        *,
        scope_name: str,
        client: Auth0 = Depends(get_auth)
) -> Callable:
    return client.scope(scope_name=scope_name)

and

@router.get("/something",
            response_model=Any,
            dependencies=[
                Depends(get_auth_scoped(scope_name="read:something"))
            ]
            )
async def get_something(
        request: Request
):
return []

it results in a AttributeError: 'Depends' object has no attribute 'scope'

what am i missing here? please help?

Hi, I am trying to make it work with Firebase. I am using exaclty the same code you have in the examples

import os
from fastapi import FastAPI, Depends
from fastapi_cloudauth.firebase import FirebaseCurrentUser, FirebaseClaims

app = FastAPI()

get_current_user = FirebaseCurrentUser(
    project_id="my-project-id"
)


@app.get("/user/")
def secure_user(current_user: FirebaseClaims = Depends(get_current_user)):
    # ID token is valid and getting user info from ID token
    return f"Hello, {current_user.user_id}"

but I have the following error:

 File "./src/main.py", line 7, in <module>
    get_current_user = FirebaseCurrentUser(
  File "/home/elvis/Documents/dev-tools/API/env/lib/python3.9/site-packages/fastapi_cloudauth/firebase.py", line 28, in __init__
    jwks = JWKS.firebase(url)
  File "/home/elvis/Documents/dev-tools/API/env/lib/python3.9/site-packages/fastapi_cloudauth/verification.py", line 70, in firebase
    keys = {
  File "/home/elvis/Documents/dev-tools/API/env/lib/python3.9/site-packages/fastapi_cloudauth/verification.py", line 71, in <dictcomp>
    kid: jwk.construct(publickey, algorithm="RS256")
  File "/home/elvis/Documents/dev-tools/API/env/lib/python3.9/site-packages/jose/jwk.py", line 79, in construct
    return key_class(key_data, algorithm)
  File "/home/elvis/Documents/dev-tools/API/env/lib/python3.9/site-packages/jose/backends/rsa_backend.py", line 171, in __init__
    raise JWKError(e)
jose.exceptions.JWKError: No PEM start marker "b'-----BEGIN PRIVATE KEY-----'" found

Any idea?

Thank you

Hi guys, thanks for writing this implementation!

I'm currently trying to fit this one into our set-up but I run into an issue with auto_error=False setting not being respected by the dependency injections inside fastapi_cloudauth. Fastapi-cloudauth builds on the fastapi HTTPBearer dependency injection, which raises an HTTPException when the credentials are not found in the headers. To prevent this exception, it supports the auto_error=False option. We need this to support other authentication methods.

Our authentication set-up is based on this medium article to combine multiple types of authentication. To make this work, the "auto_error=False" is essential, to make sure none of the authentication methods block each other. (see example implementation below)

Proposed fix: In base.py, there are these dependency injections for HTTPBearer(), which currently don't pass the auto_error parameter: https://github.com/tokusumi/fastapi-cloudauth/blob/36d947fd3e638683fa1cb96e194bdaa054d92ee9/fastapi_cloudauth/base.py#L153 and https://github.com/tokusumi/fastapi-cloudauth/blob/36d947fd3e638683fa1cb96e194bdaa054d92ee9/fastapi_cloudauth/base.py#L192

These dependencies do support the auto_error parameter, like: HTTPBearer(auto_error=self.auto_error). Possibly you'd want to set this up as a partial function in the constructor.

For reference: example implementation This fails on an HTTPException from HTTPBearer when the OAuth headers are not passed - which unfortunately is the case when another authentication method is used..

api_key_query_dependency = APIKeyQuery(name=settings.api_key_name, auto_error=False)
api_key_header_dependency = APIKeyHeader(name=settings.api_key_name, auto_error=False)
api_key_cookie_dependency = APIKeyCookie(name=settings.api_key_name, auto_error=False)
cognito_auth_dependency = Cognito(region=settings.aws_region,
                                  userPoolId=settings.aws_cognito_user_pool_id,
                                  auto_error=False
                                  ).scope("users")


async def get_authorization(
        api_key_query: str = Security(api_key_query_dependency),
        api_key_header: str = Security(api_key_header_dependency),
        api_key_cookie: str = Security(api_key_cookie_dependency),
        cognito_auth: str = Depends(cognito_auth_dependency),
) -> Security:
    if not cognito_auth \
            or api_key_query == settings.api_key \
            or api_key_header == settings.api_key \
            or api_key_cookie == settings.api_key:
        raise HTTPException(
            status_code=HTTP_403_FORBIDDEN, detail="Could not validate credentials"
        )

First of all I have to admit that I don't fully grasp all the oauth2 and OIDC concepts, which is probably why I stumbled accross this project to begin with, not knowing how to implement all the details myself.

Anyway, I've been reading auth0 documentation and this source code and I see it's possible to retrieve user email using Auth0Claims. But these claims are valid only if FastAPI gets an id_token as Bearer, which is recommended against in this article: https://auth0.com/blog/why-should-use-accesstokens-to-secure-an-api/ that mentions id_token is only meant for the client (which I understand is the frontend, not FastAPI).

I would love to find a reason why the official recommendation is not valid in this project.

In my fastapi API I need to know the user email for every request authorization. That's because I support multi-tenancy, where each user has CRUD access only to their own resources. I think this should be a fairly common scenario.. so I'm puzzled why there wouldn't be a straightforward way to do it.

Hello,

Is there a way to extract user_id from current user (Auth0) Auth0CurrentUser()? For example, if I use:

get_current_user = Auth0CurrentUser("dev-some-domain.eu.auth0.com")

@router.get("/")
async def get_current_user(current_user=Depends(get_current_user)):
    return current_user

as a result, I get a JSON object containing only name and email. Example:

{
  "name": "[email protected]",
  "email": "[email protected]"
}

Using the authorization modal (in the docs) ...

• if I insert an id_token and attempt to access the /users/ endpoint a JWTClaimsError is caught (i.e. "No access_token provided to compare against at_hash claim.")
  • See line 153 in verifications.py
• if I insert an access_token and attempt to access the /users/ endpoint the token_use claim is flagged (because it is equal to "id").
  • See line 86 in cognito.py

What am I missing?

Hi there,

This is almost certainly user error & not a bug, as I'm new to Auth0.

In Auth0, I have configured an application (which is a VueJS client) set up as well as an API (my FastAPI back-end).

I've managed to get authentication working using the example def main_endpoint_test(current_user: AccessUser = Depends(auth.claim(AccessUser))) - when I do this, I can get the user_id/sub, but I don't get the user email.

I tried using the other approach shown in the example: def secure_user(current_user: Auth0Claims = Depends(get_current_user)):. When I use this, I always get a 401 response. I have initialised the get_current_user passing in the domain and client_id as shown in the example - because the domain is working fine in the simpler auth method, maybe my mistake is entering the wrong value for the client_id?

What is the client ID value should I be setting here, is it my Auth0 Application's client ID (i.e. the one for the VueJS client)? Is it the custom API's ID (as far as I can tell, there is no field explicitly labelled "client ID" in auth0's APIs)?

Support a part of #35, multiple scopes with all and any combinator. As:

from fastapi_cloudauth import Operator

@app.get("/access-all/")
def secure_access_and(scope=Depends(auth.scope(["role_admin", "super_admin"]))):
    return f"Hello {scope}"

@app.get("/access-any/")
def secure_access_or(scope=Depends(auth.scope(["role_admin", "super_admin"], op=Operator._any))):
    return f"Hello {scope}"

python-jose doesn't support x509 certificates without the extra install option (anymore? I not quite sure if it was a silent breaking change). This breaks the FirebaseCurrentUser's JWKS generation because google gives x509 files for the public key.

the recommended setup on python-jose is using cryptography as the background, setup as following

pip install python-jose[cryptography]

but is sort of a debate I guess (acknowledging the fact that cryptography requires building and is not a small dependency)

At least it needs some documentation about it, so I would like to know whats good for this library.

First of all, thanks for your work, easy and clear to use 😄

The issue I'm facing isn't related to repo itself, but on how to generate the Auth0 token to have all the needed information to use the methods properly.

For some endpoints that I'm implementing I'll just need to check if the token has the required scopes and for some others I'll need to use: current_user: Auth0Claims = Depends(auth.get_current_user). However I can't find a way to request to Auth0 a token with all of this information: username and scopes. I don't know if I'm misunderstanding some information/concepts or what is going wrong...

Would appreciate some information with the steps to follow. Thanks in advance!

Hey guys so I wanted to request this feature that I think might be an interesting addition to the library that consists of adding on the Authorization documentation of each request under "HTTP Authorization Scheme" a new row called "Scopes Accepted/Required" where it would be a list of the scopes the backend requires for the request to be accepted.

If you guys could point me to where I could start exploring this feature I might be able to develop my self and contribute but right now Im not sure where does the library define documentation sections.

Here is a image of the place I refer to.

I'm a "noob" where Cognito is concerned and could be missing something about accessing the example API's. I've got an AWS User Pool defined with a user created. How do I log that user in, or get a JWT Token to use to authorize the example API to access the endpoints? Thanks for your help.

Here I have attached the Image, I have used a firebase example and just try to run on ubuntu 20. x LTS But it take long time to run while using on local machine (windows) it quickly run with in no time. is there any reason or is there any config where I am making mistake . same code run on local (windows machine ) fine but take long time on cloud which uses ubuntu

I faced with an issue when using congito auth, app client_id is not validating during token verification. So you can path any ID and it will work.

# pass some fake client_id
auth = Cognito(region=aws_region, userPoolId=aws_cognito_userpool_id, client_id='foo-bar')

# access_token - obtained from Cognito
http_auth = HTTPAuthorizationCredentials(scheme='Bearer', credentials=access_token)

await auth.verifier.verify_token(http_auth)
True

The problem is that jwt.decode (jose lib) doesn't expect client_id in token and since aud is not defined it skips validation.

When I use your Python package, things work really well, so many thanks for it. 😀

However, there is one thing, where I ask myself, whether I can do much better here. When I try to reach my doc page, it looks like this:

When I click on the locking the top right, it looks like this

And after I enter the right token_id, I can work with the doc page as intended.

However, getting the token_id is quite cumbersome, as it usually involves curl requests etc.

It would be much nicer, if I am automatically logged in from Auth0, if I authenticated somewhere else in my browser. If I did not authenticate somewhere, then this here pops up

and after authenticating, I can work as intended. Is that possible?