Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/busykoala/fastapi-opa

Fastapi OPA middleware incl. auth flow.
https://github.com/busykoala/fastapi-opa

authentication-flow authorization fastapi fastapi-opa open-policy-agent

Last synced: 2 days ago
JSON representation

Fastapi OPA middleware incl. auth flow.

Host: GitHub
URL: https://github.com/busykoala/fastapi-opa
Owner: busykoala
License: gpl-3.0
Created: 2021-04-03T16:54:48.000Z (almost 4 years ago)
Default Branch: main
Last Pushed: 2025-01-01T20:27:18.000Z (about 1 month ago)
Last Synced: 2025-01-27T08:07:48.281Z (9 days ago)
Topics: authentication-flow, authorization, fastapi, fastapi-opa, open-policy-agent
Language: Python
Homepage:
Size: 583 KB
Stars: 59
Watchers: 4
Forks: 14
Open Issues: 2
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- Contributing: CONTRIBUTING.md
- License: LICENSE

Awesome Lists containing this project

README

        # Open Policy Agent middleware for FastAPI

## Table of contents

- [Contributors](#contributors)

- [What does fastapi-opa do](#about)

- [Installation](#installation)

- [How to get started](#getting-started)

- [Open Policy Agent](#opa)

- [Authentication flow](#auth-flow)

  - [API key authentication](#api-key-auth)

  - [OIDC authentication](#oidc-auth)

  - [SAML authentication](#saml-auth)

- [Custom payload enrichment](#custom-payload-enrichment)

  - [GraphQL enrichment](#gql-enrichment)



## Contributors

Thanks to all the contributors below. Furthermore thanks for raising issues.



  





  





  





  





  





  





  





  





  





## What does fastapi-opa do

The FastAPI extension `fastapi-opa` allows to add login flows and integrates

Open Policy Agent to your app.

![Flow Diagram](https://raw.githubusercontent.com/busykoala/fastapi-opa/master/assets/diagram.png)

The middleware redirects the request to the identity provider. After the

authentication it validates the token. Using the token, Open Policy Agent

decides if the response has success or failure status.



## Installation

```bash

poetry add [--extras "graphql"] [--extras "saml"] fastapi-opa 

```



## How to get started

:bulb: checkout the wiki for an environment setup with Keycloak and Open Policy Agent:  

[Getting Started with FastAPI app with Authentication and Authorization](https://github.com/busykoala/fastapi-opa/wiki#dev-setup)

The package combines authentication and authorization with FastAPI. You can

customize the `OPAMiddleware` depending on your authentication flow.

Check out these examples for the most common flows:

- OIDC: `fastapi_opa.example_oidc.py`

- SAML: `fastapi_opa.example_saml.py`

## Open Policy Agent

The middleware sends the validated and authenticated user token to Open

Policy Agent. It adds the extra attributes `request_method` and

`request_path`.

```json

{

    "input": {

        "exp": 1617466243,

        "iat": 1617465943,

        "auth_time": 1617465663,

        "jti": "9aacb638-70c6-4f0a-b0c8-dbc67f92e3d1",

        "iss": "http://localhost:8080/auth/realms/example-realm",

        "aud": "example-client",

        "sub": "ccf78dc0-e1d6-4606-99d4-9009e74e3ab4",

        "typ": "ID",

        "azp": "david",

        "session_state": "41640fe7-39d2-44bc-818c-a3360b36fb87",

        "at_hash": "2IGw-B9f5910Sll1tnfQRg",

        "acr": "0",

        "email_verified": false,

        "hr": "true",

        "preferred_username": "david",

        "user": "david",

        "subordinates": [],

        "request_method": "GET",

        "request_path": ["finance", "salary", "david"]

    }

}

```

In Open Policy Agent you can create policies using user roles,

routes, request methods etc.

An example policy (from [the official Open Policy Agent

docs](https://www.openpolicyagent.org/docs/v0.11.0/http-api-authorization/))

for this setup could look like this:

```rego

package httpapi.authz

# bob is alice's manager, and betty is charlie's.

subordinates = {"alice": [], "charlie": [], "bob": ["alice"], "betty": ["charlie"]}

# HTTP API request

import input

default allow = false

# Allow users to get their own salaries.

allow {

  some username

  input.request_method == "GET"

  input.request_path = ["finance", "salary", username]

  input.user == username

}

# Allow managers to get their subordinates' salaries.

allow {

  some username

  input.request_method == "GET"

  input.request_path = ["finance", "salary", username]

  subordinates[input.user][_] == username

}

```



## Authentication flow

Use the provided interface to set up your desired authentication flow. Then

insert it into `OPAMiddleware` (`fastapi_opa.auth.auth_interface.AuthInterface`).

Consider submitting a pull request with new flows.

You can also use these ready-to-go implementations:



### API key authentication

In the API key authentication a request header needs to match a given value.

```python

# Configure API keys

api_key_config = APIKeyConfig(

    header_key="test",

    api_key="1234"

)

api_key_auth = APIKeyAuthentication(api_key_config)

```

In the example the header `header["test"] = "1234"` authenticates the request.

For Open Policy Agent, set user to `APIKey` and the variable `client` to the

client address.



### OIDC authentication

The example in [How to get started](#getting-started) provides an example for

the implementation of the OIDC Authentication.



### SAML authentication

For the saml implementation create your certs using

`openssl req -new -x509 -days 3652 -nodes -out sp.crt -keyout sp.key` and

add the keys to the sp section of your `settings.json`. Checkout the test

settings to get an idea (`tests/test_data/saml/*.json`).

Provide the path to your own `settings.json` and `advanced_settings.json`

in the `SAMLAuthConfig` like in the example below (don't use the test data in

production).

```python

from fastapi_opa import OPAConfig

from fastapi_opa.auth.auth_saml import SAMLAuthentication

from fastapi_opa.auth.auth_saml import SAMLConfig

opa_host = "http://localhost:8181"

saml_config = SAMLConfig(settings_directory="./tests/test_data/saml")

saml_auth = SAMLAuthentication(saml_config)

opa_config = OPAConfig(authentication=saml_auth, opa_host=opa_host,

                       accepted_methods=["id_token", "access_token"])

```

Upload the certificate to your identity provider. Using Keycloak as an

identity provider you need to configure `encrypt assertion`,

`client signature required`, `force POST bindings` on creating the client.

Also configure: `Client Scopes` -> `role_list (saml)` -> `Mappers tab` ->

`role list` -> `Single Role Attribute`



## Custom payload enrichment

Use the interface `fastapi_opa.opa.opa_config.Injectable` to add

more information to the payload sent to Open Policy Agent.

Configure the injectables in the `OPAConfig`:

```python

class FancyInjectable(Injectable):

    async def extract(self, request: Request) -> List:

        return ["some", "custom", "stuff"]

fancy_inj = FancyInjectable("fancy_key", skip_endpoints=["/health", "/api/[^/]*/test])

opa_config = OPAConfig(

    authentication=oidc_auth, opa_host=opa_host, injectables=[fancy_inj]

)

```

Use `skip_endpoints` to choose which endpoints the injectable shouldn't affect.

To define an endpoint, specify an exact string or a regular expression.



### GraphQL enrichment

For GraphQL you can use the ready to go injectable:

```python

from fastapi_opa.opa.enrichment.graphql_enrichment import GraphQLInjectable`

graphql = GraphQLInjectable("gql_injectable")

opa_config = OPAConfig(authentication=oidc_auth, opa_host=opa_host, injectables=[graphql])

```