Python FastAPI: Some Further Studies on OAuth2 Security
FastAPI provides excellent tutorials that thoroughly introduce the framework. Two of its sections on security, Tutorial - User Guide Security and Advanced User Guide Security, raised further questions, which we discuss in this post. Hopefully this discussion leads to a better understanding of how FastAPI security works.
🐍 Index of the Complete Series.
Python FastAPI: Some Further Studies on OAuth2 Security
I intend to conduct further studies on the FastAPI framework and document any necessary issues I encounter.
This post begins with an example from the Simple OAuth2 with Password and Bearer section of the Tutorial - User Guide Security. The discussion also applies to the later OAuth2 examples in the official tutorial, which use JSON Web Tokens and scopes.
❶ My first question concerns OAuth2PasswordBearer: how does Swagger UI remember the access_token?
When running this example and accessing Swagger UI, we encounter a page like the one shown in the screenshot below:
Following the tutorial, we log in via the Authorize button with the credentials johndoe and secret, then call the /users/me path; we receive a successful response, as shown in the screenshot below:
We can observe that the token johndoe was sent in the Authorization header (as Bearer johndoe), as described in the tutorial. It is the client's responsibility to remember the access_token; the server returns it from /token and keeps no copy. Initially, I assumed that Swagger UI might store it as a cookie. However, as seen in the screenshot below, this was not the case:
If we refresh the Swagger UI page now and call the /users/me path again, we are no longer authenticated. This can be verified by clicking Authorize again, then refreshing the browser; /users/me then returns "Not authenticated".
🚀 It appears that the Swagger UI client merely remembers the access_token in memory. While this point may not be significantly important, I would still like to understand it.
❷ The second question is whether the /token path within Swagger UI works equivalently to the Authorize button.
This question arises naturally because the /token path displays the same login form as the Authorize button, as depicted in the screenshot below:
Additionally, the response from the /token path is identical to that of the Authorize button, as shown in the screenshot below:
However, despite this similarity, calling /users/me afterwards returns "Not authenticated", as seen below:
🚀 Within Swagger UI, then, the /token path does NOT work the same as the Authorize button. Executing /token with "Try it out" is just an ordinary request: the token comes back in the response body, but Swagger UI only stores a token that was entered through the Authorize dialog; it does not read one out of a response.
I feel the need to emphasize this point because I experienced confusion when
I based my code on this example. Absent-mindedly, I clicked on the /token
path, and while the login was successful, the protected paths “suddenly failed” within
Swagger UI! This left me confused for a little while until I realised what I had done.
❸ Building on the two previous questions, the final question is: if I use Postman to call the path /users/me with the Authorization header set to Bearer johndoe and to Bearer alice, would I receive successful responses? I anticipated that I would, and indeed that was the case, as shown in the screenshots below:
🚀 It's quite logical. Everything would fall apart if this didn't work 😂 It also shows why this example is only a teaching device: the access_token is literally the username, so any client that knows a username can forge a valid Authorization header without ever calling /token. The tutorial's later JSON Web Token example replaces it with a signed token for exactly this reason.
We conclude this post here. While it may not cover anything significant, these are the questions that help me understand FastAPI better.
In a future post, we'll delve into building our own login UI and how the /token path, OAuth2PasswordBearer, and OAuth2PasswordRequestForm come together in our custom login process.
Thank you for reading. I hope you find the information in this post useful. Stay safe, as always.
✿✿✿
Feature image source:
- https://www.omgubuntu.co.uk/2022/09/ubuntu-2210-kinetic-kudu-default-wallpaper
- https://in.pinterest.com/pin/337277459600111737/
- https://fastapi.tiangolo.com/