fastapi_aad_auth.providers.aad
AAD OAuth handlers.
- class fastapi_aad_auth.providers.aad.AADConfig(**kwargs)
Configuration for the AAD application.
Includes expected claims, application registration, etc.
Can also provide additional client application ids to accept.
A list of roles can be provided to accept (requires configuring the roles in the AAD application registration manifest).
- Keyword Arguments
- flow_type (fastapi_aad_auth._base.validators.token.OAuthFlowType) -- Select the OpenAPI OAuth2 flow [default: OAuthFlowType.authorizationCode] (Can be set by FASTAPI_AUTH_OPENAPI_OAUTH2_FLOW environment variable)
- token_scopes (dict) -- Set the (global) token scopes (Can be set by FASTAPI_AUTH_TOKEN_SCOPES environment variable)
- client_id (pydantic.types.SecretStr) -- Application Registration Client ID (Can be set by AAD_CLIENT_ID environment variable)
- tenant_id (pydantic.types.SecretStr) -- Application Registration Tenant ID (Can be set by AAD_TENANT_ID environment variable)
- client_secret (pydantic.types.SecretStr) -- Application Registration Client Secret (if required) (Can be set by AAD_CLIENT_SECRET environment variable)
- scopes (list) -- Additional scopes requested - if the scope is not configured to the application this will throw an error when validating the token
- client_app_ids (list) -- Additional Client App IDs to accept tokens from (when running as a backend service) (Can be set by AAD_CLIENT_APP_IDS environment variable)
- strict (bool) -- Check that all claims are provided [default: True] (Can be set by AAD_STRICT_CLAIM_CHECK environment variable)
- api_audience (str) -- Corresponds to the Application ID URI - used for token validation, defaults to api://{client_id} (Can be set by AAD_API_AUDIENCE environment variable)
- redirect_uri (pydantic.networks.HttpUrl) -- The redirect URI to use - overwrites the default path handling etc (Can be set by AAD_REDIRECT_URI environment variable)
- prompt (str) -- AAD prompt to request (Can be set by AAD_PROMPT environment variable)
- domain_hint (str) -- AAD domain hint (Can be set by AAD_DOMAIN_HINT environment variable)
- roles (list) -- AAD roles required in claims (Can be set by AAD_ROLES environment variable)
- token_type (fastapi_aad_auth.providers.aad.TokenType) -- The AAD token type to use to validate (we should use the access token if it is configured, unless we are acting as a pure UI component) [default: TokenType.access]
- jwks_cache_ttl (int) -- Cache Time to Live value for MS JWKs token (Can be set by AAD_JWKS_CACHE_TTL environment variable)
- class fastapi_aad_auth.providers.aad.AADProvider(session_validator: fastapi_aad_auth._base.validators.session.SessionValidator, client_id: str, tenant_id: str, prompt: typing.Optional[str] = None, client_secret: typing.Optional[str] = None, scopes: typing.Optional[typing.List[str]] = None, enabled: bool = True, client_app_ids: typing.Optional[typing.List[str]] = None, strict_token: bool = True, api_audience: typing.Optional[str] = None, redirect_uri: typing.Optional[str] = None, domain_hint: typing.Optional[str] = None, user_klass: type = <class 'fastapi_aad_auth._base.state.User'>, oauth_base_route: str = '/oauth', token_type: typing.Union[str, fastapi_aad_auth.providers.aad.TokenType] = TokenType.access, token_scopes: typing.Optional[typing.Dict[str, str]] = None, flow_type: fastapi_aad_auth._base.validators.token.OAuthFlowType = OAuthFlowType.authorizationCode, roles: typing.Optional[typing.List[str]] = None, jwks_cache_ttl: int = 0)
fastapi auth backend for Azure Active Directory.
Initialise the auth backend.
- Args:
session_serializer: Session serializer object
client_id: Client ID from Azure App Registration
tenant_id: Tenant ID to connect to for Azure App Registration
- Keyword Args:
prompt: Prompt options for Azure AD
client_secret: Client secret value
scopes: Additional scopes requested
enabled: Boolean flag to enable this backend
client_app_ids: List of client apps to accept tokens from
strict_token: Strictly evaluate token
api_audience: Api Audience declared in Azure AD App registration
redirect_uri: Full URI for post authentication callbacks
domain_hint: Hint for the domain
user_klass: Class to use as a user.
flows: Customise the OAuth2 Flows in the OpenAPI docs
DEPRECATED - fastapi_aad_auth.oauth.aad:AADOAuthBackend will be deprecated in version 0.2.0, and is replaced by fastapi_aad_auth.providers.aad:AADProvider
- classmethod from_config(session_validator, config, provider_config, user_klass: Optional[type] = None)
Load the auth backend from a config.
- Parameters
session_validator (SessionValidator) -- the session validator to use
config -- Loaded configuration
- Keyword Arguments
user_klass -- The class to use as a user
- class fastapi_aad_auth.providers.aad.AADSessionAuthenticator(session_validator, token_validator, client_id, tenant_id, redirect_path='/oauth/aad/redirect', prompt=None, client_secret=None, scopes=None, redirect_uri=None, domain_hint=None, token_type=TokenType.access)
AAD Authenticator for interactive (UI) sessions.
Initialise AAD Authenticator for interactive (UI) sessions.
- class fastapi_aad_auth.providers.aad.AADTokenValidator(client_id: str, tenant_id: str, api_audience: typing.Optional[str] = None, scheme_name: typing.Optional[str] = None, scopes: typing.Optional[dict] = None, auto_error: bool = False, enabled: bool = True, use_pkce: bool = True, strict: bool = True, client_app_ids: typing.Optional[typing.List[str]] = None, user_klass: type = <class 'fastapi_aad_auth._base.state.User'>, flow_type: fastapi_aad_auth._base.validators.token.OAuthFlowType = OAuthFlowType.authorizationCode, roles: typing.Optional[typing.List[str]] = None, jwks_cache_ttl: int = 0)
Validator for AAD token based authentication.
Initialise validator for AAD token based authentication.
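The options shared by AADConfig and AADTokenValidator (api_audience defaulting to api://{client_id}, client_app_ids, roles, strict) describe the rules applied to a token's claims. The following self-contained Python is an added illustration of those rules, not fastapi_aad_auth's own code: it works on an already-signature-verified claims dict and reports every rule that fails. The claim names it reads (aud, tid, exp, iss, appid for v1 access tokens and azp for v2) are the standard Azure AD access-token claims and are an assumption about what the library inspects; all ids in the sample claims are constructed placeholders.

```python
"""Illustrative claims check mirroring the AADConfig/AADTokenValidator options.

Added example, not fastapi_aad_auth's own code. It assumes the JWT signature has
already been verified against the tenant's JWKS and operates on the decoded
claims. Claim names (aud, iss, exp, tid, appid/azp, roles) are the standard
Azure AD access-token claims, an assumption about what the library checks.
"""
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ClaimPolicy:
    """Subset of the AADConfig options that drive claim validation."""
    client_id: str
    tenant_id: str
    api_audience: Optional[str] = None           # None -> api://{client_id}
    client_app_ids: List[str] = field(default_factory=list)
    roles: List[str] = field(default_factory=list)
    strict: bool = True                           # all expected claims must be present

    @property
    def audience(self) -> str:
        return self.api_audience or f"api://{self.client_id}"

    @property
    def accepted_app_ids(self) -> set:
        # The application itself plus any additional backend callers.
        return {self.client_id, *self.client_app_ids}


# Claims a strict policy insists on before the token is trusted at all.
EXPECTED_CLAIMS = ("aud", "iss", "exp", "tid")


def validate_claims(claims: Dict, policy: ClaimPolicy, now: Optional[float] = None) -> List[str]:
    """Return a list of failure descriptions; an empty list means the token passes."""
    now = time.time() if now is None else now
    failures: List[str] = []

    # strict: every expected claim must be present (non-strict only checks what is there).
    missing = [c for c in EXPECTED_CLAIMS if c not in claims]
    if missing and policy.strict:
        failures.append(f"missing claims: {', '.join(missing)}")

    # Audience: the token must have been minted for this API's Application ID URI.
    aud = claims.get("aud")
    if aud != policy.audience:
        failures.append(f"audience {aud!r} != {policy.audience!r}")

    # Tenant: the token must come from the configured tenant.
    if claims.get("tid") != policy.tenant_id:
        failures.append("tenant mismatch")

    # Caller: v1 tokens carry appid, v2 tokens carry azp (assumed claim names).
    caller = claims.get("appid") or claims.get("azp")
    if caller not in policy.accepted_app_ids:
        failures.append(f"client app {caller!r} not accepted")

    # Expiry, evaluated against the supplied clock so the check is deterministic.
    exp = claims.get("exp")
    if exp is None or exp <= now:
        failures.append("token expired or has no exp")

    # Roles: every configured role must be present in the token's roles claim.
    wanted = set(policy.roles)
    granted = set(claims.get("roles", []))
    if wanted and not wanted.issubset(granted):
        failures.append(f"required roles missing: {sorted(wanted - granted)}")

    return failures


# Constructed sample policy and claims; the GUIDs are placeholders, not real ids.
POLICY = ClaimPolicy(
    client_id="00000000-0000-0000-0000-000000000001",
    tenant_id="00000000-0000-0000-0000-0000000000aa",
    client_app_ids=["00000000-0000-0000-0000-000000000002"],
    roles=["Reader"],
)

GOOD_CLAIMS = {
    "aud": "api://00000000-0000-0000-0000-000000000001",
    "iss": "https://sts.windows.net/00000000-0000-0000-0000-0000000000aa/",
    "tid": "00000000-0000-0000-0000-0000000000aa",
    "appid": "00000000-0000-0000-0000-000000000002",   # an accepted backend caller
    "exp": 2_000_000_000,
    "roles": ["Reader", "Writer"],
}

WRONG_AUDIENCE = dict(GOOD_CLAIMS, aud="api://some-other-app")

if __name__ == "__main__":
    clock = 1_900_000_000
    print("good token:", validate_claims(GOOD_CLAIMS, POLICY, now=clock))
    print("wrong audience:", validate_claims(WRONG_AUDIENCE, POLICY, now=clock))
```

Each rule maps back to one configuration option: the audience comparison is api_audience, the accepted-caller set is client_id plus client_app_ids, the role subset check is roles, and the presence check on EXPECTED_CLAIMS is what strict turns on or off. Returning every failure rather than the first makes the reason visible in logs when a token from a newly registered client app is rejected.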