Is there any approach to get an access token without credentials? My Api have a fixed token as a constant, and what i'm doing is sending the "secret fixed token" from the client in the header of the http request so the middleware asks to the API if the fixed token matches.
FIXED_TOKEN = 'RandomHardcodedToken'
@app.post("/auth")
async def auth_basic(token: str = Body(embed=True)):
print(token)
if(token!=FIXED_TOKEN):
raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail='Invalid Token')
My questions is : ¿Is this a bad practice? ¿Is there a good practice (like using auth2.0 with JWT or something like that) ?
If you mean without user credentials, you can use the OAuth 2.0 Client Credentials Grant type. https://datatracker.ietf.org/doc/html/rfc6749#section-4.4
There are a few different ways to set up what you've briefly described, but first you must figure out what roles each of the components in your architecture plays. Your backend might be the client which fetches an access token from the Authorization Server by sending it client credentials (typically an id and secret). Your middleware is the resource server (or the protector of it). It would receive the token and send the access token to the authorization server to validate it or validate it locally itself.