How to accept dual authentication for unprotected routes?
I've been using https://github.com/intility/fastapi-azure-auth to authenticate my uses using Azure. It's working with no issues. But for some api endpoints I need to allow users to access via API key inside the headers. I have the following code:
The unprotected endpoint:
@router.get("/", response_model=list[ContractSchema])
def get_contracts(
filters: ContractFilter = Depends(),
db: Session = Depends(get_db),
user: User = Depends(dual_authentication),
) -> list[ContractSchema]:
return []
the configuration of Azure auth and the scheme:
from fastapi_azure_auth.auth import SingleTenantAzureAuthorizationCodeBearer
from fastapi_azure_auth.user import User
azure_scheme = SingleTenantAzureAuthorizationCodeBearer(
app_client_id=settings.azure_ad.app_client_id,
tenant_id=settings.azure_ad.tenant_id,
token_version=1,
scopes={f"api://{settings.azure_ad.app_client_id}/user_impersonation": "user_impersonation"},
)
api_key_scheme = APIKeyHeader(name="x-api-key", auto_error=False)
protected_dependencies = [Security(azure_scheme, scopes=["user_impersonation"])]
def dual_authentication(
api_key: Optional[str] = Security(api_key_scheme),
azure_token: Optional[User] = Depends(azure_scheme)
) -> User:
"""Authenticate via API key or Azure AD."""
# Check for API key in the header and validate
if _is_api_key_present_and_valid(api_key):
return EXTERNAL_API_USER
# Fall back to Azure AD authentication
if azure_token:
return azure_token
# If neither is valid, raise an error
raise HTTPException(status_code=401, detail="User not authenticated")
This setup works fine with Swagger as well as using curl requests with Authorization Bearer token from Azure inside headers.
But when I do curl request to the endpoint with x-api-key in the headers without Authorization Bearer token from Azure, it gives me 401 Unauthorized error.
I know this is normal as I put Depends(azure_scheme) in the dual_authentication method. But if I remove this, then from swagger I can't access the endpoint even though I authorize using Azure. It's because, then the Authorization Bearer token is not passed in headers for this endpoint.
How to resolve that, so that the endpoint accepts either of the mechanism from Swagger and Curl requests? Which means,
- from swagger api: I authorize and send a request with authorization token in headers. 200 OK
- from curl: curl -H "X-API-Key: " http://localhost:8000/. 200 OK
- from curl: curl -H "Authorization: Bearer " http://localhost:8000/. 200 OK
The folder structure:
The configuration is in dependencies.py file. The route is in api/v1/contracts.py file.
The default OAuth schemes included with FastAPI has the auto_error configuration argument to say whether the bearer dependency should generate an error (the default) or return None instead (and let you handle the failed authentication).
The same is the case for SingleTenantAzureAuthorizationCodeBearer. This allows you to define a second azure scheme that allows authentication to fail:
azure_scheme = SingleTenantAzureAuthorizationCodeBearer(
app_client_id=settings.azure_ad.app_client_id,
tenant_id=settings.azure_ad.tenant_id,
token_version=1,
scopes={f"api://{settings.azure_ad.app_client_id}/user_impersonation": "user_impersonation"},
)
azure_scheme_allow_unauthenticated = SingleTenantAzureAuthorizationCodeBearer(
auto_error=False, # <------
app_client_id=settings.azure_ad.app_client_id,
tenant_id=settings.azure_ad.tenant_id,
token_version=1,
scopes={f"api://{settings.azure_ad.app_client_id}/user_impersonation": "user_impersonation"},
)
You can then depend on this other scheme in your dual authentication function:
def dual_authentication(
api_key: Optional[str] = Security(api_key_scheme),
azure_token: Optional[User] = Depends(azure_scheme_allow_unauthenticated)
) -> User:
# raise exception if neither authentication is valid (as it seems you're doing already)
- Get username from Azure Identity
- What prevents Databricks IP access lists from being executed
- HTTP 404 error with Swagger UI on Azure Functions app
- Azure devops - build number vs build id
- Unable to Retrieve Hidden MailFolders (isHidden = true) with Microsoft Graph API
- Parse array & json to right numbers of column
- Run script on Azure VM Scale Set when deprovisioning
- Azure Pipeline to trigger Pipeline using YAML
- Keycloak Admin Console Login - Infinite Loop
- Make Azure Keyvault secrets available in entire pipeline
- Azure Logic Apps - Queries for telemetry 2.0 show no results
- Print function not working without flush=True when used with the While loop
- Cannot authorize variable group in Azure Pipelines
- Azure Maps rejecting Route Request with ZipCode
- Create-React-App hosted in Azure getting a 404 with manual refresh or by typing the url manually on any page except the home page
- How to set up a simple Next.js web app with CI/CD on Azure?
- How to avoid explicitly acquiring access tokens when calling Microsoft Graph API in Node.js?
- Why I'm getting 404 Resource Not Found to my newly Azure OpenAI deployment?
- Scanning for malware in files uploaded to Azure
- Azure blob, controlling filename on download
- How to delete/clear active/dead-letter messages from Azure Service Bus Queue?
- How to Generate .AAB file and Sign Android app Bundle using azure pipeline
- Get Access Token from Microsoft Graph for ClientId with delegated permissions
- Can't create password containing parentheses in Azure CLI
- Azure Web App Cannot Access Azure Container Registry Using Managed Identity
- Azure Access token just created but not capable to verify that is authentic
- Querying azure table storage for null values
- Azure App Functions, Storage queue trigger
- Error while running Terraform Import Command to import Azure Key Vault
- How to get Node.js app running on Azure App Service?