fastapi-azure-auth: Scopes missing in /docs at each endpoint padlock

Describe the bug: Scopes are missing if we select the padlock symbol next to each API endpoint while trying to authorize. They do appear when we select the Authorize button at the top.

To Reproduce: use the Azure scheme below

azure_scheme = SingleTenantAzureAuthorizationCodeBearer(
    app_client_id=settings.APP_CLIENT_ID,
    tenant_id=settings.TENANT_ID,
    scopes={
        f'api://{settings.APP_CLIENT_ID}/user_impersonation': 'user_impersonation',
    }
)

Use this scheme as a dependency for your endpoint

app.include_router(api_router, prefix=settings.API_V1_STR, dependencies=[Security(azure_scheme, scopes=['user_impersonation'])])

Go to /docs

You can see the scopes when you click the Authorize button

If you click on the padlock, the scopes are missing

and I am unable to authorize, as I am getting the below error…

About this issue

  • State: open
  • Created 2 years ago
  • Comments: 15 (13 by maintainers)

Most upvoted comments

Right now both pydantic v1 and v2 work. However, as stated in other issues, I don’t really plan on supporting v1 pydantic other than on a backport branch for security releases.

Pydantic v1 is no longer actively developed and will only receive security fixes. I know fastapi supports both and probably will for some time, but there’s no reason for every single package out there to support both, in my opinion.
Please let me know if you disagree.

With @rhuanbarreto's hint I can confirm the tickbox is selected automatically and it’s possible to auth in endpoints directly.

Here’s what I do for B2C:

SCOPE_NAME = f'https://{settings.TENANT_NAME}.onmicrosoft.com/{settings.APP_CLIENT_ID}/user_impersonation'
SCOPE_DESCRIPTION = 'user_impersonation'
SCOPES = {SCOPE_NAME: SCOPE_DESCRIPTION}

azure_scheme = B2CMultiTenantAuthorizationCodeBearer(
    app_client_id=settings.APP_CLIENT_ID,
    openid_config_url=OPENID_CONFIG_URL,
    openapi_authorization_url=OPENID_AUTH_URL,
    openapi_token_url=OPENID_TOKEN_URL,
    scopes=SCOPES,
    validate_iss=False,
    auto_error=False,
)

Then use the scope in the FastAPI.app instance:

app = FastAPI(
    swagger_ui_oauth2_redirect_url='/oauth2-redirect',
    swagger_ui_init_oauth={
        'usePkceWithAuthorizationCodeGrant': True,
        'clientId': settings.OPENAPI_CLIENT_ID,
        'scopes': SCOPE_NAME
    },
)

If you preset the scope in the swagger_ui_init_oauth option, then you have the checkbox ticked automatically.

@Pkumar-1988, we have to wait for FastAPI maintainers (tiangolo specifically) to respond first. If they accept and merge, I’ll have to edit how we handle scopes in this package, since Azure doesn’t accept and respond with the same kind of scopes (unfortunately).

In other words: I have no idea, it is in FastAPI's hands now. 😊
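
Added example, not code from fastapi-azure-auth or from anyone in this thread: a lint over an OpenAPI document that lists operations requiring a scope name their OAuth2 scheme never declares, which is the shape the reproduction in the issue produces (the scheme declares `api://<client id>/user_impersonation`, the router requires `user_impersonation`). That this mismatch is what leaves the padlock dialog empty is an assumption; the scheme name `AzureAuth`, the client id and the paths in the sample are constructed.

```python
HTTP_METHODS = {"get", "put", "post", "delete", "patch", "options", "head", "trace"}


def declared_scopes(schema):
    """Map each OAuth2 security scheme name to the scope keys its flows declare."""
    schemes = schema.get("components", {}).get("securitySchemes", {})
    result = {}
    for name, scheme in schemes.items():
        if scheme.get("type") != "oauth2":
            continue
        keys = set()
        for flow in scheme.get("flows", {}).values():
            keys.update(flow.get("scopes", {}))
        result[name] = keys
    return result


def undeclared_scope_requirements(schema):
    """Return (method, path, scheme, missing) per operation needing undeclared scopes."""
    declared = declared_scopes(schema)
    findings = []
    for path, item in schema.get("paths", {}).items():
        for method, op in item.items():
            if method not in HTTP_METHODS:
                continue
            # Operation-level security overrides the document-level default.
            for requirement in op.get("security", schema.get("security", [])):
                for scheme, scopes in requirement.items():
                    if scheme not in declared:
                        continue
                    missing = sorted(set(scopes) - declared[scheme])
                    if missing:
                        findings.append((method.upper(), path, scheme, missing))
    return findings


CLIENT_ID = "00000000-0000-0000-0000-000000000000"  # constructed placeholder
SAMPLE = {  # constructed OpenAPI fragment mirroring the issue's configuration
    "components": {"securitySchemes": {"AzureAuth": {
        "type": "oauth2",
        "flows": {"authorizationCode": {
            "scopes": {f"api://{CLIENT_ID}/user_impersonation": "user_impersonation"},
        }},
    }}},
    "paths": {
        "/api/v1/items": {"get": {"security": [{"AzureAuth": ["user_impersonation"]}]}},
        "/api/v1/ok": {"get": {"security": [{"AzureAuth": [f"api://{CLIENT_ID}/user_impersonation"]}]}},
    },
}
```

Against a real application the same functions can be given the dictionary returned by `app.openapi()`.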