I am using an external OAuth2 service for SSO which is basically a Keycloak server.
So far I have been able to use the implicit flow:
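```python
from fastapi.openapi.models import OAuthFlowImplicit, OAuthFlows
from fastapi.security import OAuth2

base_url = "https://some.keycloak.server.com/auth/realms/main/protocol/openid-connect/"
# The client_id is hard-coded into the authorization URL as a query parameter.
oauth2_scheme = OAuth2(
    flows=OAuthFlows(
        implicit=OAuthFlowImplicit(
            authorizationUrl=base_url + "auth" + "?client_id=my-app-id"
        )
    )
)
```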
With this code I get the following prompt when I press authorize:

What is strange here is that I cannot prefill the _client_id_ prompt, so I have to give it a hard-coded query header in the _authorizationUrl_. If I do this, swaggerUI ignores what I write in the _client_id_ prompt, but I am redirected to the SSO website and everything works fine.
But in reality, I should just be able to use the OpenIdConnect security scheme:
```python
oauth2_scheme = OpenIdConnect(openIdConnectUrl=base_url)
```
So far, I've tried many combinations of URLs, but none of them work, including the automatic discovery URL that is said in the documentation:
https://some.keycloak.server.com/auth/realms/main/.well-known/openid-configuration
So my question is what is the expected URL from the API?
I checked the endpoints in https://connect2id.com/products/server/docs/api, but none of them worked.
Thanks! 😄
When you go to:
https://some.keycloak.server.com/auth/realms/main/.well-known/openid-configuration
You will retrieve a JSON output with keys and values.
One of the keys is 'authorization_endpoint', the value should be used as authorizationUrl.
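The lookup described in the reply above, as an added example that is not part of the original thread: it checks a discovery document before trusting its `authorization_endpoint` and builds the OpenAPI `securitySchemes` entry for the implicit flow. The function name, the `REALM` constant, the sample document and the same-host policy are assumptions made for illustration.

```python
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
REALM = "https://some.keycloak.server.com/auth/realms/main"

# Constructed, trimmed discovery document (not output captured from a real server).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": REALM,
    "authorization_endpoint": REALM + "/protocol/openid-connect/auth",
    "response_types_supported": ["code", "id_token", "id_token token"],
    "scopes_supported": ["openid", "profile", "email"],
})


def implicit_scheme_from_discovery(discovery_url, document, scopes=()):
    """Validate a discovery document, then build the OpenAPI securitySchemes entry."""
    if not discovery_url.endswith(WELL_KNOWN):
        raise ValueError("not an OpenID Connect discovery URL")
    expected_issuer = discovery_url[: -len(WELL_KNOWN)]
    meta = json.loads(document)

    # OpenID Connect Discovery: "issuer" must equal the URL prefix it was fetched from.
    if meta.get("issuer") != expected_issuer:
        raise ValueError("issuer does not match the discovery URL")

    endpoint = meta.get("authorization_endpoint", "")
    parts = urlsplit(endpoint)
    # Assumed local policy: HTTPS only, and on the issuer's own host.
    if parts.scheme != "https" or parts.netloc != urlsplit(expected_issuer).netloc:
        raise ValueError("authorization_endpoint is not HTTPS on the issuer host")

    # The implicit flow needs a response type that returns an access token.
    supported = meta.get("response_types_supported", [])
    if not any("token" in rt.split() for rt in supported):
        raise ValueError("server does not advertise an implicit response type")

    unknown = set(scopes) - set(meta.get("scopes_supported", []))
    if unknown:
        raise ValueError(f"scopes not advertised by the server: {sorted(unknown)}")

    implicit = {"scopes": {s: s for s in scopes}, "authorizationUrl": endpoint}
    return {"OAuth2": {"type": "oauth2", "flows": {"implicit": implicit}}}


if __name__ == "__main__":
    scheme = implicit_scheme_from_discovery(REALM + WELL_KNOWN, SAMPLE_DISCOVERY, ["openid"])
    print(json.dumps({"securitySchemes": scheme}, indent=2))
```
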
I tried that but I get an empty window when I press the authorize button:

Is this problem on the keycloak's server end then?
You might need to set a scope, my code:
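```python
from fastapi.openapi.models import OAuthFlowImplicit, OAuthFlows
from fastapi.security import OAuth2

OAUTH2_SCHEME = OAuth2(
    flows=OAuthFlows(
        implicit=OAuthFlowImplicit(
            authorizationUrl="some_authorization_endpoint_url",
            scopes={"scopekey": "scopevalue"},
        )
    )
)
```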
Could you also take a look at the generated openapi.json?
Based on the code above, the generated openapi.json should have the securitySchemes value:
```json
"securitySchemes": {
  "OAuth2": {
    "type": "oauth2",
    "flows": {
      "implicit": {
        "scopes": {
          "scopekey": "scopevalue"
        },
        "authorizationUrl": "some_authorization_endpoint_url"
      }
    }
  }
}
```
EDIT:
> No Scopes
>
> Scopes are optional, and your API may not use any. In this case, specify an empty object {} in the scopes definition, and an empty list of scopes [] in the security section:
But the implicit flow that you linked works for me, the problem is when I try to use the class OpenIdConnect. This class only takes one argument openIdConnectUrl that is not documented - in my opinion it should use https://some.keycloak.server.com/auth/realms/main/.well-known/openid-configuration but it doesn't seem to work.
EDIT:
Also on the implicit flow that works for me I didn't set any scope.
Swagger UI doesn't support OIDC:
OpenID Connect Discovery | Swagger UI
> OIDC is currently not supported in Swagger Editor and Swagger UI. Please follow this issue for updates.

> What is strange here is that I cannot prefill the _client_id_ prompt
See #499
Thanks for the help here @zamiramir ! :bow: :clap:
Thanks @littlebrat for coming back to close the issue. :+1: