First, let's quickly see the parts that change from the examples in the main **Tutorial - User Guide** for [OAuth2 with Password (and hashing), Bearer with JWT tokens](../../tutorial/security/oauth2-jwt.md){.internal-link target=_blank}. Now using OAuth2 scopes:
-```Python hl_lines="2 5 9 13 47 65 106 108 109 110 111 112 113 114 115 116 122 123 124 125 129 130 131 132 133 134 135 140 154"
+```Python hl_lines="2 4 8 12 46 64 105 107 108 109 110 111 112 113 114 115 121 122 123 124 128 129 130 131 132 133 134 139 153"
{!../../../docs_src/security/tutorial005.py!}
```
The `scopes` parameter receives a `dict` with each scope as a key and the description as the value:
-```Python hl_lines="63 64 65 66"
+```Python hl_lines="62 63 64 65"
{!../../../docs_src/security/tutorial005.py!}
```
But in your application, for security, you should make sure you only add the scopes that the user is actually able to have, or the ones you have predefined.
-```Python hl_lines="155"
+```Python hl_lines="153"
{!../../../docs_src/security/tutorial005.py!}
```
We are doing it here to demonstrate how **FastAPI** handles scopes declared at different levels.
-```Python hl_lines="5 140 167"
+```Python hl_lines="4 139 166"
{!../../../docs_src/security/tutorial005.py!}
```
This `SecurityScopes` class is similar to `Request` (`Request` was used to get the request object directly).
-```Python hl_lines="9 106"
+```Python hl_lines="8 105"
{!../../../docs_src/security/tutorial005.py!}
```
In this exception, we include the scopes required (if any) as a string separated by spaces (using `scope_str`). We put that string containing the scopes in in the `WWW-Authenticate` header (this is part of the spec).
-```Python hl_lines="106 108 109 110 111 112 113 114 115 116"
+```Python hl_lines="105 107 108 109 110 111 112 113 114 115"
{!../../../docs_src/security/tutorial005.py!}
```
We also verify that we have a user with that username, and if not, we raise that same exception we created before.
-```Python hl_lines="47 117 118 119 120 121 122 123 124 125 126 127 128"
+```Python hl_lines="46 116 117 118 119 120 121 122 123 124 125 126 127"
{!../../../docs_src/security/tutorial005.py!}
```
For this, we use `security_scopes.scopes`, that contains a `list` with all these scopes as `str`.
-```Python hl_lines="129 130 131 132 133 134 135"
+```Python hl_lines="128 129 130 131 132 133 134"
{!../../../docs_src/security/tutorial005.py!}
```
If you want to play with JWT tokens and see how they work, check <a href="https://jwt.io/" class="external-link" target="_blank">https://jwt.io</a>.
-## Install `PyJWT`
+## Install `python-jose`
-We need to install `PyJWT` to generate and verify the JWT tokens in Python:
+We need to install `python-jose` to generate and verify the JWT tokens in Python:
<div class="termy">
```console
-$ pip install pyjwt
+$ pip install python-jose[cryptography]
---> 100%
```
</div>
+<a href="https://github.com/mpdavis/python-jose" class="external-link" target="_blank">Python-jose</a> requires a cryptographic backend as an extra.
+
+Here we are using the recommended one: <a href="http://cryptography.io/" class="external-link" target="_blank">pyca/cryptography</a>.
+
+!!! tip
+ This tutorial previously used <a href="https://pyjwt.readthedocs.io/" class="external-link" target="_blank">PyJWT</a>.
+
+ But it was updated to use Python-jose instead as it provides all the features from PyJWT plus some extras that you might need later when building integrations with other tools.
+
## Password hashing
"Hashing" means converting some content (a password in this case) into a sequence of bytes (just a string) that looks like gibberish.
And another one to authenticate and return a user.
-```Python hl_lines="8 49 56 57 60 61 70 71 72 73 74 75 76"
+```Python hl_lines="7 48 55 56 59 60 69 70 71 72 73 74 75"
{!../../../docs_src/security/tutorial004.py!}
```
Create a utility function to generate a new access token.
-```Python hl_lines="4 7 13 14 15 29 30 31 79 80 81 82 83 84 85 86 87"
+```Python hl_lines="6 12 13 14 28 29 30 78 79 80 81 82 83 84 85 86"
{!../../../docs_src/security/tutorial004.py!}
```
If the token is invalid, return an HTTP error right away.
-```Python hl_lines="90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107"
+```Python hl_lines="89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106"
{!../../../docs_src/security/tutorial004.py!}
```
Create a real JWT access token and return it.
-```Python hl_lines="116 117 118 119 120 121 122 123 124 125 126 127 128 129"
+```Python hl_lines="115 116 117 118 119 120 121 122 123 124 125 126 127 128"
{!../../../docs_src/security/tutorial004.py!}
```
It's optional to use it, but that's where you would put the user's identification, so we are using it here.
-JWT might be used for other things apart from identifying a user and allowing him to perform operations directly on your API.
+JWT might be used for other things apart from identifying a user and allowing them to perform operations directly on your API.
For example, you could identify a "car" or a "blog post".
Then you could add permissions about that entity, like "drive" (for the car) or "edit" (for the blog).
-And then, you could give that JWT token to a user (or bot), and he could use it to perform those actions (drive the car, or edit the blog post) without even needing to have an account, just with the JWT token your API generated for that.
+And then, you could give that JWT token to a user (or bot), and they could use it to perform those actions (drive the car, or edit the blog post) without even needing to have an account, just with the JWT token your API generated for that.
Using these ideas, JWT can be used for way more sophisticated scenarios.
It gives you all the flexibility to choose the ones that fit your project the best.
-And you can use directly many well maintained and widely used packages like `passlib` and `pyjwt`, because **FastAPI** doesn't require any complex mechanisms to integrate external packages.
+And you can use directly many well maintained and widely used packages like `passlib` and `python-jose`, because **FastAPI** doesn't require any complex mechanisms to integrate external packages.
But it provides you the tools to simplify the process as much as possible without compromising flexibility, robustness, or security.
from datetime import datetime, timedelta
from typing import Optional
-import jwt
from fastapi import Depends, FastAPI, HTTPException, status
from fastapi.security import OAuth2PasswordBearer, OAuth2PasswordRequestForm
-from jwt import PyJWTError
+from jose import JWTError, jwt
from passlib.context import CryptContext
from pydantic import BaseModel
if username is None:
raise credentials_exception
token_data = TokenData(username=username)
- except PyJWTError:
+ except JWTError:
raise credentials_exception
user = get_user(fake_users_db, username=token_data.username)
if user is None:
from datetime import datetime, timedelta
from typing import List, Optional
-import jwt
from fastapi import Depends, FastAPI, HTTPException, Security, status
from fastapi.security import (
OAuth2PasswordBearer,
OAuth2PasswordRequestForm,
SecurityScopes,
)
-from jwt import PyJWTError
+from jose import JWTError, jwt
from passlib.context import CryptContext
from pydantic import BaseModel, ValidationError
raise credentials_exception
token_scopes = payload.get("scopes", [])
token_data = TokenData(scopes=token_scopes, username=username)
- except (PyJWTError, ValidationError):
+ except (JWTError, ValidationError):
raise credentials_exception
user = get_user(fake_users_db, username=token_data.username)
if user is None:
"pyyaml >=5.3.1,<6.0.0"
]
dev = [
- "pyjwt >=1.7.1,<2.0.0",
+ "python-jose[cryptography] >=3.1.0,<4.0.0",
"passlib[bcrypt] >=1.7.2,<2.0.0",
"autoflake >=1.3.1,<2.0.0",
"flake8 >=3.8.3,<4.0.0",
projects / thirdparty / fastapi / fastapi.git / commitdiff
