Using easyauth with FastAPI and requests

[w-markus]

Hi there!

I'd like to control a device by using a REST-API. However, I'd like restrict the access.

So far, I have written a python script based on FastAPI which provides all the routes that resemble the functions of my device (e.g. turn something on/off). I also added the functionality provided by easyauth to authenticate with a separate easyauth-server (i.e. there is a separate script to run the authentication server). I happily used the docs here. This works well, as I can see from the build in "docs"-route, both for the auth-server and the REST-API.

Now, I'd like to access the above not by use of a web browser but from within another python script that uses the requests package (or something else suitable). Unfortunately, I couldn't find an example nor some documentation which points me into some direction.
I reckon I need to find out how to authenticate using some requests.get(), how to get a token and how to use the token for further calls to the REST-API of my device.

Someone here, who can help, please?

Thanks a lot in advance
Markus

[codemation]

Hey @w-markus , in order to access a protected endpoint, a script will need to attach an auth header containing a generated bearer token.

import os
import requests

username = 'admin' # or other created user
password = os.environ['PW_FROM_ENV']

# required header for using username / password to request a token
headers = {'accept': 'application/json', 'content-type': 'application/x-www-form-urlencoded'}

token_request = requests.post(
    'http://my-token_server/auth/token', 
    headers=headers, 
    data=f'username={username}&password={password}'
)

token = token_request['access_token'] # you could use service account token instead
headers = {'Authorization': f'Bearer {token}'}

# use headers for accessing any other protected endpoint
r = requests.get('http://other-service/api/v1/data', headers=headers)

You can replace requesting a token if you create service account & generate a token for the service account and use the same way as token here

[w-markus]

Thank you so much. Works really nicely. The only thing I changed was replacing token_request[...] by token_request.json()[...] for conveniently printing the response and getting the token as an ascii string.

[w-markus]

My excitement came a little to early.

When accessing the easyauth-protected server's docs (http:my-protected-server/docs) via a browser I first authorize (with the help of an extra easyauth authorization server), which works fine. But on trying a GET-call from the docs list, I receive an error.
From the console logs:

 EasyAuthServer ERROR    error decoding token
Traceback (most recent call last):
  File "C:\Users\cri\AppData\Roaming\Python\Python38\site-packages\easyauth\router.py", line 109, in mock_function
    token = self.parent.decode_token(token)[1]
  File "C:\Users\cri\AppData\Roaming\Python\Python38\site-packages\easyauth\client.py", line 564, in decode_token
    return jwt.verify_jwt(token, self._public_key, ["RS256"])
  File "C:\Users\cri\AppData\Roaming\Python\Python38\site-packages\python_jwt\__init__.py", line 169, in verify_jwt
    token.deserialize(jwt, pub_key)
  File "C:\Users\cri\AppData\Roaming\Python\Python38\site-packages\jwcrypto\jws.py", line 475, in deserialize
    self.verify(key, alg)
  File "C:\Users\cri\AppData\Roaming\Python\Python38\site-packages\jwcrypto\jws.py", line 386, in verify
    raise InvalidJWSSignature('Verification failed for all '
jwcrypto.jws.InvalidJWSSignature: Verification failed for all signatures["Failed: [InvalidJWSSignature('Verification failed')]"]

However, accessing the application server via a script (like described in the previous post) everything seems to work.

Puzzled!

The versions of the packages are as follows:

aiohttp==3.8.3
aioredis==2.0.0
aiosignal==1.3.1
aiosmtplib==2.0.0
anyio==3.6.2
async-timeout==4.0.2
attrs==22.1.0
bcrypt==3.2.0
blinker==1.5
cachetools==5.2.0
certifi==2022.9.24
cffi==1.15.1
charset-normalizer==2.1.1
click==8.1.3
colorama==0.4.6
cryptography==38.0.3
databases==0.5.3
defusedxml==0.7.1
Deprecated==1.2.13
dnspython==2.2.1
docutils==0.19
easy-auth==1.0.26
easyadmin==0.169
easyrpc==0.245
easyschedule==0.107
ecdsa==0.18.0
email-validator==1.1.3
example==0.1.0
fakeredis==1.10.1
fastapi==0.86.0
fastapi-mail==0.3.7
frozenlist==1.3.3
google-api-core==2.10.2
google-api-python-client==2.31.0
google-auth==2.14.1
google-auth-httplib2==0.1.0
googleapis-common-protos==1.56.4
gunicorn==20.1.0
h11==0.12.0
httpcore==0.15.0
httplib2==0.21.0
httptools==0.3.0
httpx==0.23.0
idna==3.4
Jinja2==3.1.2
jwcrypto==1.4.2
makefun==1.9.5
MarkupSafe==2.1.1
multidict==6.0.2
numpy==1.23.4
odfpy==1.4.1
packaging==21.3
pandas==1.5.1
passlib==1.7.4
protobuf==4.21.9
pyasn1==0.4.8
pyasn1-modules==0.2.8
pycparser==2.21
pydantic==1.9.1
pydbantic==0.0.25
PyJWT==2.0.0
pyOpenSSL==22.1.0
pyparsing==3.0.9
python-dateutil==2.8.2
python-jose==3.3.0
python-jwt==3.3.0
python-multipart==0.0.5
pytz==2022.6
redis==4.3.4
requests==2.28.1
rfc3986==1.5.0
rsa==4.9
six==1.16.0
sniffio==1.3.0
sortedcontainers==2.4.0
SQLAlchemy==1.4.28
starlette==0.20.4
typing_extensions==4.4.0
uritemplate==4.1.1
urllib3==1.26.12
uvicorn==0.19.0
websockets==10.4
wrapt==1.14.1
yarl==1.8

[codemation]

Typically InvalidJWSSignature will occur when a token is missing or set as invalid. From the /docs page you can verify that you have the correct token cookie set via ctrl + shift + i (application -> cookies ). If the connected service is connected to the easy auth server correctly, you can just access /login to apply the token as a cookie first, then navigate back to /docs and the cookie should still be applied.