
[QUESTION] Security scopes


How can the scope parameter of the Security object be accessed?

Security accepts scopes as a parameter but the callable doesn’t seem to be able to access it. The use case is essentially what is mentioned in the documentation - require certain scopes to be present to access an endpoint, or generate a 403 error.

What if you don’t need the security parameter in the callback?

In the above use case, I’d like to require one of a set of scopes to be present but which one isn’t really important. Using Security requires that a parameter be added like:

arg = Security(<callable>)

In callable(), test for the scopes and throw an HTTPException as needed. The problem is that arg isn’t needed, so it’s ugly to pass it to the function. A much cleaner implementation would be to use a decorator - similar to the Starlette requires - like:

@requires(["user:read", "admin"])

Is this possible with the FastAPI design? If so, how does the decorator get passed a list of scopes (from the request)?


3 reactions
tiangolo commented, Apr 9, 2019

Here it is! 🎉 🍰 🚀

https://fastapi.tiangolo.com/tutorial/security/oauth2-scopes/


@mattlaue the problem is that you probably still want to read the token, at least at some point, to verify that it’s valid.

But the new SecurityScopes allows you to read the scopes in a dependency that can be used in other dependencies or path operations.

Those dependencies and path operations can declare their own required scopes. And the sub-dependency (that is probably reading the token and verifying it directly) can access all those required scopes from the dependants.


So, you can have a central point that checks and verifies all the scopes, and then in different path operations you can have Security dependencies with different scopes, for example:

@app.get("/somepath1/")
def some_path_1(current_user: User = Security(get_current_user, scopes=["some", "scopes"])):
    ...

@app.get("/somepath2/")
def some_path_2(current_user: User = Security(get_current_user, scopes=["something", "different"])):
    ...

def other_dependency(current_user: User = Security(get_current_user, scopes=["subdependency", "required"])):
    ...

@app.get("/somepath3/")
def some_path_3(sub_dep = Depends(other_dependency), current_user: User = Security(get_current_user, scopes=["more"])):
    ...
0 reactions
lsaint commented, Aug 27, 2021

Is there any mechanism to overwrite security scopes? I had 10 URLs in a router:

router = Router(dependencies=[Security(XXXBearer(), scopes=["admin"])])

@router.post("/url1/")
def url1_func():
    ...

@router.post("/url2/")
def url2_func():
    ...

@router.post("/url3/")
def url3_func():
    ...

...

Let’s say url3’s scopes only require ["user"];
how should I do it?

@router.post("/url3/")
def url3_func(a = Security(XXXBearer(), scopes=["user"])):
    # it did not work like this
    # the required scopes were still ["admin"]
    ...