Security - FastAPI

Tags

Top Highlights

• OpenAPI (previously known as Swagger) is the open specification for building APIs (now part of the Linux Foundation).

• There was an OAuth 1, which is very different from OAuth2, and more complex, as it included direct specifications on how to encrypt the communication.

• OAuth2 is a specification that defines several ways to handle authentication and authorization.

• It includes ways to authenticate using a "third party". That's what all the systems with "login with Facebook, Google, Twitter, GitHub" use underneath.

• OAuth2 doesn't specify how to encrypt the communication, it expects you to have your application served with HTTPS.

• OpenID Connect is another specification, based on OAuth2.

• It just extends OAuth2 specifying some things that are relatively ambiguous in OAuth2

• For example, Google login uses OpenID Connect (which underneath uses OAuth2).

• But Facebook login doesn't support OpenID Connect. It has its own flavor of OAuth2.

• OpenAPI has a way to define multiple security "schemes".

• apiKey: an application specific key that can come from: A query parameter. A header. A cookie.

• openIdConnect: has a way to define how to discover OAuth2 authentication data automatically. This automatic discovery is what is defined in the OpenID Connect specification.

• oauth2: all the OAuth2 ways to handle security (called "flows"). Several of these flows are appropriate for building an OAuth 2.0 authentication provider (like Google, Facebook, Twitter, GitHub, etc): implicit clientCredentials authorizationCode

• But there is one specific "flow" that can be perfectly used for handling authentication in the same application directly: password

• http: standard HTTP authentication systems, including: bearer: a header Authorization with a value of Bearer plus a token. This is inherited from OAuth2. HTTP Basic authentication