
Comments (7)

jlerman44 avatar jlerman44 commented on July 23, 2024 1

OK... the best way is to solve it in a different layer: https://docs.microsoft.com/en-us/azure/app-service/overview-authentication-authorization . I can confirm it works well, at least for a SINGLE container app. (This feature is not available for multi-container deployments yet, per the documentation as of today anyway.)

from fastapi_msal.

dudil avatar dudil commented on July 23, 2024

Hi @jlerman44,

About this:

I am trying to hide my documentation (so /docs, /redoc, and /openapi.json not accessible without msal login)

I'm not sure you can have conditional documentation so that only those who are already authenticated can see it.
I will add that while the documentation feature in FastAPI is amazing, it has its downsides and it is quite a headache to "hack" it. So I suggest either showing it or hiding it.

If you wish to switch only the fastapi_msal parts, this can be done via the configuration class MSALClientConfig.
In the example provided you can set:

```python
from fastapi_msal import MSALClientConfig

client_config: MSALClientConfig = MSALClientConfig()
client_config.show_in_docs = False  # False is currently the default
# you can also set your own customized routing paths
client_config.login_path = ...   # the initial path that starts the login process (should be called by the application client)
client_config.token_path = ...   # the path that you provide to MS during the app registration process;
                                 # it will be used by MS as the token callback
client_config.logout_path = ...  # the path the application client will use to log out the user
```

The docs are important only if you use them for the actual initialization process.
Indeed, if you start with the docs, the library will try to follow the already implemented OAuth2 path which is part of the OpenAPI websites (hence the "strange" redirects you mentioned).
But if you are not going to use the docs at all, it won't redirect to them.

Though ideally this would be Microsoft based login.

This could be achieved by the following adaptations to your code:

  1. When you would like to show the client the login page, redirect to the login_path.
    The default login path is "/_login_route".
  2. The callback URL is the one set on the client config class; the default is "/token".
    Make sure to register "YOUR_URL/token" as part of the app registration process.

A short deep dive into the paths, router etc.:
The router itself is implemented in the MSALAuthorization class.
There are two different token path classes:
GET operation method - this is useful if you wish to interact directly with the MS based login as mentioned, since the MS callback is a GET call.

POST operation method - this is useful if you use the documentation or any client which retrieves the token from MS and then forwards the token to the API (this is the "official" way of the OAuth2 flow, but I think it is not always correct to use it).

There are two different methods since they are also sourced from different places and hold different APIs.
To make the documentation and the MS direct approach work nicely together I had to take this approach.


jlerman44 avatar jlerman44 commented on July 23, 2024

Thanks for these helpful pointers! I will probably press on to try to find a way to hide the /docs behind a username and password while keeping fastapi_msal working. This is really important to me. If you have further ideas here, please let me know!

Also, I think the redirect URL that is being used by default is YOUR_URL/docs/oauth2-redirect and not YOUR_URL/token. Is that strange?


jlerman44 avatar jlerman44 commented on July 23, 2024

This also can be closed.


dudil avatar dudil commented on July 23, 2024

Hi @jlerman44,

The strange behavior is the mixture of using the FastAPI OpenAPI documentation website to simulate the login etc. vs how this should be used in production.
To be honest, you have a very solid point which is related to the non-existent documentation for this project. I only now realise it is quite complex... 😬
Must admit I'm not an expert in that field and if you can assist with setting up the basics of it that would be amazing!

BTW I've created my own private PoC based on what MS created in this repository:
https://github.com/Azure-Samples/ms-identity-python-webapp
If you believe you can find it useful, please let me know and I'll be happy to clean it up and share it.


github-actions avatar github-actions commented on July 23, 2024

This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.


github-actions avatar github-actions commented on July 23, 2024

This issue was closed because it has been stalled for 5 days with no activity.
