Secure APIs with FastAPI and the Microsoft Identity Platform Transcripts
Chapter: Building a Secure API
Lecture: Securing FastAPI with Azure AD
0:00 Okay, let's pick up from where we left off. In the previous module we created an app registration inside Azure Active Directory.
0:09 That will be used by our API to validate tokens and provide access and authorization to
0:15 incoming requests. In this module we will look at what it takes to change our code and integrate with Azure Active directory.
0:24 You could go out and write your own code but to make our lives easier, we actually provide you with a library to do that ordinarily,
0:32 MSAL will be able to implement what we do. But unfortunately, the current version of MSAL Python is only able to acquire access tokens
0:42 and authenticate from Azure Active Directory. It does not contain functionality to validate incoming tokens in API's.
0:50 This will be coming. But in the meantime, we do have a solution. There's a package in PyPI called Fast Api Microsoft identity. That does exactly that.
0:59 It's designed to validate incoming tokens against Azure Active Directory or B2C And if you remember, as you said any open ID connect and Oauth2
1:08 compatible library will be able to work with Azure Active directory.
1:12 In this course we're going to build and expand on the existing source code that was provided in previous Fast API courses.
1:19 This is available on github under talk Python, Modern API's with fast API. We will use chapter 8 source code to add the
1:28 authentication and the appropriate configuration settings to work with azure active directory. The first thing we need to do is clone the project from.
1:36 Github git clone and then give it a name. That makes sense for you. I will name this fast A PI-AAD
1:47 Change directory and then change directory again to chapter 8. Now we can open this project in VS Code. I like to use
2:02 VS Code but you can open this project in your favorite IDE. There are a few things that we need to change to integrate our identity
2:09 component into this project. We will start by creating a new settings.json file and copying the values from this template.
2:18 If you followed along in the course you'll know that the main.py code expects a
2:23 settings.json file and then in the requirements we need to add our Microsoft identity package
2:30 We will run the restore soon remember that the necessary information to integrate with Azure
2:36 Active Directory is in our app registration so let's go to our app registration. If you don't remember how to get there aad.portal.azure.com.
2:45 Sign into the directory that we created as part of the previous step navigate to your App registration and copy the client ID. And the tenant ID.
3:01 This information needs to go inside your settings.json ensure to save the file and that's all we have to do with settings.json.
3:11 Now we can start using the FastAPI much of the identity library in our code. We'll start with main we need to import the initialize methods,
3:23 you know what since our settings are inside settings.json we will pull that information and
3:31 pass it into our configure off method which we will define now. This will initialize our authentication code.
3:43 Let's save this. And now if we open our api weather api again we need to import the necessary components from our library.
3:56 Now remember that our authentication library does two things. One is to check for an authenticated request and the second is to check for valid
4:04 scopes here, we're going to define the expected scope which we should match in the
4:10 access token. This needs to match what we can configure in our app registration.
4:15 If we jump very quickly back into our app registration and look at the exposed api We have two scopes. A weather.write.
4:22 And weather.read these are exposed by our API App registration and are expected in the access token parking our code,
4:29 we expose this on line 14 with the expected scope variable. Then in our methods we need to add requires of in the method itself we need
4:40 to first validate the scope, expect scope and the request object at this point you'll
4:50 notice that the request object that is expected in the helper methods does not exist.
4:55 So let's add it which is a request and to expose that or make it available We need to import it from the FastAPI from fastapi import request.
5:12 Save this lastly we need to capture any authentication errors that may occur as the validation
5:17 takes place for that. We need to add a couple more lines of code Lines
5:23 23 and 24 are responsible for capturing any errors raised during the authentication and authorization process
5:29 The Fast api Microsoft identity library will capture and raise the appropriate error message with
5:36 the associate http error codes. Either 401 unauthenticated or 403 unauthorized along with
5:45 a meaningful error message. To help you resolve the problem in the calling client. A 401
5:50 error message will be returned if there is no valid token in the incoming request, A 403 error message will be returned.
5:58 If the token is missing the appropriate scopes and permissions. For example if the user doesn't have access to this particular api and that's it.
6:07 Three lines of code to implement authentication in our Api endpoint. We need to import it. We need to expose the request object.
6:15 We need to add the wrapper method or the attributes and the function and then finally we need to validate the incoming scope.
6:22 This will check for an authenticated request and this will make sure that the right api
6:28 permissions have been acquired when calling this endpoint and if this one or this line fails
6:36 then an authentication error will bubble up and send back to the user. We're going to spin up our visual environment and install all our dependencies.
6:47 The one thing left now is to actually run the API. And make sure that the code is working if you're like me
6:55 and you like to run and debug your code through the IDE. Especially in VS code we can create a launch.json file.
7:02 You realize that we're working with a Python application and it has some options to work with different frameworks. We can choose the FastAPI one.
7:11 All we have to do is just launch the application. There is one small thing we have to change here and that is the entry point
7:19 which is API which corresponds to our API object that gets initialized here
7:26 and with that we can launch our application And this is great because it's now listening at port 8000 on local host which we can test,
7:36 let's bring up a browser and navigate so far. So good. What will happen if we test our api endpoint which we just secured
7:48 weather and you might think that this is broken, you might think that the application has failed but in fact this is an expected error
7:58 This is because our request did not contain an access token in the header and therefore the API responded with a 401 in the next chapter.
8:07 We'll see how we can do that using Postman or any other apytesting tools like Thunder client which I am using right now.