Secure APIs with FastAPI and the Microsoft Identity Platform Transcripts
Chapter: JSON Web Token (JWT) Authentication
Lecture: Handling authentication and authorization errors
0:00
The OAuth2 spec provides guidance on how to handle errors during authentication and authorization,
0:07
using the error portion in the error response. Here is a sample response from Azure
0:13
Active Directory. We can see the information that is sent to the authentication clients when
0:19
they attempt to log in a user or validate a token, along with recommended corrective actions.
0:24
Now, there are a lot of errors that can be pushed out by Azure Active Directory, and we'll go very quickly through some of them to give you an idea of
0:34
what to expect and how to fix them. For example, if you receive an invalid request, then that means that there was a protocol
0:41
error, and the way to fix it is by fixing the submitted data and resubmitting the
0:46
authentication request. For an invalid grant, you need to try a new request to the authorization
0:51
endpoint to get a new authorization code. For an unauthorized client,
0:55
this usually happens when the client application isn't registered in Azure Active Directory or hasn't been added to the user's Active Directory.
1:03
The application can prompt the user with instructions for installing the application and adding it to
1:08
Azure Active Directory. This is most common in multi-tenant applications.
1:12
Imagine using Azure Active Directory with Adobe or Salesforce at work and using your corporate account
1:18
for single sign-on. So convenient! If these applications have not been registered correctly by
1:23
the Azure Active Directory admin, then this is the error that you will see when you attempt to sign in. Invalid client:
1:31
The client credentials are invalid. To fix it, the application
1:34
administrator needs to update their credentials. For unsupported grant type, change the grant type in the
1:40
request. This type of error should occur only during development and should be detected during
1:45
initial testing. Invalid request: this indicates that the resource, if it exists, has not been configured in the tenant.
1:53
The application can prompt the user with instructions for installing the application and adding it to the
1:58
Azure Active Directory tenant. During development, this usually indicates an incorrectly set up tenant or a typo
2:05
in the name of the scope being requested. Interaction required: retry the request with the same resource interactively so that the user can
2:12
complete any challenges required. We saw this with the consent framework during our token
2:18
acquisition process in previous modules. Temporarily unavailable:
2:22
Retry the request. In this instance, the client application might explain to the user that the response is delayed because of a temporary condition.
2:30
Some of these errors will be client-specific, whereas others will be API
2:35
and back-end specific. In the case of our Azure Active Directory secured FastAPI, a client making a request will receive a response with either a 401 or
2:44
403 HTTP status code if an authentication or authorization error occurs. So what do these errors really mean? 401 Unauthorized:
2:54
Although the HTTP standard specifies it as unauthorized, semantically this response means unauthenticated.
3:01
That is, the client must authenticate itself to get the requested response.
3:06
It could also mean that even though a client previously authenticated, the access token in the
3:10
present request has expired and therefore the client needs to re-authenticate. 403 Forbidden:
3:15
A 403 error means that the client does not have access rights to the content. That is, it is unauthorized.
3:23
So the server is refusing to give the requested resource. Unlike 401 Unauthorized, the client's identity is known to the server.
3:31
Our library will look at the scope and role claims, as well as the audience claim, to confirm that the authenticated client,
3:37
either a user or an application, has given consent to access the target resource and that the appropriate roles are present in the token.
3:45
The nice thing for us securing our FastAPI with Azure Active Directory is that the
3:50
Microsoft library used throughout this course is designed to handle the authentication and authorization flow and
3:56
generate the appropriate error message. All we have to do in our API is to
4:01
send this back to the clients so that they can take the appropriate corrective action on their end.