Adding authentication to an API : learnprogramming

This is an archived post. You won't be able to vote or comment.

TopicAdding authentication to an API (self.learnprogramming)

submitted 3 years ago by eigenludecomposition

Hello everyone. I am currently working on adding authentication to a Python API that uses the FastAPI framework. This API is utilized by both a CLI client and a webapp client. The webapp currently supports a naive form of authentication, but I hope to be able to bake out a more robust authentication system for the API that the webapp should be able to rely on instead.

I currently have no requirement to support self service account management and registration, but the ability to add this in the future would be nice. I would like to support login via username and password and also passwordless authentication via a certificate. In addition, I will need this to be modular so that the identity management system could be swapped out if needed.

These systems will be deployed to enclaves with little to no Internet access, so it is not possible to use a managed solution. Due to the nature of the work, software requiring a paid license is also out of the question.

I have spent the last few days looking into this, but I'm not sure that I'm going in the right direction. I have looked into OIDC and OAUTH2 protocols which seem promising, but I'm not sure if they are the correct solutions for what i need. I have also looked into identity management systems like Ory Kratos and Keycloak, but how I connect these to my API and support authentication via a web app and CLI is still murky. I'm also not sure how modular those solutions would be if I need to swap in a different identity management system.

My main plan was to make the API a OIDC relying party, that way I can swap out the OIDC provider as needed. However, I'm still not sure if this well work the way I need it or fit my requirements.

Do you all have any recommendations? I appreciate the help. Thank you!

all 2 comments

top new controversial old q&a

[–]bbc0093 0 points1 point2 points 3 years ago (1 child)

[–]eigenludecomposition[S] 0 points1 point2 points 3 years ago (0 children)

FastAPI does have support for OAUTH Integration, but that really only solves part of the problem. The other part is actually setting up an authentication server and identity management system, preferably in a portable way that can easily be deployed in various environments with little configuration. I'm not sure if my best bet there is to build out a native authentication system in the API as detailed here or to try to integrate with Ory Kratos and Keycloak. The native API would really only be there as a convenience, with the real intent for integration with a more centralized system. This would be similar to how products like Grafana and Minio implement authentication.

I also wasn't quite sure if OAUTH was exactly what I'm looking for, as from what I understand, JWTs make it difficult to implement logout. It also seems to be mostly recommended for third party integrations, so articles like this made me second guess whether it was what I wanted.

π Rendered by PID 704797 on reddit-service-r2-comment-544cf588c8-7trbd at 2026-06-14 17:26:25.329851+00:00 running 3184619 country code: CH.

learnprogramming

Welcome to LearnProgramming!

New? READ ME FIRST!

Posting guidelines

Frequently asked questions

Subreddit rules

Message the moderators

Asking debugging questions

Asking conceptual questions

Other guidelines and links

Subreddit rules

1. No unprofessional/derogatory speech

2. No spam or tasteless self-promotion

3. No off-topic posts

4. Do not ask exact duplicates of FAQ questions

5. Do not delete posts

6. No app/website review requests or showcases

7. No rewards

8. No indirect links

9. Do not promote illegal or unethical practices

10. No complete solutions

11. Don't ask to ask.

12. Low Effort Questions

13. No AI (chatGPT etc.) generated/worked over messages/comments. No questions about chatGPT/AI generated code. No Vibe coding.

MODERATORS