Yordis Prieto
Yordis Prieto10mo ago

FastAPI OpenIdConnect

Hey folks, I am trying to make the following to work:
import os
from typing import Annotated

from fastapi import Depends
from fastapi.security import OAuth2PasswordBearer, OpenIdConnect

oidc_scheme = OpenIdConnect(
    openIdConnectUrl=f"{os.getenv('ZITADEL_BASE_URL')}/.well-known/openid-configuration"
)

async def get_zitadel_principal(introspected_token: Annotated[dict, Depends(oidc_scheme)]):
    zitadel_id = introspected_token.get("sub")
    # other code
Then I visit the docs and try to use "OpenIdConnect (OAuth2, implicit)" mode, but I keep getting the following issue:
{
  "error": "unauthorized_client",
  "error_description": "The requested response type is missing in the client configuration. If you have any questions, you may contact the administrator of the application."
}
See the screenshots. I am not sure what else to try by now; I tried multiple combinations of response type, grant types (with implicit and not) ... I am just not sure what else to try by now and who is at fault here.
44 Replies
Unknown User
Unknown User10mo ago
Message Not Public
Yordis Prieto
Yordis PrietoOP10mo ago
Right now such class is from fastapi.security import OpenIdConnect, which is doing the OIDC init and callback, but I am not sure why Zitadel is failing on me. I also have a working version using introspect token https://discord.com/channels/927474939156643850/1238060845460623391/1306421754402439260 but it isn't standard with the FastAPI Docs, so users can not authenticate in the Docs to interact with the API. Reason why I am trying to make it work with the built-in OpenIdConnect class.
Unknown User
Unknown User10mo ago
Message Not Public
Yordis Prieto
Yordis PrietoOP10mo ago
FastAPI has its own swagger doc where you can sign in. Let me see if I can put an example project. FastAPI is important enough nowadays, even above Flask I would say.
Unknown User
Unknown User10mo ago
Message Not Public
Yordis Prieto
Yordis PrietoOP10mo ago
that is there, I am honestly not sure what else to change. Either FastAPI is broken, or I am doing something silly in Zitadel that I am just not seeing 😐 I am in Lobby, if you feel you have 10 mins to troubleshoot with me; otherwise, I am going in circles right now.
Unknown User
Unknown User10mo ago
Message Not Public
Yordis Prieto
Yordis PrietoOP10mo ago
copy+pasting!
Unknown User
Unknown User10mo ago
Message Not Public
Yordis Prieto
Yordis PrietoOP10mo ago
checking the GUI, that would require me to pass client ID and Secret. The idea is that users can use their Zitadel account to authenticate in the API, without having to provision client ID and secret, no?
Unknown User
Unknown User10mo ago
Message Not Public
Yordis Prieto
Yordis PrietoOP10mo ago
interesting, what is the point of OpenIdConnect? I know very little of python, if any, first time dealing with the ecosystem
Unknown User
Unknown User10mo ago
Message Not Public
Yordis Prieto
Yordis PrietoOP10mo ago
what a cluster mess! It is probably worth adding it to the official docs; it seems that FastAPI is predominant nowadays
Unknown User
Unknown User10mo ago
Message Not Public
Yordis Prieto
Yordis PrietoOP10mo ago
is there? ppfff I missed the docs then, let me try your setup in a few mins
Unknown User
Unknown User10mo ago
Message Not Public
Yordis Prieto
Yordis PrietoOP10mo ago
import os

from fastapi import FastAPI

# The posted snippet started mid-call; the FastAPI( opening is assumed here.
app = FastAPI(
    swagger_ui_parameters={"deepLinking": False},
    swagger_ui_init_oauth={
        "clientId": os.getenv("ZITADEL_CLIENT_ID"),
        "usePkceWithAuthorizationCodeGrant": True,
        "scopeSeparator": " ",
        "scopes": "openid profile email",
    },
)
would that work with OidcConnect? The weird thing is, I passed the client anyway for real ... I still don't know which pkg manager or whatever thingy to use
Unknown User
Unknown User10mo ago
Message Not Public
Yordis Prieto
Yordis PrietoOP10mo ago
and some dev absolute imports that didn't work for me ...
Unknown User
Unknown User10mo ago
Message Not Public
Yordis Prieto
Yordis PrietoOP10mo ago
that is what I see
Unknown User
Unknown User10mo ago
Message Not Public
Yordis Prieto
Yordis PrietoOP10mo ago
{"error":"invalid_request","error_description":"Errors.App.NotFound"}
Unknown User
Unknown User10mo ago
Message Not Public
Yordis Prieto
Yordis PrietoOP10mo ago
it didn't
Unknown User
Unknown User10mo ago
Message Not Public
Yordis Prieto
Yordis PrietoOP10mo ago
nice I see the token now
Unknown User
Unknown User10mo ago
Message Not Public
Yordis Prieto
Yordis PrietoOP10mo ago
so now I can call the introspect with it I am guessing? hopefully https://discord.com/channels/927474939156643850/1238060845460623391/1306421754402439260 it is correct, unless you have some nicer version
Unknown User
Unknown User10mo ago
Message Not Public
Yordis Prieto
Yordis PrietoOP10mo ago
swagger_ui_init_oauth={
    "clientId": os.getenv('ZITADEL_DOCS_CLIENT_ID'),
    "usePkceWithAuthorizationCodeGrant": True,
btw, the oidc connect just works fine, I think that was the missing piece, or rather, the PKCE part :facepalm: IT WORKS! NICE! just one freaking config .... man, I feel some docs under Zitadel would be amazing, for my future self that will definitely forget this
Unknown User
Unknown User10mo ago
Message Not Public
Yordis Prieto
Yordis PrietoOP10mo ago
casbin?
Unknown User
Unknown User10mo ago
Message Not Public
Yordis Prieto
Yordis PrietoOP10mo ago
I am trying to use spicedb for authZ
Unknown User
Unknown User10mo ago
Message Not Public
spicypixel
spicypixel10mo ago
Introspection calls are cached now? From the official sdk?
Yordis Prieto
Yordis PrietoOP10mo ago
No clue, I am using my custom introspect token thingy with the pkce thingy so not using it
Unknown User
Unknown User10mo ago
Message Not Public
spicypixel
spicypixel10mo ago
neat! That's server side though, be nice to have a TTL cache on client side for the SDKs for heavy calls that can suffer a 60s or similar expiry window
Unknown User
Unknown User10mo ago
Message Not Public
Yordis Prieto
Yordis PrietoOP10mo ago
I shared my code snippet, looking at that repo, it is doing some fancy stuff with the key endpoint, maybe share your findings in the issue thread
Unknown User
Unknown User10mo ago
Message Not Public