Authentication¶
Read this section in the Basic Usage chapter first for the basics on authentication support.
Basic concepts on the authentication support:
- APIFlask uses Flask-HTTPAuth to implement the authentication support.
- Use
apiflask.HTTPBasicAuth
for the HTTP Basic authentication. - Use
apiflask.HTTPTokenAuth
for the HTTP Bearer or API Keys authentication. - Read Flask-HTTPAuth's documentation for the implemention of each authentication types.
- Make sure to import
HTTPBasicAuth
andHTTPTokenAuth
from APIFlask and use theapp.auth_required
decorator to protect the views. auth.current_user
works just likeauth.current_user()
, but shorter.
Use external authentication library¶
Version >= 1.0.0
This feature was added in the version 1.0.0.
When using the HTTPBasicAuth
, HTTPTokenAuth
, and app.auth_required
to implement
the authentication, APIFlask can generate the OpenAPI security spec automatically. When
you use the external authentication library, APIFlask still offers the way to set the
OpenAPI spec.
You can use the SECURITY_SCHEMES
config or the app.security_schemes
attribute to
set the OpenAPI security schemes:
app = APIFlask(__name__)
app.security_schemes = { # equals to use config SECURITY_SCHEMES
'ApiKeyAuth': {
'type': 'apiKey',
'in': 'header',
'name': 'X-API-Key',
}
}
Then you can set the security scheme with the security
parameter in app.doc()
decorator:
@app.post('/pets')
@my_auth_lib.protect # protect the view with the decorator provided by external authentication library
@app.input(PetIn)
@app.output(PetOut, status_code=201)
@app.doc(security='ApiKeyAuth')
def create_pet(data):
pet_id = len(pets)
data['id'] = pet_id
pets.append(data)
return pets[pet_id]
With APIFlask 1.0.2, when using the built-in auth support and external auth library at the same time, the security schemes will be combined.
app.auth_required
will generate the operation security automatically, if you use the @doc(security=...)
with a view that already used app.auth_required
, then the value passed in @doc(security=...)
will be used.
Handle authentication errors¶
See this section in the Error Handling chapter for handling authentication errors.