Skip to content

8.x.x ➡️ 9.x.x

Version 9 revamps the authentication backends: we splitted the logic of a backend into two: the transport, which is how the token will be carried over the request and the strategy, which is how the token is generated and secured.

The benefit of this is that we'll soon be able to propose new strategies, like database session tokens, without having to repeat the transport logic which remains the same.

Convert the authentication backend

You now have to generate an authentication backend with a transport and a strategy.

I used JWTAuthentication

from fastapi_users.authentication import JWTAuthentication

jwt_authentication = JWTAuthentication(
    secret=SECRET, lifetime_seconds=3600, tokenUrl="auth/jwt/login"
)

from fastapi_users.authentication import AuthenticationBackend, BearerTransport, JWTStrategy

SECRET = "SECRET"

bearer_transport = BearerTransport(tokenUrl="auth/jwt/login")

def get_jwt_strategy() -> JWTStrategy:
    return JWTStrategy(secret=SECRET, lifetime_seconds=3600)

auth_backend = AuthenticationBackend(
    name="jwt",
    transport=bearer_transport,
    get_strategy=get_jwt_strategy,
)

Warning

There is no default name anymore: you need to provide it yourself for each of your backends.

I used CookieAuthentication

from fastapi_users.authentication import CookieAuthentication

cookie_authentication = CookieAuthentication(secret=SECRET, lifetime_seconds=3600)

from fastapi_users.authentication import AuthenticationBackend, CookieTransport, JWTStrategy

SECRET = "SECRET"

cookie_transport = CookieTransport(cookie_max_age=3600)

def get_jwt_strategy() -> JWTStrategy:
    return JWTStrategy(secret=SECRET, lifetime_seconds=3600)

auth_backend = AuthenticationBackend(
    name="cookie",
    transport=cookie_transport,
    get_strategy=get_jwt_strategy,
)

Warning

There is no default name anymore: you need to provide it yourself for each of your backends.

Tip

Notice that the strategy is the same for both authentication backends. That's the beauty of this approach: the token generation is decoupled from its transport.

OAuth: one router for each backend

Before, a single OAuth router was enough to login with any of your authentication backend. Now, you need to generate a router for each of your backends.

app.include_router(
    fastapi_users.get_oauth_router(google_oauth_client, "SECRET"),
    prefix="/auth/google",
    tags=["auth"],
)

app.include_router(
    fastapi_users.get_oauth_router(google_oauth_client, auth_backend, "SECRET"),
    prefix="/auth/google",
    tags=["auth"],
)

authentication_backend is not needed on /authorize

The consequence of this is that you don't need to specify the authentication backend when making a request to /authorize.

curl \
-H "Content-Type: application/json" \
-X GET \
http://localhost:8000/auth/google/authorize?authentication_backend=jwt

curl \
-H "Content-Type: application/json" \
-X GET \
http://localhost:8000/auth/google/authorize

Lost?

If you're unsure or a bit lost, make sure to check the full working examples.

Back to top