Add Google Login to a FastAPI app with EasyAuth

Joshua Jamison
Jun 14 · 4 min read

Creating APIs with FastAPI is easy! In my last article, I discuss how EasyAuth makes Authenticating / Authorizing a little easier.

EasyAuth also aims to make adding third-party authentication via providers like Google a easier as well.

Before we begin, lets create a very basic “Hello World” API. We will add authentication in a bit.

$ uvicorn --host 0.0.0.0 --port 8450 basic:app
INFO: Started server process [997908]
INFO: Waiting for application startup.
INFO: Application startup complete.
INFO: Uvicorn running on http://0.0.0.0:8450 (Press CTRL+C to quit)
INFO: 127.0.0.1:54704 - "GET / HTTP/1.1" 200 OK

Installing EasyAuth

pip install easy-auth[server]

Adding EasyAuth to our app

First create an JSON file containing the environment variables need by easyauth.

Next lets add easyauth to our basic application.

$ uvicorn --host 0.0.0.0 --port 8450 basic:app
.
...
06-12 00:33 EasyAuthServer ERROR detected new EasyAuth server, created admin user with password: hmhjdfvg
INFO: Application startup complete.
06-12 00:34 uvicorn.error INFO Application startup complete.
INFO: Uvicorn running on http://0.0.0.0:8450 (Press CTRL+C to quit)

Access the same endpoint, and notice the authentication required, input admin / pw to access.

Looking again at the /docs page to view the API, notice the new Lock icon, indicating authentication requirements.

Along with a login page at /login, a default endpoint also exists at /register, allowing creating of new users.

Admin GUI

An Admin GUI exists at /admin, providing basic user administrative tasks and allowing for additional configuration: email / google authentication.

Within Identity providers, google authentication can be configured along with default_groups(groups assigned to newly registered users).

Configuring Google Authentication

The google client_id should correspond with credentials configured at https://console.cloud.google.com/apis/credentials

For production use, the URIs should correspond with domain names owned and accessible by the outside world.

For Testing, a client can simply re-direct its local DNS in /etc/hosts to 127.0.0.1.

$ cat /etc/hosts
127.0.0.1 localhost easyauth.com

With a created credential and client_id, google can be configured

Naviate to http://easyauth.com:8320/login and observe the changes to Login Options

Try to sign-in with a google account now:

Notice that a new user was created matching the google account, and default_groups in identity providers.

Once logged in with Google Sign In, anytime a easyauth token is expired, the browser is re-directed to /login, and a new token will be created automatically ( while signed in). This behavior will occur until logged out:

To avoid prevent each new user becoming an administrator, create some new groups, roles, actions and adjust the default_groups in identity providers.

Geek Culture

Proud to geek out. Follow to join our 1M monthly readers.