Request for Keycloak Integration

[alexandre-meline]

Hi,

I hope you are all well. I am a regular user and supporter of your project, and I am immensely impressed with the functionality and capabilities it offers. I have an enhancement suggestion that I would like to put forward for your esteemed consideration.

My experience with your repository could be significantly improved with the integration of Keycloak. Keycloak is an open-source software product that offers identity and access management and could add much value to your project through its many features like Single-Sign-On, Identity Brokering, and Social Login, among others.

Adding Keycloak to the project would simplify the process of securing our applications and services, as well as provide a more streamlined, user-friendly authentication experience for users.

If integrating Keycloak into the current project is feasible, I believe many users, including myself, would benefit from this enhancement.

Please consider this request for the upcoming sprints. I am open to providing any more information or clarification if needed.

Best regards,

Alexandre

[arunrony]

I am also interested in this feature and ready to provide insight and contribute if this gets considered.

[JamesCodeing]

I think this is one very good suggestion

[itamar82]

Are you asking for Keycloak to be added into the environment, docker-compose, etc? Technically if you already have Keycloak somewhere then you’d need to download the public key and pass that into jwt_decode along with supported algorithms.

[FermiParadox]

Wouldn't Keycloak integration provide serious value to FastAPI?
Saving 2k-6k $ is critical especially for small projects.

• Login, permissions, password handling, email verification, 2FA, SSO, etc.
• avoiding dozens of vulnerabilities
• having it all tested

Please @tiangolo check it out https://www.keycloak.org/

[jakob1379]

Instead of focusing on keycloak, why not focusing on general OIDC integration such that you might use any identity broker/provider? Then it is just a matter of having the config pointing do the discovery link of your provider and it would "just work"

[nnWhisperer]

this is such an underrated comment; this project needs an OIDC support, as later one could easily add any provider AFAIU

Instead of focusing on keycloak, why not focusing on general OIDC integration such that you might use any identity broker/provider? Then it is just a matter of having the config pointing do the discovery link of your provider and it would "just work"

[FermiParadox]

Wouldn't Keycloak integration provide serious value to FastAPI? Saving 2k-6k $ is critical especially for small projects.

* Login, permissions, password handling, email verification, 2FA, SSO, etc.

* avoiding dozens of vulnerabilities

* having it all tested

Please @tiangolo check it out https://www.keycloak.org/

A few more arguments I should mention:

• used by:
  • Hitachi, CERN, Infosys (major Japanese pharmaceutical), etc. (link)
  • Accenture, Okta, Wayfair LLC, UnitedHealthcare, Hewlett-Packard Enterprise, Capgemini, etc. (Keycloak Community Survey) - check revenue :P
• Keycloak is a Cloud Native Computing Foundation incubation project
• 32k github stars
• project lead Stian Thorgersen (Red Hat Senior Principal Software Engineer)

“Hitachi is heavily using Keycloak because it is a critical part of API security,” said Yuichi Nakamura, Director, Hitachi, Ltd. “We also have long been contributing features for API security to Keycloak and are willing to help the Keycloak project to graduate the CNCF incubation process.” - 2023

When it comes to developers building their own auth system, it is so easy to get massive security holes.

[tiangolo]

Thanks for the interest and discussion. ☕

You are of course free to add any integration you want.

For this specific project, it's out of scope at least for now. It would add extra burden to maintain and manage. There are many options of extra things that could be added that could be useful for some projects or others, but I can't add everything. The idea is to have a good baseline so that you can build on top anything you want.

Given that, I'll pass on this request. ☕