8000 📝 Clarify that OpenIdConnect does not perform token validation by oxqnd · Pull Request #13765 · fastapi/fastapi · GitHub
📝 Clarify that OpenIdConnect does not perform token validation #13765


Status: Open. Wants to merge 4 commits into master.

Conversation

@oxqnd commented Jun 4, 2025

This PR updates the docstring of the OpenIdConnect class to clarify that:

  • It does not perform token validation or decoding.
  • It only extracts the Authorization header and integrates with OpenAPI docs.
  • Developers must implement actual authentication logic separately.

This change aims to prevent confusion and reduce the risk of unintentional misuse in production environments.
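To make the distinction the PR description draws concrete, here is an added example (not FastAPI's code and not part of the PR): a stand-in `extract_authorization` that does only what the description says the scheme does, pull the `Authorization` header out and hand it back verbatim, next to a `verify_bearer_token` that performs the validation the application has to add itself. The HS256 JWT format, the `mint_token` helper, and the key, issuer and audience values are constructed assumptions for illustration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Hypothetical stand-in for the behaviour the PR describes: the scheme only
# extracts the Authorization header and returns it unchanged. It does not
# parse, decode or validate anything. (Illustration, not FastAPI's code.)
def extract_authorization(headers: dict) -> Optional[str]:
    """Return the raw Authorization header value, or None if it is absent."""
    for name, value in headers.items():
        if name.lower() == "authorization":
            return value
    return None


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def mint_token(claims: dict, key: bytes, alg: str = "HS256") -> str:
    """Constructed helper: produce a compact JWT. alg="none" yields an unsigned token."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    if alg == "none":
        return f"{header}.{payload}."
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_bearer_token(authorization: Optional[str], key: bytes, issuer: str,
                        audience: str, now: Optional[float] = None) -> dict:
    """The validation step the scheme does not do. Raises ValueError on any failure."""
    if authorization is None:
        raise ValueError("missing Authorization header")
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "bearer" or not token:
        raise ValueError("expected 'Bearer <token>'")
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm; never trust the token's own alg field to pick the check.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != audience and not (isinstance(aud, list) and audience in aud):
        raise ValueError("wrong audience")
    if "exp" not in claims or now >= float(claims["exp"]):
        raise ValueError("token expired")
    return claims


def rejection_reason(authorization: Optional[str], key: bytes, issuer: str,
                     audience: str, now: Optional[float] = None) -> Optional[str]:
    """Convenience wrapper: None when the token is accepted, else the failure reason."""
    try:
        verify_bearer_token(authorization, key, issuer, audience, now)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed sample values.
    key = b"constructed-demo-key"
    good = mint_token({"iss": "https://issuer.example", "aud": "demo-api",
                       "sub": "alice", "exp": 2000}, key)
    headers = {"Authorization": "Bearer " + good}
    # The extraction step accepts any header value, including garbage.
    print(extract_authorization({"Authorization": "Bearer not-a-token"}))
    # Only the separate validation step decides whether the request is authentic.
    print(rejection_reason(extract_authorization(headers), key,
                           "https://issuer.example", "demo-api", now=1000))
```

The point of the pairing is that a dependency built on the scheme alone yields whatever string the client sent; the `verify_bearer_token` step (signature, pinned algorithm, issuer, audience, expiry) is what the application must wire in before treating the claims as an identity.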

@YuriiMotov (Contributor) commented

Thanks for your interest in FastAPI!

If we decide that this clarification is useful we will need to add such clarifications to all similar classes (OAuth2PasswordBearer, OAuth2AuthorizationCodeBearer, APIKey*).

Also, I believe that after reading the documentation people will understand how these classes work.

@oxqnd (Author) commented Jun 4, 2025

Thanks for the feedback @YuriiMotov !

Just to give some context — this started from a security report I sent by email a while ago. The suggestion at the time was to try adding a small clarification to the docstring, so I went ahead and opened a minimal PR based on that.

That said, I totally get that if this kind of clarification is added, it should probably be applied consistently to other classes like OAuth2PasswordBearer, OAuth2AuthorizationCodeBearer, and APIKey*.

If that’s something the team wants to move forward with, I’d be glad to help apply the same kind of update to the rest.

Either way, I really appreciate you taking the time to review this!

@YuriiMotov YuriiMotov added the docs Documentation about how to use FastAPI label Jun 4, 2025
@YuriiMotov: (comment marked as resolved)

@YuriiMotov YuriiMotov changed the title docs: clarify OpenIdConnect does not perform token validation 📝 Clarify that OpenIdConnect does not perform token validation Jun 5, 2025
@oxqnd: (comment marked as resolved)
@YuriiMotov: (comment marked as resolved)

@oxqnd (Author) commented Jun 5, 2025

Just updated this PR to include the clarification across all relevant security scheme classes (OAuth2*, APIKey*). Let me know if you'd like anything tweaked!

@oxqnd (Author) commented Jun 16, 2025

Hi @YuriiMotov, just checking in, in case this PR was missed.
Happy to update anything if needed. Thank you!
