{"id":2947,"library":"fastapi-sso","title":"FastAPI SSO Integration","description":"fastapi-sso is a FastAPI plugin designed to simplify integration of Single Sign-On (SSO) with common providers like Google, Facebook, Microsoft, and many others. It streamlines the OAuth2/OpenID Connect flow for authentication. The library is actively maintained with frequent minor and patch releases, currently at version 0.21.0.","status":"active","version":"0.21.0","language":"en","source_language":"en","source_url":"https://github.com/tomasvotava/fastapi-sso","tags":["fastapi","sso","oauth","openid-connect","authentication","google","facebook","microsoft"],"install":[{"cmd":"pip install fastapi-sso","lang":"bash","label":"Install core library"},{"cmd":"pip install 'fastapi-sso[google]' # for Google provider","lang":"bash","label":"Install with specific provider dependencies"}],"dependencies":[{"reason":"Required for FastAPI form data handling, often used in callback routes.","package":"python-multipart","optional":true},{"reason":"Underlying HTTP client used by SSO providers.","package":"httpx","optional":false},{"reason":"Used for JWT handling, especially in OpenID Connect flows.","package":"python-jose","optional":true}],"imports":[{"symbol":"GoogleSSO","correct":"from fastapi_sso.sso.google import GoogleSSO"},{"symbol":"FacebookSSO","correct":"from fastapi_sso.sso.facebook import FacebookSSO"},{"note":"The OpenID class is directly under `fastapi_sso.sso` for generic OpenID Connect.","wrong":"from fastapi_sso.openid import OpenID","symbol":"OpenID","correct":"from fastapi_sso.sso import OpenID"}],"quickstart":{"code":"import os\nfrom fastapi import FastAPI\nfrom fastapi_sso.sso.google import GoogleSSO\n\napp = FastAPI()\n\nGOOGLE_CLIENT_ID = os.environ.get('GOOGLE_CLIENT_ID', 'YOUR_GOOGLE_CLIENT_ID')\nGOOGLE_CLIENT_SECRET = os.environ.get('GOOGLE_CLIENT_SECRET', 'YOUR_GOOGLE_CLIENT_SECRET')\nREDIRECT_URI = os.environ.get('GOOGLE_REDIRECT_URI', 'http://localhost:8000/auth/google/callback')\n\ngoogle_sso = GoogleSSO(\n    GOOGLE_CLIENT_ID,\n    GOOGLE_CLIENT_SECRET,\n    REDIRECT_URI,\n    allow_insecure_http=True # For localhost development\n)\n\n@app.get(\"/auth/google/login\")\nasync def google_login():\n    return await google_sso.get_login_redirect()\n\n@app.get(\"/auth/google/callback\")\nasync def google_callback():\n    try:\n        user = await google_sso.verify_and_process_token(request=app.request)\n        return {\"email\": user.email, \"display_name\": user.display_name, \"provider\": user.provider}\n    except Exception as e:\n        return {\"error\": str(e)}\n\n# To run:\n# 1. Set GOOGLE_CLIENT_ID, GOOGLE_CLIENT_SECRET, GOOGLE_REDIRECT_URI in your environment\n# 2. Configure Google OAuth credentials with Redirect URI: http://localhost:8000/auth/google/callback\n# 3. uvicorn your_module:app --reload\n# 4. Access http://localhost:8000/auth/google/login in your browser","lang":"python","description":"This quickstart demonstrates setting up Google SSO. Ensure you register your application with Google Cloud Console to obtain a client ID and secret, and configure the authorized redirect URI to match `http://localhost:8000/auth/google/callback`. For production, ensure `allow_insecure_http` is `False` and `REDIRECT_URI` uses HTTPS. Environment variables are the recommended way to manage credentials; the `YOUR_GOOGLE_CLIENT_ID` / `YOUR_GOOGLE_CLIENT_SECRET` fallbacks are placeholders for illustration only. The callback's `except Exception` branch returns `str(e)` to the client purely for illustration; in production, log the exception server-side and return a generic error response so provider or token details are not exposed."},"warnings":[{"fix":"Ensure your project uses Python 3.10 or higher. For version 0.21.0+, Python 3.10+ is required.","message":"Python 3.9 support was removed in version 0.21.0. Python 3.8 support was removed in version 0.18.0.","severity":"breaking","affected_versions":">=0.18.0, >=0.21.0"},{"fix":"Upgrade to `fastapi-sso==0.19.0` or higher immediately. Note that future `1.0.0` versions plan to use a server-side state store.","message":"A critical OAuth login CSRF vulnerability due to missing `state` validation was fixed in version 0.19.0. This is a security-critical update.","severity":"breaking","affected_versions":"<0.19.0"},{"fix":"Double-check that the `REDIRECT_URI` passed to the SSO provider object (e.g., `GoogleSSO`) precisely matches the URI registered with the third-party OAuth provider, including scheme (http/https), host, port, and path.","message":"The `redirect_uri` configured in your FastAPI-SSO instance MUST exactly match the authorized redirect URI set in your OAuth provider's developer console (e.g., Google Cloud Console). Mismatches will cause authentication failures.","severity":"gotcha","affected_versions":"all"},{"fix":"Toggle `allow_insecure_http` based on your environment. Use HTTPS for all production deployments.","message":"When developing locally, ensure `allow_insecure_http=True` is set for providers if you are using `http://localhost`. Remember to set this to `False` in production environments for security.","severity":"gotcha","affected_versions":"all"}],"env_vars":null,"last_verified":"2026-04-11T00:00:00.000Z","next_check":"2026-07-10T00:00:00.000Z"}