Metadata-Version: 2.4
Name: mpt-fastapi-oauth
Version: 0.1.0
Summary: Generic OAuth2 authorization-code login for FastAPI, with pluggable user storage and JWT sessions
Requires-Python: >=3.10
Description-Content-Type: text/markdown
Requires-Dist: fastapi>=0.110
Requires-Dist: httpx>=0.27
Requires-Dist: python-jose[cryptography]>=3.3

# mpt-fastapi-oauth

`mptauth` - generic OAuth2 (authorization-code) login for FastAPI.

Works against any spec-compliant OAuth2/OIDC provider (Google, GitHub,
Keycloak, Auth0, or a custom in-house IdP) by configuring its endpoints
explicitly. After the provider redirect completes, mptauth hands the user's
profile to a host-supplied `resolve_user` hook (so you control how/where users
are stored) and issues its own short-lived session JWT.

## Usage

```python
from fastapi import Depends, FastAPI
from mptauth import (
    OAuth2Client,
    OAuth2ProviderConfig,
    TokenIssuer,
    build_current_user_dependency,
    build_oauth_router,
)

provider = OAuth2ProviderConfig(
    client_id="...",
    client_secret="...",
    base_url="https://provider.example.com",
    redirect_uri="https://myapp.example.com/auth/callback",
    scopes=("openid", "profile", "email"),
    # authorize_path / token_path / userinfo_path default to the
    # Django OAuth Toolkit-style "/o/authorize", "/o/token/",
    # "/api/v1/account/me/" - override them if your provider differs
)
client = OAuth2Client(provider)
# Sign session JWTs with a long random secret loaded from configuration, not a literal
issuer = TokenIssuer(secret_key="change-me", expire_minutes=60 * 24)


def resolve_user(profile: dict) -> dict:
    # Map the provider profile to local user claims. Look the user up (or
    # create it) in your own storage here; mptauth doesn't dictate storage.
    return {"sub": profile["email"], "name": profile.get("name")}


app = FastAPI()
app.include_router(build_oauth_router(client=client, issuer=issuer, resolve_user=resolve_user))

get_current_user = build_current_user_dependency(issuer)


@app.get("/me")
def me(user: dict = Depends(get_current_user)):
    return user
```

This exposes:

- `GET /auth/login` - redirects the browser to the provider's authorize endpoint
- `GET /auth/callback` - exchanges the code, resolves the user, and returns `{"access_token", "token_type"}`
- `Depends(get_current_user)` - verifies the session JWT on protected routes
