We actively support the following versions of fastapi-oidc with security updates:

If you discover a security vulnerability in fastapi-oidc, please report it privately. Do not open a public GitHub issue for security vulnerabilities.

1. Email the maintainer: harrymcwinters@gmail.com
2. Include the following information:
   • Description of the vulnerability
   • Steps to reproduce the issue
   • Potential impact and severity
   • Suggested fix (if any)
   • Your contact information (optional)

• Acknowledgment: Within 48 hours of your report
• Updates: Regular status updates as we investigate and address the issue
• Resolution Timeline: We aim to address critical vulnerabilities within 7 days
• Credit: Recognition in the security advisory (if you wish)

When using fastapi-oidc in production, follow these security best practices:

# Good - HTTPS
base_authorization_server_uri="https://auth.example.com"

# Bad - HTTP (insecure)
base_authorization_server_uri="http://auth.example.com"  # DON'T DO THIS

HTTPS prevents token interception and man-in-the-middle attacks.

Always specify and validate the expected token issuer:

authenticate_user = get_auth(
    client_id="your-client-id",
    issuer="auth.example.com",  # Must match token's 'iss' claim
    base_authorization_server_uri="https://auth.example.com",
    signature_cache_ttl=3600,
)

This prevents token substitution attacks from malicious issuers.

Set signature cache TTL to balance security and performance:

# Recommended: 1 hour (3600 seconds)
signature_cache_ttl=3600

# Acceptable: 30 minutes to 2 hours
signature_cache_ttl=1800  # 30 minutes
signature_cache_ttl=7200  # 2 hours

# Not recommended: Too long (security risk) or too short (performance impact)
signature_cache_ttl=86400  # 24 hours - keys may rotate before cache expires
signature_cache_ttl=60     # 1 minute - excessive OIDC server requests

Use Dependabot (now configured) to stay current with security patches:

# Regularly update dependencies
poetry update

# Check for security vulnerabilities
poetry run bandit -r fastapi_oidc

Never hard-code credentials or secrets:

# Bad - Hard-coded secrets
client_id = "abc123"  # DON'T DO THIS

# Good - Environment variables
import os
client_id = os.getenv("OIDC_CLIENT_ID")

Implement logging and monitoring for authentication events:

import logging

logger = logging.getLogger(__name__)

@app.get("/protected")
def protected(token: IDToken = Depends(authenticate_user)):
    logger.info(f"User {token.sub} accessed protected endpoint")
    return {"message": "Success"}

Work with your authentication provider to:

• Rotate signing keys regularly (recommended: every 90 days)
• Use strong key sizes (RSA 2048-bit minimum, 4096-bit preferred)
• Implement key rollover procedures

This library validates:

• ✅ JWT signature using provider's public keys
• ✅ Token expiration (exp claim)
• ✅ Token issuer (iss claim)
• ✅ Token audience (aud claim)

This library does not validate:

• ❌ Token revocation (use short expiration times)
• ❌ User session state (implement separately if needed)
• ❌ Rate limiting (implement in your application)

fastapi-oidc does not support token revocation checking. To mitigate this:

• Use short token expiration times (5-15 minutes recommended)
• Implement refresh token rotation
• Add application-level session management if needed

• Signing keys are cached for the configured TTL
• OIDC configuration is cached for the same TTL
• Cache is per-process (not shared across instances)
• Cache does not persist across restarts

The library makes network requests to:

• OIDC discovery endpoint (/.well-known/openid-configuration)
• JWKS endpoint (for public signing keys)

These requests:

• Have a 15-second timeout
• Are made during token validation
• Are cached according to signature_cache_ttl
• May fail if network connectivity is lost

No formal security audits have been conducted yet. We welcome community security reviews.

This library relies on:

• python-jose[cryptography] - JWT handling and verification
• cryptography - Cryptographic primitives

These are well-established, actively maintained libraries with strong security track records.

We follow responsible disclosure practices:

1. Security issues are handled privately
2. Fixes are developed and tested
3. Releases are coordinated with reporters
4. Public disclosure after fixes are available
5. Credit given to reporters (if desired)

For security-related questions or concerns:

• Email: harrymcwinters@gmail.com
• GitHub Issues: For non-sensitive security discussions only

Thank you for helping keep fastapi-oidc secure!