How to use XSUAA in FastAPI Python app

Product and Topic Expert

Hi there, 

I have a FastAPI app with two routes, one for rendering an HTML page and one for serving a request. I am using Jinja2 for templating.

Example of one of the routes:

```python
from fastapi import APIRouter, Request
from fastapi.responses import HTMLResponse

# router (APIRouter) and templates (Jinja2Templates) are created at module level in the app
@router.get("/", response_class=HTMLResponse)
async def read_root(request: Request):
    return templates.TemplateResponse("index.html", {"request": request})
```

My manifest.yaml for deploying it to Cloud Foundry:

```yaml
applications:
  - name: fastapi-app
    disk_quota: 2048M
    memory: 256M
    path: ./
    routes:
      - route:            # hostname not preserved in the post
    buildpacks:
      - python_buildpack
    # <module>:<app> is a placeholder: the ASGI module was not preserved in the post;
    # 0.0.0.0 is assumed so the process is reachable inside the container
    command: uvicorn <module>:<app> --host 0.0.0.0 --port $PORT
    services:
      - app-xsuaa
      - app-logging-service
    env:
      level: error
      xsuaa_connectivity_instance_name: "app-xsuaa"
      xsuaa_destination_instance_name: "app-xsuaa"
```

How do I protect these FastAPI routes directly with XSUAA, without having to create one more web app, run the approuter there, and then forward the request to the FastAPI app?

Also, I want FastAPI to use the subaccount's default authentication, which we do by using the redirect-uris of xs-security.json:

```json
{
	"xsappname": "fastapi-app",
	"tenant-mode": "dedicated",
	"scopes": [{
		"name": "$XSAPPNAME.fastapi_scope"
	}],
	"role-templates": [{
		"name": "FastAPIRoleTemplate",
		"default-role-name": "FastAPIRole",
		"description": "Role template for app users",
		"scope-references": ["$XSAPPNAME.fastapi_scope"]
	}],
	"oauth2-configuration": {
		"redirect-uris": [
		]
	}
}
```

Any help on achieving this will be really appreciated; we can also have a blog post on the same topic.

Product and Topic Expert

I did not find any straightforward solution to this, so I took a small detour. Since we don't have `@sap/approuter` as a plugin for Python/Java applications yet, we will need to use Node for the approuter.

Steps taken to achieve my goal:

1. Create a new Node app for the SAP approuter; see the manifest.yaml below:

```yaml
applications:
  - name: router
    routes:
      - route:            # approuter hostname not preserved in the post
    env:
      # <fastapi-app-url> is a placeholder: the FastAPI app's URL was not preserved in the post
      destinations: >
        [{
          "name": "fastapi-app",
          "url": "<fastapi-app-url>",
          "forwardAuthToken": true,
          "timeout": 600000
        }]
    disk_quota: 256M
    timeout: 600
    memory: 256M
    path: web
    services:
      - a-xsuaa
      - a-logging-service
```

If you need more information on creating the Node app, refer to this tutorial.

This destination will be used later to reach the FastAPI app through the approuter app after authentication.

2. A simple example xs-security.json for creating the XSUAA instance, where I will use the subaccount's default IdP for authentication:

```json
{
	"xsappname": "fastapi-app",
	"tenant-mode": "dedicated",
	"oauth2-configuration": {
		"redirect-uris": [
		]
	}
}
```

3. The magic of the redirect resides in xs-app.json, where I redirect all incoming requests after authentication to the FastAPI app. Whenever the user hits the approuter app URL ``, which in my case gives the impression of being the FastAPI app URL, I simply redirect them to FastAPI's route, which in turn returns the landing page for the user.

```json
{
  "routes": [
    {
      "source": "/(.*)",
      "target": "$1",
      "destination": "fastapi-app",
      "httpMethods": ["GET"],
      "csrfProtection": false
    }
  ],
  "errorPage": [
    {
      "status": [403],
      "file": "resources/forbidden.html"
    },
    {
      "status": [404],
      "file": "resources/404.html"
    }
  ]
}
```

Here the destination should match the destination name in the `destinations` environment variable that we created in manifest.yaml; that's how it knows which server to call with the generated OAuth token after authentication.

4. Example of the FastAPI route that returns the landing page after the authorization check:

```python
from typing import Optional

from fastapi import APIRouter, Depends, Request
from fastapi.responses import HTMLResponse
from fastapi.templating import Jinja2Templates
from sap.xssec.security_context_xsuaa import SecurityContextXSUAA  # sap-xssec 4.x; import path as assumed

# require_auth is the author's own FastAPI dependency (not shown in the post):
# it validates the forwarded XSUAA token and returns its security context.
router = APIRouter()
templates = Jinja2Templates(directory="com/crack/snap/make/templates")

@router.get("/", response_class=HTMLResponse)
async def read_root(request: Request, security_context: Optional[SecurityContextXSUAA] = Depends(require_auth)):
	return templates.TemplateResponse("index.html", {"request": request})
```

5. I have skipped the role creation and role check for simplicity.
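The `require_auth` dependency that step 4 relies on is not shown in the answer, and it is also the piece that addresses the original question of protecting the FastAPI routes with XSUAA: once the approuter forwards the token (`"forwardAuthToken": true`), the FastAPI app still has to verify it, because the app's own Cloud Foundry route is reachable without going through the approuter. The block below is an added example written for this page, not code from the post or from SAP. It keeps the policy (bearer extraction, 401 versus 403, building the runtime scope name from the bound instance's `xsappname`) framework-free so it runs offline; the production verifier wraps sap-xssec, whose `create_security_context_xsuaa`, `check_scope` and `get_logon_name` are assumed from its 4.x API and are not exercised here. `SAMPLE_VCAP_SERVICES`, the token strings and `demo_verifier` are constructed stand-ins.

```python
"""Validate the approuter-forwarded XSUAA token inside a FastAPI app (added example)."""
from __future__ import annotations

import json
from dataclasses import dataclass
from typing import Callable, Mapping, Optional


class AuthError(Exception):
    """Authorization failure carrying the HTTP status the client should receive."""

    def __init__(self, status_code: int, detail: str) -> None:
        super().__init__(detail)
        self.status_code = status_code
        self.detail = detail


@dataclass(frozen=True)
class Principal:
    """Verified caller: logon name plus a scope predicate supplied by the verifier."""
    user: str
    has_scope: Callable[[str], bool]


# A verifier turns a raw JWT into a Principal or raises AuthError(401).
TokenVerifier = Callable[[str], Principal]


def uaa_credentials(vcap_services_json: str) -> dict:
    """Credentials of the bound xsuaa instance, as Cloud Foundry injects them via VCAP_SERVICES."""
    services = json.loads(vcap_services_json)
    try:
        return services["xsuaa"][0]["credentials"]
    except (KeyError, IndexError) as exc:
        raise RuntimeError("no xsuaa service bound to this app") from exc


def runtime_scope(xsappname: str, local_name: str) -> str:
    """$XSAPPNAME.<name> in xs-security.json is <xsappname>.<name> in issued tokens."""
    return f"{xsappname}.{local_name}"


def bearer_token(headers: Mapping[str, str]) -> Optional[str]:
    """Token from an 'Authorization: Bearer <jwt>' header, whatever the header-name case."""
    value = next((v for k, v in headers.items() if k.lower() == "authorization"), None)
    if not value:
        return None
    scheme, _, token = value.strip().partition(" ")
    token = token.strip()
    return token if scheme.lower() == "bearer" and token else None


def authorize(headers: Mapping[str, str], verifier: TokenVerifier, required_scope: str) -> Principal:
    """401 when no valid token is presented, 403 when the token lacks the scope."""
    token = bearer_token(headers)
    if token is None:
        raise AuthError(401, "missing bearer token")
    principal = verifier(token)  # raises AuthError(401) on a bad token
    if not principal.has_scope(required_scope):
        raise AuthError(403, f"scope {required_scope} required")
    return principal


def authorize_status(headers: Mapping[str, str], verifier: TokenVerifier, required_scope: str) -> int:
    """Status the request would get: 200, 401 or 403."""
    try:
        authorize(headers, verifier, required_scope)
        return 200
    except AuthError as exc:
        return exc.status_code


def xsuaa_verifier(credentials: dict) -> TokenVerifier:
    """Production verifier: sap-xssec checks signature (XSUAA JWKS), issuer, audience and expiry."""
    def verify(token: str) -> Principal:
        from sap import xssec  # assumed sap-xssec 4.x API; imported lazily so the policy has no hard dependency
        try:
            ctx = xssec.create_security_context_xsuaa(token, credentials)
        except Exception as exc:  # any validation failure is a 401, never a 500
            raise AuthError(401, "invalid token") from exc
        return Principal(user=ctx.get_logon_name(), has_scope=ctx.check_scope)
    return verify


def require_auth_dependency(verifier: TokenVerifier, required_scope: str):
    """Wrap the policy as a FastAPI dependency for Depends(); fastapi is imported only here."""
    from fastapi import HTTPException, Request

    async def require_auth(request: Request) -> Principal:
        try:
            return authorize(request.headers, verifier, required_scope)
        except AuthError as exc:
            www = {"WWW-Authenticate": "Bearer"} if exc.status_code == 401 else None
            raise HTTPException(status_code=exc.status_code, detail=exc.detail, headers=www)
    return require_auth


# Constructed sample data for offline runs (not real credentials or tokens).
SAMPLE_VCAP_SERVICES = json.dumps({"xsuaa": [{"name": "app-xsuaa", "credentials": {
    "xsappname": "fastapi-app!t0001", "clientid": "sb-fastapi-app!t0001"}}]})
SAMPLE_SCOPE = runtime_scope(uaa_credentials(SAMPLE_VCAP_SERVICES)["xsappname"], "fastapi_scope")
_FAKE_TOKENS = {  # stand-in for signed JWTs; never use a lookup table like this in production
    "token-with-scope": Principal("alice", lambda s: s == SAMPLE_SCOPE),
    "token-without-scope": Principal("bob", lambda s: False),
}


def demo_verifier(token: str) -> Principal:
    if token not in _FAKE_TOKENS:
        raise AuthError(401, "invalid token")
    return _FAKE_TOKENS[token]


if __name__ == "__main__":
    for hdrs in ({}, {"Authorization": "Basic x"}, {"authorization": "Bearer forged"},
                 {"Authorization": "Bearer token-without-scope"}, {"Authorization": "Bearer token-with-scope"}):
        print(hdrs, "->", authorize_status(hdrs, demo_verifier, SAMPLE_SCOPE))
```

Wiring it into step 4 amounts to `require_auth = require_auth_dependency(xsuaa_verifier(creds), runtime_scope(creds["xsappname"], "fastapi_scope"))` with `creds = uaa_credentials(os.environ["VCAP_SERVICES"])`, then `Depends(require_auth)` on each route. The split between a 401 (no usable token: the approuter did not forward one, or someone called the FastAPI route directly) and a 403 (authenticated user without the `FastAPIRole` role) is what makes the role check from step 5 a one-line addition rather than a rewrite.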