OAuth2PasswordRequestFormStrict Class — fastapi Architecture

Architecture documentation for the OAuth2PasswordRequestFormStrict class in oauth2.py from the fastapi codebase.

Dependency Diagram

graph TD
  a1727aae_3e60_0278_6db3_bc96c7817236["OAuth2PasswordRequestFormStrict"]
  297a8eb4_9aae_431a_a0de_a9802a8c776d["OAuth2PasswordRequestForm"]
  a1727aae_3e60_0278_6db3_bc96c7817236 -->|extends| 297a8eb4_9aae_431a_a0de_a9802a8c776d
  efdd0530_d49f_83d3_f1d5_e8884b1b9602["oauth2.py"]
  a1727aae_3e60_0278_6db3_bc96c7817236 -->|defined in| efdd0530_d49f_83d3_f1d5_e8884b1b9602
  0e2b21da_a895_fba5_b0c3_8d2dd223a34a["__init__()"]
  a1727aae_3e60_0278_6db3_bc96c7817236 -->|method| 0e2b21da_a895_fba5_b0c3_8d2dd223a34a

Source Code

fastapi/security/oauth2.py lines 162–327

class OAuth2PasswordRequestFormStrict(OAuth2PasswordRequestForm):
    """
    This is a dependency class to collect the `username` and `password` as form data
    for an OAuth2 password flow.

    The OAuth2 specification dictates that for a password flow the data should be
    collected using form data (instead of JSON) and that it should have the specific
    fields `username` and `password`.

    All the initialization parameters are extracted from the request.

    The only difference between `OAuth2PasswordRequestFormStrict` and
    `OAuth2PasswordRequestForm` is that `OAuth2PasswordRequestFormStrict` requires the
    client to send the form field `grant_type` with the value `"password"`, which
    is required in the OAuth2 specification (it seems that for no particular reason),
    while for `OAuth2PasswordRequestForm` `grant_type` is optional.

    Read more about it in the
    [FastAPI docs for Simple OAuth2 with Password and Bearer](https://fastapi.tiangolo.com/tutorial/security/simple-oauth2/).

    ## Example

    ```python
    from typing import Annotated

    from fastapi import Depends, FastAPI
    from fastapi.security import OAuth2PasswordRequestFormStrict

    app = FastAPI()


    @app.post("/login")
    def login(form_data: Annotated[OAuth2PasswordRequestFormStrict, Depends()]):
        data = {}
        data["scopes"] = []
        for scope in form_data.scopes:
            data["scopes"].append(scope)
        if form_data.client_id:
            data["client_id"] = form_data.client_id
        if form_data.client_secret:
            data["client_secret"] = form_data.client_secret
        return data
    ```

    Note that for OAuth2 the scope `items:read` is a single scope in an opaque string.
    You could have custom internal logic to separate it by colon characters (`:`) or
    similar, and get the two parts `items` and `read`. Many applications do that to
    group and organize permissions, you could do it as well in your application, just
    know that it is application specific, it's not part of the specification.


    grant_type: the OAuth2 spec says it is required and MUST be the fixed string "password".
        This dependency is strict about it. If you want to be permissive, use instead the
        OAuth2PasswordRequestForm dependency class.
    username: username string. The OAuth2 spec requires the exact field name "username".
    password: password string. The OAuth2 spec requires the exact field name "password".
    scope: Optional string. Several scopes (each one a string) separated by spaces. E.g.
        "items:read items:write users:read profile openid"
    client_id: optional string. OAuth2 recommends sending the client_id and client_secret (if any)
        using HTTP Basic auth, as: client_id:client_secret
    client_secret: optional string. OAuth2 recommends sending the client_id and client_secret (if any)
        using HTTP Basic auth, as: client_id:client_secret
    """

    def __init__(
        self,
        grant_type: Annotated[
            str,
            Form(pattern="^password$"),
            Doc(
                """
                The OAuth2 spec says it is required and MUST be the fixed string
                "password". This dependency is strict about it. If you want to be
                permissive, use instead the `OAuth2PasswordRequestForm` dependency
                class.

                Read more about it in the
                [FastAPI docs for Simple OAuth2 with Password and Bearer](https://fastapi.tiangolo.com/tutorial/security/simple-oauth2/).
                """
            ),
        ],

Frequently Asked Questions

What is the OAuth2PasswordRequestFormStrict class?
OAuth2PasswordRequestFormStrict is a class in the fastapi codebase, defined in fastapi/security/oauth2.py.
Where is OAuth2PasswordRequestFormStrict defined?
OAuth2PasswordRequestFormStrict is defined in fastapi/security/oauth2.py at line 162.
What does OAuth2PasswordRequestFormStrict extend?
OAuth2PasswordRequestFormStrict extends OAuth2PasswordRequestForm.
