====================== Authorization Facility ====================== About ----- Provides a backend agnostic and easy to extend Security facility that will validate an API key is provided (following the OpenAPI specs) and provides mechanisms to load additional validation functions. Configuration ------------- To use, enable the ``omni.services.security.auth.apikey`` extension and when registering an endpoint, the extension needs to be registered as a dependency: .. note:: If no functions are defined, no validation will be performed. This will be the equivalent of not having any API key validation, and the API will be open for anyone to use. .. code-block:: python :linenos: :caption: extension.py :name: security/extension.py :emphasize-lines: 12 import omni.ext from omni.services.core import main from omni.services.security.auth import apikey from .services.sample import router class SampleAuthorizationFacilityExtension(omni.ext.IExt): """Sample Extension illustrating usage of the Authorization Facility.""" def on_startup(self) -> None: main.register_router(router, prefix="/sample-auth", tags=["sample"], dependencies=[apikey.OmniApiKeyHeader()]) def on_shutdown(self) -> None: main.deregister_router(router=router, prefix="/sample-auth") By default this will just check for the presence of ``X-API-KEY`` in the headers, but ``OmniApiKeyHeader`` can be further customized with functions: .. code-block:: python :linenos: :caption: custom_auth.py :name: security/custom_auth.py :emphasize-lines: 9 async def validate(api_key: str) -> None: if api_key != "foo": raise Exception("Invalid API key.") main.register_endpoint( router, prefix="/sample-auth", tags=["sample"], dependencies=[apikey.OmniApiKeyHeader(check_functions=[validate])], ) It can also be configured via settings. These can go into either in the `extensions.toml`, an application's `.kit` file or via the command-line: .. code-block:: toml :linenos: :caption: extension.toml :name: security/extension.toml [settings] exts."omni.services.security.auth.apikey".auth_function=["omni.services.security.auth.apikey.auth_functions.validate_from_settings_list"] Multiple functions can be provided and functions to validate do not need to live within the same project. They will be imported when set in the settings. This will allow flexibility to developers and teams running the service in production to provide infrastructure for authentication and authorization A default function is provided that will take a list of valid keys via the Omniverse settings mechanism.