Authorization Facility

About

Provides a backend-agnostic, easy-to-extend security facility that validates that an API key is provided (following the OpenAPI specs) and provides mechanisms to load additional validation functions.

Configuration

To use it, enable the omni.services.security.auth.apikey extension and, when registering an endpoint, register the extension as a dependency:

Note

If no functions are defined, no validation will be done. This is equivalent to not having any API key validation, and the API will be open for anyone to use.

extension.py
import omni.ext

from omni.services.core import main
from omni.services.security.auth import apikey

from .services.sample import router

class SampleAuthorizationFacilityExtension(omni.ext.IExt):
    """Sample Extension illustrating usage of the Authorization Facility."""

    def on_startup(self) -> None:
        # The API key dependency is applied to every route on this router.
        main.register_router(router, prefix="/sample-auth", tags=["sample"], dependencies=[apikey.OmniApiKeyHeader()])

    def on_shutdown(self) -> None:
        main.deregister_router(router=router, prefix="/sample-auth")

By default, this only checks for the presence of X-API-KEY in the headers, but OmniApiKeyHeader can be further customized with functions:

custom_auth.py
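from omni.services.core import main
from omni.services.security.auth import apikey
from .services.sample import router

async def validate(api_key: str) -> None:
    # Reject the request by raising when the key is not the expected one.
    if api_key != "foo":
        raise Exception("Invalid key")

main.register_router(router, prefix="/sample-auth", tags=["sample"], dependencies=[apikey.OmniApiKeyHeader(check_functions=[validate])])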

It can also be configured via settings. These can go into the extension.toml, an app .kit file, or be passed via the command line.

extension.toml
[settings]
exts."omni.services.security.auth.apikey".auth_function=["omni.services.security.auth.apikey.auth_functions.validate_from_settings_list"]

Multiple functions can be provided, and validation functions do not need to live within the same project. They will be imported when set in the settings. This gives developers and teams running the service in production the flexibility to provide their own infrastructure for authentication and authorization.

A default function is provided that will take a list of valid keys via the Omniverse settings mechanism.
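
A check function with the same shape as validate in custom_auth.py (async, takes the key, raises to reject), written here as an added example and not part of the extension's own code. It stores only SHA-256 digests of the keys, compares them in constant time, and rejects everything when the allow-list is empty. The names make_key_validator, is_accepted and InvalidApiKey are hypothetical, the keys are constructed sample values, and it assumes keys are high-entropy random strings.

```python
import asyncio
import hashlib
import hmac
from typing import Awaitable, Callable, Iterable


class InvalidApiKey(Exception):
    """Raised by the check function to reject a request (hypothetical name)."""


def _digest(key: str) -> bytes:
    # Assumes high-entropy random keys, so an unsalted fast hash is enough.
    return hashlib.sha256(key.encode("utf-8")).digest()


def make_key_validator(valid_key_digests: Iterable[bytes]) -> Callable[[str], Awaitable[None]]:
    """Build an async check function: returns None to accept, raises to reject."""
    digests = tuple(valid_key_digests)

    async def validate(api_key: str) -> None:
        # Fail closed: an empty allow-list rejects every key instead of
        # silently leaving the API open.
        if not digests or not api_key:
            raise InvalidApiKey("Invalid key")
        candidate = _digest(api_key)
        # Check every stored digest in constant time, without short-circuiting,
        # so response timing does not reveal which entry (if any) matched.
        matched = False
        for stored in digests:
            matched |= hmac.compare_digest(candidate, stored)
        if not matched:
            raise InvalidApiKey("Invalid key")

    return validate


def is_accepted(check: Callable[[str], Awaitable[None]], api_key: str) -> bool:
    """Run a check function outside the service, for local testing."""
    try:
        asyncio.run(check(api_key))
        return True
    except InvalidApiKey:
        return False


# Constructed sample data: only digests of the keys are held, not the keys.
SAMPLE_DIGESTS = [_digest("constructed-key-1"), _digest("constructed-key-2")]
validate = make_key_validator(SAMPLE_DIGESTS)
```

The resulting validate can be passed as check_functions=[validate] in the same way as the function in custom_auth.py.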