Authorization Facility#

About#

Provides a backend agnostic and easy to extend Security facility that will validate an API key is provided (following the OpenAPI specs) and provides mechanisms to load additional validation functions.

Configuration#

To use, enable the omni.services.security.auth.apikey extension and when registering an endpoint, the extension needs to be registered as a dependency:

Note

If no functions are defined, no validation will be performed. This will be the equivalent of not having any API key validation, and the API will be open for anyone to use.

extension.py#
 1import omni.ext
 2
 3from omni.services.core import main
 4from omni.services.security.auth import apikey
 5
 6from .services.sample import router
 7
 8class SampleAuthorizationFacilityExtension(omni.ext.IExt):
 9    """Sample Extension illustrating usage of the Authorization Facility."""
10
11    def on_startup(self) -> None:
12        main.register_router(router, prefix="/sample-auth", tags=["sample"], dependencies=[apikey.OmniApiKeyHeader()])
13
14    def on_shutdown(self) -> None:
15        main.deregister_router(router=router, prefix="/sample-auth")

By default this will just check for the presence of X-API-KEY in the headers, but OmniApiKeyHeader can be further customized with functions:

custom_auth.py#
 1async def validate(api_key: str) -> None:
 2    if api_key != "foo":
 3        raise Exception("Invalid API key.")
 4
 5main.register_endpoint(
 6    router,
 7    prefix="/sample-auth",
 8    tags=["sample"],
 9    dependencies=[apikey.OmniApiKeyHeader(check_functions=[validate])],
10)

It can also be configured via settings. These can go into either in the extensions.toml, an application’s .kit file or via the command-line:

extension.toml#
1[settings]
2exts."omni.services.security.auth.apikey".auth_function=["omni.services.security.auth.apikey.auth_functions.validate_from_settings_list"]

Multiple functions can be provided and functions to validate do not need to live within the same project. They will be imported when set in the settings. This will allow flexibility to developers and teams running the service in production to provide infrastructure for authentication and authorization

A default function is provided that will take a list of valid keys via the Omniverse settings mechanism.