fastapi-factory-utilities 0.3.6__py3-none-any.whl → 0.9.1__py3-none-any.whl

fastapi_factory_utilities/core/security/jwt/services.py

@@ -0,0 +1,176 @@
+"""Provides the JWT bearer authentication service."""
+
+from http import HTTPStatus
+from typing import Generic, TypeVar
+
+from fastapi import HTTPException, Request
+
+from fastapi_factory_utilities.core.security.abstracts import AuthenticationAbstract
+
+from .configs import JWTBearerAuthenticationConfig
+from .decoders import JWTBearerTokenDecoder, JWTBearerTokenDecoderAbstract
+from .exceptions import InvalidJWTError, InvalidJWTPayploadError, MissingJWTCredentialsError, NotVerifiedJWTError
+from .objects import JWTPayload
+from .stores import JWKStoreAbstract
+from .types import JWTToken
+from .verifiers import JWTNoneVerifier, JWTVerifierAbstract
+
+JWTBearerPayloadGeneric = TypeVar("JWTBearerPayloadGeneric", bound=JWTPayload)
+
+
+class JWTAuthenticationServiceAbstract(AuthenticationAbstract, Generic[JWTBearerPayloadGeneric]):
+    """JWT authentication service.
+
+    This service is the orchestrator for the JWT bearer authentication.
+    """
+
+    def __init__(
+        self,
+        jwt_bearer_authentication_config: JWTBearerAuthenticationConfig,
+        jwt_verifier: JWTVerifierAbstract[JWTBearerPayloadGeneric],
+        jwt_decoder: JWTBearerTokenDecoderAbstract[JWTBearerPayloadGeneric],
+        raise_exception: bool = True,
+    ) -> None:
+        """Initialize the JWT bearer authentication service.
+
+        Args:
+            jwt_bearer_authentication_config (JWTBearerAuthenticationConfig): The JWT bearer authentication
+            configuration.
+            jwt_verifier (JWTVerifierAbstract): The JWT bearer token verifier.
+            jwt_decoder (JWTBearerTokenDecoderAbstract[JWTBearerPayloadGeneric]): The JWT bearer token decoder.
+            raise_exception (bool, optional): Whether to raise an exception or return None. Defaults to True.
+        """
+        # Configuration and Behavior
+        self._jwt_bearer_authentication_config: JWTBearerAuthenticationConfig = jwt_bearer_authentication_config
+        self._jwt_verifier: JWTVerifierAbstract[JWTBearerPayloadGeneric] = jwt_verifier
+        self._jwt_decoder: JWTBearerTokenDecoderAbstract[JWTBearerPayloadGeneric] = jwt_decoder
+        # Runtime variables
+        self._jwt: JWTToken | None = None
+        self._jwt_payload: JWTBearerPayloadGeneric | None = None
+        super().__init__(raise_exception=raise_exception)
+
+    @property
+    def verifier(self) -> JWTVerifierAbstract[JWTBearerPayloadGeneric]:
+        """Get the JWT bearer token verifier.
+
+        Returns:
+            JWTVerifierAbstract[JWTBearerPayloadGeneric]: The JWT bearer token verifier.
+        """
+        return self._jwt_verifier
+
+    @property
+    def decoder(self) -> JWTBearerTokenDecoderAbstract[JWTBearerPayloadGeneric]:
+        """Get the JWT bearer token decoder.
+
+        Returns:
+            JWTBearerTokenDecoderAbstract[JWTBearerPayloadGeneric]: The JWT bearer token decoder.
+        """
+        return self._jwt_decoder
+
+    @classmethod
+    def extract_authorization_header_from_request(cls, request: Request) -> str:
+        """Extract the authorization header from the request.
+
+        Args:
+            request (Request): The request object.
+
+        Returns:
+            str: The authorization header.
+
+        Raises:
+            MissingJWTCredentialsError: If the authorization header is missing.
+        """
+        authorization_header: str | None = request.headers.get("Authorization", None)
+        if not authorization_header:
+            raise MissingJWTCredentialsError(message="Missing Credentials")
+        return authorization_header
+
+    @classmethod
+    def extract_bearer_token_from_authorization_header(cls, authorization_header: str) -> JWTToken:
+        """Extract the bearer token from the authorization header.
+
+        Args:
+            authorization_header (str): The authorization header.
+
+        Returns:
+            JWTToken: The bearer token.
+
+        Raises:
+            InvalidJWTError: If the authorization header is invalid.
+        """
+        if not authorization_header.startswith("Bearer "):
+            raise InvalidJWTError(message="Invalid Credentials")
+        return JWTToken(authorization_header.split(sep=" ")[1])
+
+    @property
+    def payload(self) -> JWTBearerPayloadGeneric | None:
+        """Get the JWT bearer payload.
+
+        Returns:
+            JWTBearerPayloadGeneric | None: The JWT bearer payload, or None if not authenticated yet.
+        """
+        return self._jwt_payload
+
+    async def authenticate(self, request: Request) -> None:
+        """Authenticate the JWT bearer token.
+
+        Args:
+            request (Request): The request object.
+
+        Returns:
+            None: If the authentication is successful or not raise_exception is False.
+
+        Raises:
+            MissingJWTCredentialsError: If the authorization header is missing.
+            InvalidJWTError: If the authorization header is invalid.
+            InvalidJWTPayploadError: If the JWT bearer token payload is invalid.
+            NotVerifiedJWTError: If the JWT bearer token is not verified.
+        """
+        authorization_header: str
+        try:
+            authorization_header = self.extract_authorization_header_from_request(request=request)
+            self._jwt = self.extract_bearer_token_from_authorization_header(authorization_header=authorization_header)
+        except (MissingJWTCredentialsError, InvalidJWTError) as e:
+            return self.raise_exception(HTTPException(status_code=HTTPStatus.UNAUTHORIZED, detail=str(e)))
+
+        try:
+            self._jwt_payload = await self._jwt_decoder.decode_payload(jwt_token=self._jwt)
+        except (InvalidJWTError, InvalidJWTPayploadError) as e:
+            return self.raise_exception(HTTPException(status_code=HTTPStatus.FORBIDDEN, detail=str(e)))
+
+        try:
+            await self._jwt_verifier.verify(jwt_token=self._jwt, jwt_payload=self._jwt_payload)
+        except NotVerifiedJWTError as e:
+            return self.raise_exception(HTTPException(status_code=HTTPStatus.FORBIDDEN, detail=str(e)))
+
+        return
+
+
+class JWTAuthenticationService(JWTAuthenticationServiceAbstract[JWTPayload]):
+    """JWT bearer authentication service."""
+
+    def __init__(
+        self,
+        jwt_bearer_authentication_config: JWTBearerAuthenticationConfig,
+        jwks_store: JWKStoreAbstract,
+        raise_exception: bool = True,
+    ) -> None:
+        """Initialize the JWT bearer authentication service.
+
+        Don't enforce the public_key from configuration, for the developper to
+        provide it through the dependency injection freely from any source.
+
+        Args:
+            jwt_bearer_authentication_config (JWTBearerAuthenticationConfig): The JWT bearer authentication
+            configuration.
+            jwks_store (JWKStoreAbstract): The JWKS store.
+            raise_exception (bool, optional): Whether to raise an exception or return None. Defaults to True.
+        """
+        super().__init__(
+            jwt_bearer_authentication_config=jwt_bearer_authentication_config,
+            jwt_verifier=JWTNoneVerifier(),
+            jwt_decoder=JWTBearerTokenDecoder(
+                jwt_bearer_authentication_config=jwt_bearer_authentication_config, jwks_store=jwks_store
+            ),
+            raise_exception=raise_exception,
+        )

fastapi_factory_utilities/core/security/jwt/stores.py

@@ -0,0 +1,43 @@
+"""Provides the JWK stores."""
+
+from abc import ABC, abstractmethod
+from asyncio import Lock
+
+from jwt.api_jwk import PyJWK, PyJWKSet
+
+
+class JWKStoreAbstract(ABC):
+    """JWK store abstract class."""
+
+    async def get_jwk(self, kid: str) -> PyJWK:
+        """Get the JWK from the store."""
+        return (await self.get_jwks())[kid]
+
+    @abstractmethod
+    async def get_jwks(self) -> PyJWKSet:
+        """Get the JWKS from the store."""
+        raise NotImplementedError()
+
+    @abstractmethod
+    async def store_jwks(self, jwks: PyJWKSet) -> None:
+        """Store the JWKS in the store."""
+        raise NotImplementedError()
+
+
+class JWKStoreMemory(JWKStoreAbstract):
+    """JWK store in memory. Concurrent safe."""
+
+    def __init__(self) -> None:
+        """Initialize the JWK store in memory."""
+        self._jwks: PyJWKSet = PyJWKSet([])
+        self._lock: Lock = Lock()
+
+    async def get_jwks(self) -> PyJWKSet:
+        """Get the JWKS from the store."""
+        async with self._lock:
+            return self._jwks
+
+    async def store_jwks(self, jwks: PyJWKSet) -> None:
+        """Store the JWKS in the store."""
+        async with self._lock:
+            self._jwks = jwks

fastapi_factory_utilities/core/security/jwt/types.py

@@ -0,0 +1,9 @@
+"""Provides the JWT bearer token types."""
+
+from typing import NewType
+
+JWTToken = NewType("JWTToken", str)
+OAuth2Scope = NewType("OAuth2Scope", str)
+OAuth2Audience = NewType("OAuth2Audience", str)
+OAuth2Issuer = NewType("OAuth2Issuer", str)
+OAuth2Subject = NewType("OAuth2Subject", str)

fastapi_factory_utilities/core/security/jwt/verifiers.py

@@ -0,0 +1,46 @@
+"""Provides the JWT bearer token validator."""
+
+from abc import ABC, abstractmethod
+from typing import Generic, TypeVar
+
+from .objects import JWTPayload
+from .types import JWTToken
+
+JWTBearerPayloadGeneric = TypeVar("JWTBearerPayloadGeneric", bound=JWTPayload)
+
+
+class JWTVerifierAbstract(ABC, Generic[JWTBearerPayloadGeneric]):
+    """JWT verifier."""
+
+    @abstractmethod
+    async def verify(
+        self,
+        jwt_token: JWTToken,
+        jwt_payload: JWTBearerPayloadGeneric,
+    ) -> None:
+        """Verify the JWT bearer token.
+
+        Args:
+            jwt_token (JWTToken): The JWT bearer token.
+            jwt_payload (JWTBearerPayloadGeneric): The JWT bearer payload.
+
+        Raises:
+            NotVerifiedJWTError: If the JWT bearer token is not verified.
+        """
+        raise NotImplementedError()
+
+
+class JWTNoneVerifier(JWTVerifierAbstract[JWTPayload]):
+    """JWT none verifier."""
+
+    async def verify(self, jwt_token: JWTToken, jwt_payload: JWTPayload) -> None:
+        """Verify the JWT bearer token.
+
+        Args:
+            jwt_token (JWTToken): The JWT bearer token.
+            jwt_payload (JWTBearerPayload): The JWT bearer payload.
+
+        Raises:
+            NotVerifiedJWTError: If the JWT bearer token is not verified.
+        """
+        return

fastapi_factory_utilities/core/security/kratos.py

@@ -1,41 +1,37 @@
 """Provide Kratos Session and Identity classes."""
 
-from enum import StrEnum
-from typing import Annotated
+from http import HTTPStatus
 
-from fastapi import Depends, HTTPException, Request
+from fastapi import HTTPException, Request
 
+from fastapi_factory_utilities.core.security.abstracts import AuthenticationAbstract
 from fastapi_factory_utilities.core.services.kratos import (
     KratosOperationError,
     KratosService,
     KratosSessionInvalidError,
     KratosSessionObject,
-    depends_kratos_service,
 )
 
 
-class KratosSessionAuthenticationErrors(StrEnum):
-    """Kratos Session Authentication Errors."""
-
-    MISSING_CREDENTIALS = "Missing Credentials"
-    INVALID_CREDENTIALS = "Invalid Credentials"
-    INTERNAL_SERVER_ERROR = "Internal Server Error"
-
-
-class KratosSessionAuthentication:
+class KratosSessionAuthenticationService(AuthenticationAbstract):
     """Kratos Session class."""
 
     DEFAULT_COOKIE_NAME: str = "ory_kratos_session"
 
-    def __init__(self, cookie_name: str = DEFAULT_COOKIE_NAME, raise_exception: bool = True) -> None:
+    def __init__(
+        self, kratos_service: KratosService, cookie_name: str = DEFAULT_COOKIE_NAME, raise_exception: bool = True
+    ) -> None:
         """Initialize the KratosSessionAuthentication class.
 
         Args:
-            cookie_name (str): Name of the cookie to extract the session
-            raise_exception (bool): Whether to raise an exception or return None
+            kratos_service (KratosService): Kratos service object.
+            cookie_name (str): Name of the cookie to extract the session.
+            raise_exception (bool): Whether to raise an exception or return None.
         """
+        self._kratos_service: KratosService = kratos_service
         self._cookie_name: str = cookie_name
-        self._raise_exception: bool = raise_exception
+        self._session: KratosSessionObject
+        super().__init__(raise_exception=raise_exception)
 
     def _extract_cookie(self, request: Request) -> str | None:
         """Extract the cookie from the request.
@@ -51,9 +47,16 @@ class KratosSessionAuthentication:
         """
         return request.cookies.get(self._cookie_name, None)
 
-    async def __call__(
-        self, request: Request, kratos_service: Annotated[KratosService, Depends(depends_kratos_service)]
-    ) -> KratosSessionObject | KratosSessionAuthenticationErrors:
+    @property
+    def session(self) -> KratosSessionObject:
+        """Get the Kratos session.
+
+        Returns:
+            KratosSessionObject: Kratos session object.
+        """
+        return self._session
+
+    async def authenticate(self, request: Request) -> None:
         """Extract the Kratos session from the request.
 
         Args:
@@ -61,38 +64,35 @@ class KratosSessionAuthentication:
             kratos_service (KratosService): Kratos service object.
 
         Returns:
-            KratosSessionObject | KratosSessionAuthenticationErrors: Kratos session object or error.
+            None: If the authentication is successful or not raise_exception is False.
 
         Raises:
             HTTPException: If the session is invalid and raise_exception is True.
         """
         cookie: str | None = self._extract_cookie(request)
         if not cookie:
-            if self._raise_exception:
-                raise HTTPException(
-                    status_code=401,
-                    detail=KratosSessionAuthenticationErrors.MISSING_CREDENTIALS,
+            return self.raise_exception(
+                HTTPException(
+                    status_code=HTTPStatus.UNAUTHORIZED,
+                    detail="Missing Credentials",
                 )
-            else:
-                return KratosSessionAuthenticationErrors.MISSING_CREDENTIALS
+            )
 
         try:
-            session: KratosSessionObject = await kratos_service.whoami(cookie_value=cookie)
-        except KratosSessionInvalidError as e:
-            if self._raise_exception:
-                raise HTTPException(
-                    status_code=401,
+            self._session = await self._kratos_service.whoami(cookie_value=cookie)
+        except KratosSessionInvalidError:
+            return self.raise_exception(
+                HTTPException(
+                    status_code=HTTPStatus.UNAUTHORIZED,
                     detail="Invalid Credentials",
-                ) from e
-            else:
-                return KratosSessionAuthenticationErrors.INVALID_CREDENTIALS
-        except KratosOperationError as e:
-            if self._raise_exception:
-                raise HTTPException(
-                    status_code=500,
+                )
+            )
+        except KratosOperationError:
+            return self.raise_exception(
+                HTTPException(
+                    status_code=HTTPStatus.INTERNAL_SERVER_ERROR,
                     detail="Internal Server Error",
-                ) from e
-            else:
-                return KratosSessionAuthenticationErrors.INTERNAL_SERVER_ERROR
+                )
+            )
 
-        return session
+        return

fastapi_factory_utilities/core/services/hydra/__init__.py

@@ -0,0 +1,20 @@
+"""Hydra service module."""
+
+from .exceptions import HydraOperationError, HydraTokenInvalidError
+from .objects import HydraTokenIntrospectObject
+from .services import (
+    HydraIntrospectService,
+    HydraOAuth2ClientCredentialsService,
+    depends_hydra_introspect_service,
+    depends_hydra_oauth2_client_credentials_service,
+)
+
+__all__: list[str] = [
+    "HydraIntrospectService",
+    "HydraOAuth2ClientCredentialsService",
+    "HydraOperationError",
+    "HydraTokenIntrospectObject",
+    "HydraTokenInvalidError",
+    "depends_hydra_introspect_service",
+    "depends_hydra_oauth2_client_credentials_service",
+]

fastapi_factory_utilities/core/services/hydra/exceptions.py

@@ -0,0 +1,15 @@
+"""Python exceptions for the Hydra service."""
+
+from fastapi_factory_utilities.core.exceptions import FastAPIFactoryUtilitiesError
+
+
+class HydraError(FastAPIFactoryUtilitiesError):
+    """Base class for all exceptions raised by the Hydra service."""
+
+
+class HydraOperationError(HydraError):
+    """Exception raised when a Hydra operation fails."""
+
+
+class HydraTokenInvalidError(HydraError):
+    """Exception raised when a Hydra token is invalid."""

fastapi_factory_utilities/core/services/hydra/objects.py

@@ -0,0 +1,26 @@
+"""Provides the objects for the Hydra service."""
+
+from typing import ClassVar
+
+from pydantic import BaseModel, ConfigDict
+
+
+class HydraTokenIntrospectObject(BaseModel):
+    """Represents the object returned by the Hydra token introspection."""
+
+    model_config: ClassVar[ConfigDict] = ConfigDict(extra="ignore")
+
+    active: bool
+    aud: list[str]
+    client_id: str
+    exp: int
+    ext: dict[str, str] | None = None
+    iat: int
+    iss: str
+    nbf: int
+    obfuscated_subject: str | None = None
+    scope: str
+    sub: str
+    token_type: str
+    token_use: str
+    username: str | None = None

fastapi_factory_utilities/core/services/hydra/services.py

@@ -0,0 +1,200 @@
+"""Provides a service to interact with the Hydra service."""
+
+import json
+from base64 import b64encode
+from http import HTTPStatus
+from typing import Annotated, Any, Generic, TypeVar, get_args
+
+import aiohttp
+import jwt
+from fastapi import Depends
+from pydantic import ValidationError
+
+from fastapi_factory_utilities.core.app import (
+    DependencyConfig,
+    HttpServiceDependencyConfig,
+    depends_dependency_config,
+)
+
+from .exceptions import HydraOperationError
+from .objects import HydraTokenIntrospectObject
+
+HydraIntrospectObjectGeneric = TypeVar("HydraIntrospectObjectGeneric", bound=HydraTokenIntrospectObject)
+
+
+class HydraIntrospectGenericService(Generic[HydraIntrospectObjectGeneric]):
+    """Service to interact with the Hydra introspect service with a generic introspect object."""
+
+    INTROSPECT_ENDPOINT: str = "/admin/oauth2/introspect"
+    WELLKNOWN_JWKS_ENDPOINT: str = "/.well-known/jwks.json"
+
+    def __init__(
+        self,
+        hydra_admin_http_config: HttpServiceDependencyConfig,
+        hydra_public_http_config: HttpServiceDependencyConfig,
+    ) -> None:
+        """Instanciate the Hydra introspect service.
+
+        Args:
+            hydra_admin_http_config (HttpServiceDependencyConfig): The Hydra admin HTTP configuration.
+            hydra_public_http_config (HttpServiceDependencyConfig): The Hydra public HTTP configuration.
+        """
+        self._hydra_admin_http_config: HttpServiceDependencyConfig = hydra_admin_http_config
+        self._hydra_public_http_config: HttpServiceDependencyConfig = hydra_public_http_config
+        # Retrieve the concrete introspect object class
+        generic_args: tuple[Any, ...] = get_args(self.__orig_bases__[0])  # type: ignore
+        self._concreate_introspect_object_class: type[HydraIntrospectObjectGeneric] = generic_args[0]
+
+    async def introspect(self, token: str) -> HydraIntrospectObjectGeneric:
+        """Introspects a token using the Hydra introspect service.
+
+        Args:
+            token (str): The token to introspect.
+        """
+        try:
+            async with aiohttp.ClientSession(
+                base_url=str(self._hydra_admin_http_config.url),
+            ) as session:
+                async with session.post(
+                    url=self.INTROSPECT_ENDPOINT,
+                    data={"token": token},
+                ) as response:
+                    response.raise_for_status()
+                    instrospect: HydraIntrospectObjectGeneric = self._concreate_introspect_object_class.model_validate(
+                        await response.json()
+                    )
+        except aiohttp.ClientResponseError as error:
+            raise HydraOperationError("Failed to introspect the token", status_code=error.status) from error
+        except json.JSONDecodeError as error:
+            raise HydraOperationError("Failed to decode the introspect response") from error
+        except ValidationError as error:
+            raise HydraOperationError("Failed to validate the introspect response") from error
+
+        return instrospect
+
+    async def get_wellknown_jwks(self) -> jwt.PyJWKSet:
+        """Get the JWKS from the Hydra service."""
+        try:
+            async with aiohttp.ClientSession(
+                base_url=str(self._hydra_public_http_config.url),
+            ) as session:
+                async with session.get(
+                    url=self.WELLKNOWN_JWKS_ENDPOINT,
+                ) as response:
+                    response.raise_for_status()
+                    jwks_data: dict[str, Any] = await response.json()
+                    jwks: jwt.PyJWKSet = jwt.PyJWKSet.from_dict(jwks_data)
+                    return jwks
+        except aiohttp.ClientResponseError as error:
+            raise HydraOperationError(
+                "Failed to get the JWKS from the Hydra service", status_code=error.status
+            ) from error
+        except json.JSONDecodeError as error:
+            raise HydraOperationError("Failed to decode the JWKS from the Hydra service") from error
+        except ValidationError as error:
+            raise HydraOperationError("Failed to validate the JWKS from the Hydra service") from error
+
+
+class HydraIntrospectService(HydraIntrospectGenericService[HydraTokenIntrospectObject]):
+    """Service to interact with the Hydra introspect service with the default HydraTokenIntrospectObject."""
+
+
+class HydraOAuth2ClientCredentialsService:
+    """Service to interact with the Hydra service."""
+
+    INTROSPECT_ENDPOINT: str = "/admin/oauth2/introspect"
+    CLIENT_CREDENTIALS_ENDPOINT: str = "/oauth2/token"
+
+    def __init__(
+        self,
+        hydra_public_http_config: HttpServiceDependencyConfig,
+    ) -> None:
+        """Instanciate the Hydra service.
+
+        Args:
+            hydra_admin_http_config (HttpServiceDependencyConfig): The Hydra admin HTTP configuration.
+            hydra_public_http_config (HttpServiceDependencyConfig): The Hydra public HTTP configuration.
+        """
+        self._hydra_public_http_config: HttpServiceDependencyConfig = hydra_public_http_config
+
+    async def oauth2_client_credentials(self, client_id: str, client_secret: str, scope: str) -> str:
+        """Get the OAuth2 client credentials.
+
+        Args:
+            client_id (str): The client ID.
+            client_secret (str): The client secret.
+            scope (str): The scope.
+
+        Returns:
+            str: The access token.
+
+        Raises:
+            HydraOperationError: If the client credentials request fails.
+        """
+        # Create base64 encoded Basic Auth header
+        auth_string = f"{client_id}:{client_secret}"
+        auth_bytes = auth_string.encode("utf-8")
+        auth_b64 = b64encode(auth_bytes).decode("utf-8")
+
+        async with aiohttp.ClientSession(
+            base_url=str(self._hydra_public_http_config.url),
+        ) as session:
+            async with session.post(
+                url=self.CLIENT_CREDENTIALS_ENDPOINT,
+                headers={"Authorization": f"Basic {auth_b64}"},
+                data={"grant_type": "client_credentials", "scope": scope},
+            ) as response:
+                response_data = await response.json()
+                if response.status != HTTPStatus.OK:
+                    raise HydraOperationError(f"Failed to get client credentials: {response_data}")
+
+                return response_data["access_token"]
+
+
+def depends_hydra_oauth2_client_credentials_service(
+    dependency_config: Annotated[DependencyConfig, Depends(depends_dependency_config)],
+) -> HydraOAuth2ClientCredentialsService:
+    """Dependency injection for the Hydra OAuth2 client credentials service.
+
+    Args:
+        dependency_config (DependencyConfig): The dependency configuration.
+
+    Returns:
+        HydraOAuth2ClientCredentialsService: The Hydra OAuth2 client credentials service instance.
+
+    Raises:
+        HydraOperationError: If the Hydra public dependency is not configured.
+    """
+    if dependency_config.hydra_public is None:
+        raise HydraOperationError(message="Hydra public dependency not configured")
+
+    return HydraOAuth2ClientCredentialsService(
+        hydra_public_http_config=dependency_config.hydra_public,
+    )
+
+
+def depends_hydra_introspect_service(
+    dependency_config: Annotated[DependencyConfig, Depends(depends_dependency_config)],
+) -> HydraIntrospectService:
+    """Dependency injection for the Hydra introspect service.
+
+    Args:
+        dependency_config (DependencyConfig): The dependency configuration.
+
+    Returns:
+        HydraIntrospectService: The Hydra introspect service instance.
+
+    Raises:
+        HydraOperationError: If the Hydra admin dependency is not configured.
+    """
+    if getattr(dependency_config, "hydra_admin", None) is None:
+        raise HydraOperationError(message="Hydra admin dependency not configured")
+    assert dependency_config.hydra_admin is not None
+    if getattr(dependency_config, "hydra_public", None) is None:
+        raise HydraOperationError(message="Hydra public dependency not configured")
+    assert dependency_config.hydra_public is not None
+
+    return HydraIntrospectService(
+        hydra_admin_http_config=dependency_config.hydra_admin,
+        hydra_public_http_config=dependency_config.hydra_public,
+    )