Verify OIDC JWT identity tokens using OIDC discovery

Navigation

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for rjw57 from gravatar.com rjw57

Unverified details

These details have not been verified by PyPI
Meta
  • License: MIT License (MIT)
  • Author: Rich Wareham
  • Requires: Python <4.0, >=3.10
Classifiers
Report project as malware

Project description

Python library to verify id tokens using OIDC discovery

PyPI - Version PyPI - Python Version GitHub Release Test suite status

OpenID connect identity tokens are a popular choice for federating identity between different systems without the need to share secrets. For example Trusted publishing on PyPI allows use of OIDC tokens created by GitHub or GitLab CI jobs to be used to authenticate when uploading new Python packages. Similarly, OIDC tokens can be used to authenticate to Google Cloud, AWS and Azure from any OIDC identity provider.

The jwt.io and jwt.ms tools allow validating OIDC id tokens without first configuring public keys by means of the OpenID connect discovery protocol.

This library implements the OpenID Connect discovery standard in Python to allow verification of OpenID Connect id tokens without previous configuration of public keys, etc.

Both synchronous and asynchronous (asyncio) implementations are provided.

Example

Suppose you created a GitLab OIDC token as part of a CI job to make an authenticated HTTP GET request to some service:

# .gitlab-ci.yml within https://gitlab.com/my-group/my-project

job_with_id_token:
  id_tokens:
    ID_TOKEN:
      aud: https://my-service.example.com
  script:
    - curl -X GET -H "Authorization: Bearer $ID_TOKEN" https://my-service.example.com

The following example shows how to verify the OIDC token came from a specific project within a backend implementation:

from typing import Any
from federatedidentity import Issuer, verifiers, verify_id_token

# Use OIDC discovery to fetch public keys for verifying GitLab tokens.
GITLAB_ISSUER = Issuer.from_discovery("https://gitlab.com")

# Expected project path for id token
EXPECTED_PROJECT_PATH = "my-group/my-project"

# Expected audience claim for id token.
EXPECTED_AUDIENCE_CLAIM = "https://my-service.example.com"

def verify_gitlab_token(token: str) -> dict[str, Any]:
    """
    Verify an OIDC token from GitLab and return the dictionary of claims. Raises
    federatedidentity.exceptions.FederatedIdentityError if the token failed verification.
    """
    return verify_id_token(
        token,
        valid_issuers=[GITLAB_ISSUER],
        valid_audiences=[EXPECTED_AUDIENCE_CLAIM],
        required_claims=[
            # The "project_path" claim must match the expected project.
            {"project_path": EXPECTED_PROJECT_PATH},
        ],
    )

See the full documentation for more examples.

Project details

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for rjw57 from gravatar.com rjw57

Unverified details

These details have not been verified by PyPI
Meta
  • License: MIT License (MIT)
  • Author: Rich Wareham
  • Requires: Python <4.0, >=3.10
Classifiers

Release history Release notifications | RSS feed

This version

0.4.38

0.4.37

0.4.36

0.4.35

0.4.34

0.4.33

0.4.32

0.4.31

0.4.30

0.4.29

0.4.28

0.4.27

0.4.26

0.4.25

0.4.24

0.4.23

0.4.22

0.4.21

0.4.20

0.4.19

0.4.18

0.4.17

0.4.16

0.4.15

0.4.14

0.4.13

0.4.12

0.4.11

0.4.10

0.4.9

0.4.8

0.4.7

0.4.6

0.4.5

0.4.4

0.4.3

0.4.2

0.4.1

0.4.0

0.3.8

0.3.7

0.3.6

0.3.5

0.3.4

0.3.0

0.2.0

0.1.0

0.0.2

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

verify_oidc_identity-0.4.38.tar.gz (7.9 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

verify_oidc_identity-0.4.38-py3-none-any.whl (10.6 kB view details)

Uploaded Python 3

File details

Details for the file verify_oidc_identity-0.4.38.tar.gz.

File metadata

  • Download URL: verify_oidc_identity-0.4.38.tar.gz
  • Upload date:
  • Size: 7.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for verify_oidc_identity-0.4.38.tar.gz
Algorithm Hash digest
SHA256 303b31f0535ed6ecea71ede1f3fd33e5dea3907c83fed4b9e5e558856397d472
MD5 d1d73817b9da868375d791ffa139b335
BLAKE2b-256 5d6e74c8d50f4eaf788e271e6017ea40c6ad4c6e3d45bae10858159c0a6765f1

See more details on using hashes here.

Provenance

The following attestation bundles were made for verify_oidc_identity-0.4.38.tar.gz:

Publisher: main.yml on rjw57/verify-oidc-identity

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file verify_oidc_identity-0.4.38-py3-none-any.whl.

File metadata

File hashes

Hashes for verify_oidc_identity-0.4.38-py3-none-any.whl
Algorithm Hash digest
SHA256 adb7522982c5e90830b8083c510b0c035cbb2b3760f985c0e696ee127f3e0739
MD5 fe43f391b91610874694b24d64aa368b
BLAKE2b-256 ace94e08b760a0f56e968c829f6767016fe675eba85d0cb02decf406bfe5687d

See more details on using hashes here.

Provenance

The following attestation bundles were made for verify_oidc_identity-0.4.38-py3-none-any.whl:

Publisher: main.yml on rjw57/verify-oidc-identity

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page