Verify OIDC JWT identity tokens using OIDC discovery

Navigation

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for rjw57 from gravatar.com rjw57

Unverified details

These details have not been verified by PyPI
Meta
  • License: MIT License (MIT)
  • Author: Rich Wareham
  • Requires: Python <4.0, >=3.10
Classifiers
Report project as malware

Project description

Python library to verify id tokens using OIDC discovery

PyPI - Version PyPI - Python Version GitHub Release Test suite status

OpenID connect identity tokens are a popular choice for federating identity between different systems without the need to share secrets. For example Trusted publishing on PyPI allows use of OIDC tokens created by GitHub or GitLab CI jobs to be used to authenticate when uploading new Python packages. Similarly, OIDC tokens can be used to authenticate to Google Cloud, AWS and Azure from any OIDC identity provider.

The jwt.io and jwt.ms tools allow validating OIDC id tokens without first configuring public keys by means of the OpenID connect discovery protocol.

This library implements the OpenID Connect discovery standard in Python to allow verification of OpenID Connect id tokens without previous configuration of public keys, etc.

Both synchronous and asynchronous (asyncio) implementations are provided.

Example

Suppose you created a GitLab OIDC token as part of a CI job to make an authenticated HTTP GET request to some service:

# .gitlab-ci.yml within https://gitlab.com/my-group/my-project

job_with_id_token:
  id_tokens:
    ID_TOKEN:
      aud: https://my-service.example.com
  script:
    - curl -X GET -H "Authorization: Bearer $ID_TOKEN" https://my-service.example.com

The following example shows how to verify the OIDC token came from a specific project within a backend implementation:

from typing import Any
from federatedidentity import Issuer, verifiers, verify_id_token

# Use OIDC discovery to fetch public keys for verifying GitLab tokens.
GITLAB_ISSUER = Issuer.from_discovery("https://gitlab.com")

# Expected project path for id token
EXPECTED_PROJECT_PATH = "my-group/my-project"

# Expected audience claim for id token.
EXPECTED_AUDIENCE_CLAIM = "https://my-service.example.com"

def verify_gitlab_token(token: str) -> dict[str, Any]:
    """
    Verify an OIDC token from GitLab and return the dictionary of claims. Raises
    federatedidentity.exceptions.FederatedIdentityError if the token failed verification.
    """
    return verify_id_token(
        token,
        valid_issuers=[GITLAB_ISSUER],
        valid_audiences=[EXPECTED_AUDIENCE_CLAIM],
        required_claims=[
            # The "project_path" claim must match the expected project.
            {"project_path": EXPECTED_PROJECT_PATH},
        ],
    )

See the full documentation for more examples.

Project details

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for rjw57 from gravatar.com rjw57

Unverified details

These details have not been verified by PyPI
Meta
  • License: MIT License (MIT)
  • Author: Rich Wareham
  • Requires: Python <4.0, >=3.10
Classifiers

Release history Release notifications | RSS feed

This version

0.4.34

0.4.33

0.4.32

0.4.31

0.4.30

0.4.29

0.4.28

0.4.27

0.4.26

0.4.25

0.4.24

0.4.23

0.4.22

0.4.21

0.4.20

0.4.19

0.4.18

0.4.17

0.4.16

0.4.15

0.4.14

0.4.13

0.4.12

0.4.11

0.4.10

0.4.9

0.4.8

0.4.7

0.4.6

0.4.5

0.4.4

0.4.3

0.4.2

0.4.1

0.4.0

0.3.8

0.3.7

0.3.6

0.3.5

0.3.4

0.3.0

0.2.0

0.1.0

0.0.2

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

verify_oidc_identity-0.4.34.tar.gz (7.9 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

verify_oidc_identity-0.4.34-py3-none-any.whl (10.5 kB view details)

Uploaded Python 3

File details

Details for the file verify_oidc_identity-0.4.34.tar.gz.

File metadata

  • Download URL: verify_oidc_identity-0.4.34.tar.gz
  • Upload date:
  • Size: 7.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.12.9

File hashes

Hashes for verify_oidc_identity-0.4.34.tar.gz
Algorithm Hash digest
SHA256 a20ca6456f8d14bda59f641ef526c0c48eb975865665029a4408593b76ed7a5e
MD5 1e1117e40db37119825c3065bb9d5197
BLAKE2b-256 1b63a3d39e7bc611d107fe43651321350dd005cb935671a7706e7978a89cee7d

See more details on using hashes here.

Provenance

The following attestation bundles were made for verify_oidc_identity-0.4.34.tar.gz:

Publisher: main.yml on rjw57/verify-oidc-identity

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file verify_oidc_identity-0.4.34-py3-none-any.whl.

File metadata

File hashes

Hashes for verify_oidc_identity-0.4.34-py3-none-any.whl
Algorithm Hash digest
SHA256 98b8e2144058b81530b2f9e01e2afff776c41c6b087dcb36114d240debe114c8
MD5 154227dd50aa7251b27bd2bd5d312553
BLAKE2b-256 f4923a273bdea5846fc01d41d4caf81d7cdd7896d3ca87a8c841bdf221accebc

See more details on using hashes here.

Provenance

The following attestation bundles were made for verify_oidc_identity-0.4.34-py3-none-any.whl:

Publisher: main.yml on rjw57/verify-oidc-identity

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page