Verify OIDC JWT identity tokens using OIDC discovery

Navigation

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for rjw57 from gravatar.com rjw57

Unverified details

These details have not been verified by PyPI
Meta
  • License: MIT License (MIT)
  • Author: Rich Wareham
  • Requires: Python <4.0, >=3.10
Classifiers
Report project as malware

Project description

Python library to verify id tokens using OIDC discovery

PyPI - Version PyPI - Python Version GitHub Release Test suite status

OpenID connect identity tokens are a popular choice for federating identity between different systems without the need to share secrets. For example Trusted publishing on PyPI allows use of OIDC tokens created by GitHub or GitLab CI jobs to be used to authenticate when uploading new Python packages. Similarly, OIDC tokens can be used to authenticate to Google Cloud, AWS and Azure from any OIDC identity provider.

The jwt.io and jwt.ms tools allow validating OIDC id tokens without first configuring public keys by means of the OpenID connect discovery protocol.

This library implements the OpenID Connect discovery standard in Python to allow verification of OpenID Connect id tokens without previous configuration of public keys, etc.

Both synchronous and asynchronous (asyncio) implementations are provided.

Example

Suppose you created a GitLab OIDC token as part of a CI job to make an authenticated HTTP GET request to some service:

# .gitlab-ci.yml within https://gitlab.com/my-group/my-project

job_with_id_token:
  id_tokens:
    ID_TOKEN:
      aud: https://my-service.example.com
  script:
    - curl -X GET -H "Authorization: Bearer $ID_TOKEN" https://my-service.example.com

The following example shows how to verify the OIDC token came from a specific project within a backend implementation:

from typing import Any
from federatedidentity import Issuer, verifiers, verify_id_token

# Use OIDC discovery to fetch public keys for verifying GitLab tokens.
GITLAB_ISSUER = Issuer.from_discovery("https://gitlab.com")

# Expected project path for id token
EXPECTED_PROJECT_PATH = "my-group/my-project"

# Expected audience claim for id token.
EXPECTED_AUDIENCE_CLAIM = "https://my-service.example.com"

def verify_gitlab_token(token: str) -> dict[str, Any]:
    """
    Verify an OIDC token from GitLab and return the dictionary of claims. Raises
    federatedidentity.exceptions.FederatedIdentityError if the token failed verification.
    """
    return verify_id_token(
        token,
        valid_issuers=[GITLAB_ISSUER],
        valid_audiences=[EXPECTED_AUDIENCE_CLAIM],
        required_claims=[
            # The "project_path" claim must match the expected project.
            {"project_path": EXPECTED_PROJECT_PATH},
        ],
    )

See the full documentation for more examples.

Project details

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for rjw57 from gravatar.com rjw57

Unverified details

These details have not been verified by PyPI
Meta
  • License: MIT License (MIT)
  • Author: Rich Wareham
  • Requires: Python <4.0, >=3.10
Classifiers

Release history Release notifications | RSS feed

This version

0.4.30

0.4.29

0.4.28

0.4.27

0.4.26

0.4.25

0.4.24

0.4.23

0.4.22

0.4.21

0.4.20

0.4.19

0.4.18

0.4.17

0.4.16

0.4.15

0.4.14

0.4.13

0.4.12

0.4.11

0.4.10

0.4.9

0.4.8

0.4.7

0.4.6

0.4.5

0.4.4

0.4.3

0.4.2

0.4.1

0.4.0

0.3.8

0.3.7

0.3.6

0.3.5

0.3.4

0.3.0

0.2.0

0.1.0

0.0.2

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

verify_oidc_identity-0.4.30.tar.gz (7.9 kB view details)

Uploaded Source

Built Distribution

verify_oidc_identity-0.4.30-py3-none-any.whl (10.5 kB view details)

Uploaded Python 3

File details

Details for the file verify_oidc_identity-0.4.30.tar.gz.

File metadata

  • Download URL: verify_oidc_identity-0.4.30.tar.gz
  • Upload date:
  • Size: 7.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.12.9

File hashes

Hashes for verify_oidc_identity-0.4.30.tar.gz
Algorithm Hash digest
SHA256 c937f352ce74e942e8eb26722625942c1a3fbc599f448edf38dd4077c6f1b404
MD5 a0c5b065f23c8d96df047a99f5f015cd
BLAKE2b-256 5ac1d08b3a688d941990353ce9463337abcfcf1dc3549f4f8e74e067357a92b4

See more details on using hashes here.

Provenance

The following attestation bundles were made for verify_oidc_identity-0.4.30.tar.gz:

Publisher: main.yml on rjw57/verify-oidc-identity

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file verify_oidc_identity-0.4.30-py3-none-any.whl.

File metadata

File hashes

Hashes for verify_oidc_identity-0.4.30-py3-none-any.whl
Algorithm Hash digest
SHA256 57330d46d145aa20d77a91b3671a7297e18fa28ec05b6869e30199c004e6c545
MD5 afd6a072fdb35c87d1b536b9a3a6c64a
BLAKE2b-256 96b0df3a2ab0444952e43b42a3f235f0a38e207bc3755bcaa4f7b03b5ffc6c36

See more details on using hashes here.

Provenance

The following attestation bundles were made for verify_oidc_identity-0.4.30-py3-none-any.whl:

Publisher: main.yml on rjw57/verify-oidc-identity

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page