Core JWT authentication and authorization logic for Axioms packages

Navigation

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for axioms from gravatar.com axioms

Unverified details

These details have not been verified by PyPI
Meta
  • License: MIT License (MIT)
  • Author: Abhishek Tiwari
  • Tags oauth2 , oidc , jwt , authentication , authorization , axioms , security , jwks
  • Requires: Python >=3.10
  • Provides-Extra: dev
Classifiers
Report project as malware

Project description

axioms-core-py

Core JWT authentication and authorization library for Python web frameworks.

Overview

axioms-core-py provides framework-agnostic JWT token validation, JWKS management with background refresh, and claim-based authorization. This is the foundation for framework-specific integrations:

Note: For most use cases, use one of the framework integrations above instead of using this package directly.

Supports

  • JWT token validation with automatic JWKS retrieval
  • Background JWKS refresh with thread-safe caching
  • Algorithm validation (only secure asymmetric algorithms allowed)
  • Token type validation (typ header)
  • Issuer validation (iss claim)
  • Claim-based authorization (scopes, roles, permissions)
  • Custom claim name support for different authorization servers
  • Comprehensive logging with JWT ID (jti) tracking

Prerequisite

  • Python 3.10+

Installation

pip install axioms-core-py

Quick Start

Configuration

from axioms_core import AxiomsConfig

config = AxiomsConfig(
    AXIOMS_AUDIENCE="your-api-audience",
    AXIOMS_ISS_URL="https://auth.example.com",  # Recommended
    # Or use AXIOMS_DOMAIN for simpler setup:
    # AXIOMS_DOMAIN="auth.example.com",
)

Initialize JWKS Manager (Optional)

For production, initialize at startup to enable background refresh:

from axioms_core import initialize_jwks_manager, shutdown_jwks_manager

# At startup
initialize_jwks_manager(
    config=config,
    refresh_interval=3600,  # Refresh every hour
    cache_ttl=7200,         # Cache for 2 hours
    prefetch=True           # Fetch JWKS immediately
)

# At shutdown (optional - auto-cleanup on exit)
shutdown_jwks_manager()

Token Validation

from axioms_core import get_key_from_jwks_json, check_token_validity
import jwt

# Extract token header
header = jwt.get_unverified_header(token)
kid = header.get("kid")
alg = header.get("alg")

# Get public key from JWKS
key = get_key_from_jwks_json(kid, config)

# Validate token
payload = check_token_validity(
    token=token,
    key=key,
    alg=alg,
    audience=config.AXIOMS_AUDIENCE,
    issuer=config.AXIOMS_ISS_URL,
)

if payload:
    print(f"Valid token for user: {payload.sub}")

Authorization Checks

from axioms_core import check_scopes, check_roles, check_permissions

# Check scopes (space-separated or list)
has_scope = check_scopes(payload.scope, ["read:data"])

# Check roles (list)
has_role = check_roles(payload.roles, ["admin"])

# Check permissions (list)
has_perm = check_permissions(payload.permissions, ["users:read"])

Configuration Options

See AxiomsConfig class for all options:

config = AxiomsConfig(
    # Required
    AXIOMS_AUDIENCE="your-api-audience",

    # Recommended (choose one)
    AXIOMS_ISS_URL="https://auth.example.com",
    # AXIOMS_DOMAIN="auth.example.com",
    # AXIOMS_JWKS_URL="https://auth.example.com/.well-known/jwks.json",

    # Optional
    AXIOMS_TOKEN_TYPS=["JWT", "at+jwt"],  # Allowed token types
    AXIOMS_SAFE_METHODS=["OPTIONS"],       # HTTP methods to bypass auth

    # JWKS settings
    AXIOMS_JWKS_REFRESH_INTERVAL=3600,     # 1 hour
    AXIOMS_JWKS_CACHE_TTL=7200,            # 2 hours
    AXIOMS_JWKS_PREFETCH=True,

    # Custom claim names (for different auth servers)
    AXIOMS_SCOPE_CLAIMS=["scope", "scp"],
    AXIOMS_ROLES_CLAIMS=["roles", "cognito:groups"],
    AXIOMS_PERMISSIONS_CLAIMS=["permissions"],
)

Configuration Hierarchy

  1. AXIOMS_ISS_URL → constructs → AXIOMS_JWKS_URL (if not set)
  2. AXIOMS_DOMAIN → constructs → AXIOMS_ISS_URLAXIOMS_JWKS_URL (if not set)

Security

  • Allowed algorithms: RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512
  • Token type validation: Validates typ header against allowed types
  • Issuer validation: Validates iss claim to prevent token substitution
  • Expiration validation: Validates exp claim exists and is valid
  • Comprehensive logging: All validation failures logged with jti (if available)

License

MIT License - see LICENSE file for details.

Project details

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for axioms from gravatar.com axioms

Unverified details

These details have not been verified by PyPI
Meta
  • License: MIT License (MIT)
  • Author: Abhishek Tiwari
  • Tags oauth2 , oidc , jwt , authentication , authorization , axioms , security , jwks
  • Requires: Python >=3.10
  • Provides-Extra: dev
Classifiers

Release history Release notifications | RSS feed

This version

0.0.5

0.0.4

0.0.4rc31763950567 pre-release

0.0.3

0.0.3rc21763943817 pre-release

0.0.2rc11763934375 pre-release

0.0.2rc11763934136 pre-release

0.0.2rc11763933648 pre-release

0.0.2rc11763933202 pre-release

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

axioms_core_py-0.0.5.tar.gz (35.0 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

axioms_core_py-0.0.5-py3-none-any.whl (18.2 kB view details)

Uploaded Python 3

File details

Details for the file axioms_core_py-0.0.5.tar.gz.

File metadata

  • Download URL: axioms_core_py-0.0.5.tar.gz
  • Upload date:
  • Size: 35.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for axioms_core_py-0.0.5.tar.gz
Algorithm Hash digest
SHA256 d9803b2bc6ae983d081a1fb1de9ded539bf816d0f808b9db308a075b4f18a2e3
MD5 dcd9b4ac73b81b7c3cb6c15e13635b67
BLAKE2b-256 5159e39288df6d9c08cdf8321e4b2a4de57b2325a34db24cf5c7c4657920aab5

See more details on using hashes here.

Provenance

The following attestation bundles were made for axioms_core_py-0.0.5.tar.gz:

Publisher: release.yml on abhishektiwari/axioms-core-py

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file axioms_core_py-0.0.5-py3-none-any.whl.

File metadata

  • Download URL: axioms_core_py-0.0.5-py3-none-any.whl
  • Upload date:
  • Size: 18.2 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for axioms_core_py-0.0.5-py3-none-any.whl
Algorithm Hash digest
SHA256 65a2bff5f9211428932909dde4da6d389b04ea156732bea2b26fe2b6e0cfd40c
MD5 9a9e4152d4d5a9c79a39994a695527f0
BLAKE2b-256 91d3f8103340a569ffc6bf622b89467a7ad663e34ec790567cd91f72344216bf

See more details on using hashes here.

Provenance

The following attestation bundles were made for axioms_core_py-0.0.5-py3-none-any.whl:

Publisher: release.yml on abhishektiwari/axioms-core-py

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page