Core JWT authentication and authorization logic for Axioms packages

Navigation

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for axioms from gravatar.com axioms

Unverified details

These details have not been verified by PyPI
Meta
  • License: MIT License (MIT)
  • Author: Abhishek Tiwari
  • Tags oauth2 , oidc , jwt , authentication , authorization , axioms , security , jwks
  • Requires: Python >=3.10
  • Provides-Extra: dev
Classifiers
Report project as malware

Project description

axioms-core-py

Core JWT authentication and authorization library for Python web frameworks.

Overview

axioms-core-py provides framework-agnostic JWT token validation, JWKS management with background refresh, and claim-based authorization. This is the foundation for framework-specific integrations:

Note: For most use cases, use one of the framework integrations above instead of using this package directly.

Supports

  • JWT token validation with automatic JWKS retrieval
  • Background JWKS refresh with thread-safe caching
  • Algorithm validation (only secure asymmetric algorithms allowed)
  • Token type validation (typ header)
  • Issuer validation (iss claim)
  • Claim-based authorization (scopes, roles, permissions)
  • Custom claim name support for different authorization servers
  • Comprehensive logging with JWT ID (jti) tracking

Prerequisite

  • Python 3.10+

Installation

pip install axioms-core-py

Quick Start

Configuration

from axioms_core import AxiomsConfig

config = AxiomsConfig(
    AXIOMS_AUDIENCE="your-api-audience",
    AXIOMS_ISS_URL="https://auth.example.com",  # Recommended
    # Or use AXIOMS_DOMAIN for simpler setup:
    # AXIOMS_DOMAIN="auth.example.com",
)

Initialize JWKS Manager (Optional)

For production, initialize at startup to enable background refresh:

from axioms_core import initialize_jwks_manager, shutdown_jwks_manager

# At startup
initialize_jwks_manager(
    config=config,
    refresh_interval=3600,  # Refresh every hour
    cache_ttl=7200,         # Cache for 2 hours
    prefetch=True           # Fetch JWKS immediately
)

# At shutdown (optional - auto-cleanup on exit)
shutdown_jwks_manager()

Token Validation

from axioms_core import get_key_from_jwks_json, check_token_validity
import jwt

# Extract token header
header = jwt.get_unverified_header(token)
kid = header.get("kid")
alg = header.get("alg")

# Get public key from JWKS
key = get_key_from_jwks_json(kid, config)

# Validate token
payload = check_token_validity(
    token=token,
    key=key,
    alg=alg,
    audience=config.AXIOMS_AUDIENCE,
    issuer=config.AXIOMS_ISS_URL,
)

if payload:
    print(f"Valid token for user: {payload.sub}")

Authorization Checks

from axioms_core import check_scopes, check_roles, check_permissions

# Check scopes (space-separated or list)
has_scope = check_scopes(payload.scope, ["read:data"])

# Check roles (list)
has_role = check_roles(payload.roles, ["admin"])

# Check permissions (list)
has_perm = check_permissions(payload.permissions, ["users:read"])

Configuration Options

See AxiomsConfig class for all options:

config = AxiomsConfig(
    # Required
    AXIOMS_AUDIENCE="your-api-audience",

    # Recommended (choose one)
    AXIOMS_ISS_URL="https://auth.example.com",
    # AXIOMS_DOMAIN="auth.example.com",
    # AXIOMS_JWKS_URL="https://auth.example.com/.well-known/jwks.json",

    # Optional
    AXIOMS_TOKEN_TYPS=["JWT", "at+jwt"],  # Allowed token types
    AXIOMS_SAFE_METHODS=["OPTIONS"],       # HTTP methods to bypass auth

    # JWKS settings
    AXIOMS_JWKS_REFRESH_INTERVAL=3600,     # 1 hour
    AXIOMS_JWKS_CACHE_TTL=7200,            # 2 hours
    AXIOMS_JWKS_PREFETCH=True,

    # Custom claim names (for different auth servers)
    AXIOMS_SCOPE_CLAIMS=["scope", "scp"],
    AXIOMS_ROLES_CLAIMS=["roles", "cognito:groups"],
    AXIOMS_PERMISSIONS_CLAIMS=["permissions"],
)

Configuration Hierarchy

  1. AXIOMS_ISS_URL → constructs → AXIOMS_JWKS_URL (if not set)
  2. AXIOMS_DOMAIN → constructs → AXIOMS_ISS_URLAXIOMS_JWKS_URL (if not set)

Security

  • Allowed algorithms: RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512
  • Token type validation: Validates typ header against allowed types
  • Issuer validation: Validates iss claim to prevent token substitution
  • Expiration validation: Validates exp claim exists and is valid
  • Comprehensive logging: All validation failures logged with jti (if available)

License

MIT License - see LICENSE file for details.

Project details

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for axioms from gravatar.com axioms

Unverified details

These details have not been verified by PyPI
Meta
  • License: MIT License (MIT)
  • Author: Abhishek Tiwari
  • Tags oauth2 , oidc , jwt , authentication , authorization , axioms , security , jwks
  • Requires: Python >=3.10
  • Provides-Extra: dev
Classifiers

Release history Release notifications | RSS feed

0.0.5

0.0.4

0.0.4rc31763950567 pre-release

This version

0.0.3

0.0.3rc21763943817 pre-release

0.0.2rc11763934375 pre-release

0.0.2rc11763934136 pre-release

0.0.2rc11763933648 pre-release

0.0.2rc11763933202 pre-release

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

axioms_core_py-0.0.3.tar.gz (33.4 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

axioms_core_py-0.0.3-py3-none-any.whl (17.5 kB view details)

Uploaded Python 3

File details

Details for the file axioms_core_py-0.0.3.tar.gz.

File metadata

  • Download URL: axioms_core_py-0.0.3.tar.gz
  • Upload date:
  • Size: 33.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for axioms_core_py-0.0.3.tar.gz
Algorithm Hash digest
SHA256 835aa0db9e4fdda1079f711d8b13df82f946a643c9c33def6e1527145c851b5f
MD5 4ac42d8e065d3b32c7eae57fb4e45373
BLAKE2b-256 f83c58661386aaab1e4a9081246f8c30bc30be7a431693587c14e02bd687f460

See more details on using hashes here.

Provenance

The following attestation bundles were made for axioms_core_py-0.0.3.tar.gz:

Publisher: release.yml on abhishektiwari/axioms-core-py

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file axioms_core_py-0.0.3-py3-none-any.whl.

File metadata

  • Download URL: axioms_core_py-0.0.3-py3-none-any.whl
  • Upload date:
  • Size: 17.5 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for axioms_core_py-0.0.3-py3-none-any.whl
Algorithm Hash digest
SHA256 6d1df04e5f16ce572365899b6b0abb3e80f5f3d2f9e0d37db298d218487ef35d
MD5 a8efe17d857faa64172bf912778318fb
BLAKE2b-256 b03fe452d1c6bb22a7612cd1b292b9eec49499d8166d73bff6ac3fa3cba6fa51

See more details on using hashes here.

Provenance

The following attestation bundles were made for axioms_core_py-0.0.3-py3-none-any.whl:

Publisher: release.yml on abhishektiwari/axioms-core-py

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page