Core JWT authentication and authorization logic for Axioms packages

Navigation

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for axioms from gravatar.com axioms

Unverified details

These details have not been verified by PyPI
Meta
  • License: MIT License (MIT)
  • Author: Abhishek Tiwari
  • Tags oauth2 , oidc , jwt , authentication , authorization , axioms , security , jwks
  • Requires: Python >=3.10
  • Provides-Extra: dev
Classifiers
Report project as malware

Project description

axioms-core-py

Core JWT authentication and authorization library for Python web frameworks.

Overview

axioms-core-py provides framework-agnostic JWT token validation, JWKS management with background refresh, and claim-based authorization. This is the foundation for framework-specific integrations:

Note: For most use cases, use one of the framework integrations above instead of using this package directly.

Supports

  • JWT token validation with automatic JWKS retrieval
  • Background JWKS refresh with thread-safe caching
  • Algorithm validation (only secure asymmetric algorithms allowed)
  • Token type validation (typ header)
  • Issuer validation (iss claim)
  • Claim-based authorization (scopes, roles, permissions)
  • Custom claim name support for different authorization servers
  • Comprehensive logging with JWT ID (jti) tracking

Prerequisite

  • Python 3.10+

Installation

pip install axioms-core-py

Quick Start

Configuration

from axioms_core import AxiomsConfig

config = AxiomsConfig(
    AXIOMS_AUDIENCE="your-api-audience",
    AXIOMS_ISS_URL="https://auth.example.com",  # Recommended
    # Or use AXIOMS_DOMAIN for simpler setup:
    # AXIOMS_DOMAIN="auth.example.com",
)

Initialize JWKS Manager (Optional)

For production, initialize at startup to enable background refresh:

from axioms_core import initialize_jwks_manager, shutdown_jwks_manager

# At startup
initialize_jwks_manager(
    config=config,
    refresh_interval=3600,  # Refresh every hour
    cache_ttl=7200,         # Cache for 2 hours
    prefetch=True           # Fetch JWKS immediately
)

# At shutdown (optional - auto-cleanup on exit)
shutdown_jwks_manager()

Token Validation

from axioms_core import get_key_from_jwks_json, check_token_validity
import jwt

# Extract token header
header = jwt.get_unverified_header(token)
kid = header.get("kid")
alg = header.get("alg")

# Get public key from JWKS
key = get_key_from_jwks_json(kid, config)

# Validate token
payload = check_token_validity(
    token=token,
    key=key,
    alg=alg,
    audience=config.AXIOMS_AUDIENCE,
    issuer=config.AXIOMS_ISS_URL,
)

if payload:
    print(f"Valid token for user: {payload.sub}")

Authorization Checks

from axioms_core import check_scopes, check_roles, check_permissions

# Check scopes (space-separated or list)
has_scope = check_scopes(payload.scope, ["read:data"])

# Check roles (list)
has_role = check_roles(payload.roles, ["admin"])

# Check permissions (list)
has_perm = check_permissions(payload.permissions, ["users:read"])

Configuration Options

See AxiomsConfig class for all options:

config = AxiomsConfig(
    # Required
    AXIOMS_AUDIENCE="your-api-audience",

    # Recommended (choose one)
    AXIOMS_ISS_URL="https://auth.example.com",
    # AXIOMS_DOMAIN="auth.example.com",
    # AXIOMS_JWKS_URL="https://auth.example.com/.well-known/jwks.json",

    # Optional
    AXIOMS_TOKEN_TYPS=["JWT", "at+jwt"],  # Allowed token types
    AXIOMS_SAFE_METHODS=["OPTIONS"],       # HTTP methods to bypass auth

    # JWKS settings
    AXIOMS_JWKS_REFRESH_INTERVAL=3600,     # 1 hour
    AXIOMS_JWKS_CACHE_TTL=7200,            # 2 hours
    AXIOMS_JWKS_PREFETCH=True,

    # Custom claim names (for different auth servers)
    AXIOMS_SCOPE_CLAIMS=["scope", "scp"],
    AXIOMS_ROLES_CLAIMS=["roles", "cognito:groups"],
    AXIOMS_PERMISSIONS_CLAIMS=["permissions"],
)

Configuration Hierarchy

  1. AXIOMS_ISS_URL → constructs → AXIOMS_JWKS_URL (if not set)
  2. AXIOMS_DOMAIN → constructs → AXIOMS_ISS_URLAXIOMS_JWKS_URL (if not set)

Security

  • Allowed algorithms: RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512
  • Token type validation: Validates typ header against allowed types
  • Issuer validation: Validates iss claim to prevent token substitution
  • Expiration validation: Validates exp claim exists and is valid
  • Comprehensive logging: All validation failures logged with jti (if available)

License

MIT License - see LICENSE file for details.

Project details

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for axioms from gravatar.com axioms

Unverified details

These details have not been verified by PyPI
Meta
  • License: MIT License (MIT)
  • Author: Abhishek Tiwari
  • Tags oauth2 , oidc , jwt , authentication , authorization , axioms , security , jwks
  • Requires: Python >=3.10
  • Provides-Extra: dev
Classifiers

Release history Release notifications | RSS feed

0.0.5

This version

0.0.4

0.0.4rc31763950567 pre-release

0.0.3

0.0.3rc21763943817 pre-release

0.0.2rc11763934375 pre-release

0.0.2rc11763934136 pre-release

0.0.2rc11763933648 pre-release

0.0.2rc11763933202 pre-release

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

axioms_core_py-0.0.4.tar.gz (33.6 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

axioms_core_py-0.0.4-py3-none-any.whl (17.7 kB view details)

Uploaded Python 3

File details

Details for the file axioms_core_py-0.0.4.tar.gz.

File metadata

  • Download URL: axioms_core_py-0.0.4.tar.gz
  • Upload date:
  • Size: 33.6 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for axioms_core_py-0.0.4.tar.gz
Algorithm Hash digest
SHA256 cfbf326e7aae898741e0e30cc904a1b9bdd3b018eed147b99844bb5af011cd6d
MD5 55ebb38cfb37f9859339170722eb92f2
BLAKE2b-256 6151f31fd297a9f13e5c4a3c49e15622abe5808900c1aaef1662773018b9597f

See more details on using hashes here.

Provenance

The following attestation bundles were made for axioms_core_py-0.0.4.tar.gz:

Publisher: release.yml on abhishektiwari/axioms-core-py

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file axioms_core_py-0.0.4-py3-none-any.whl.

File metadata

  • Download URL: axioms_core_py-0.0.4-py3-none-any.whl
  • Upload date:
  • Size: 17.7 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for axioms_core_py-0.0.4-py3-none-any.whl
Algorithm Hash digest
SHA256 4d9e3e5a093824db811ec0a4511f22bdff22c284aac037a237db56690fb181df
MD5 6e61216513087da77ac0d99d949dee20
BLAKE2b-256 4b462b7a8656f939dd87a3e233058b011e0c7b2b925c4f676073db56d4e96600

See more details on using hashes here.

Provenance

The following attestation bundles were made for axioms_core_py-0.0.4-py3-none-any.whl:

Publisher: release.yml on abhishektiwari/axioms-core-py

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page