Skip to main content

The missing certificate infrastructure for web APIs.

Project description

CI Docs Coverage

Certified

An idiomatic framework for using certificates and cookies (macaroons/biscuits) within python web API-s.

We make the following design choices:

  • mTLS - mutual transport layer certificates (x509) authenticate client and server to one another

  • scopes - clients can "prove" they have access to a scope (e.g. admin) by including it within their 'certificatePolicies' at the handshake phase

  • tokens/cookies - we rely on the datalog model of biscuits to exchange cookies that carry authorization proofs. Tokens, not certificates are used to delegate authorization.

  • symmetry - symmetric ideas are used for setting up mutual identity verification (authentication) between client and server. This allows servers to act as clients in complex workflows, and clients to act as servers to run callbacks.

  • key management - we prescribe a file layout for these. Key file-names serve as a short-hand for referencing a given client/server. See docs/keys.


How do I know who originated an API request -- what organization they come from, and what kinds of organizational policies they have been asked to follow?

How can I consistently apply my own site's security policy to API actions?

And -- the big question -- how can I, as a client using an API, obtain, manage, and send these credentials to servers I interact with?

The certified package has you covered.

See documentation for explanations and howto-s.

License

Certified is available under a 3-clause BSD-style license, available in the file LICENSE.

Portions of certified (as marked in the code) are derived from python-trio/trustme, and are made available under the MIT license -- as reproduced within those files.

Installation

As a user, install with

pip install .

For development

As a developer, install with:

make install

Add new dependencies using, e.g.:

uv add pydantic          # run-time dependency
uv add --optional docs mkdocs-material # documentation-generation dep.
uv add --dev mypy        # development dependency

Run tests with:

uv run mypy .
uv run pytest

Preview the documentation with:

uv run mkdocs serve &

Docs

Documentation was built using this guide -- which comes highly recommended.

Roadmap

  • v0.8.1

    • use base64-encoded DER for storing keys in yaml files.

    • select certificate chain to send to server based on server name (test server configs.)

  • v0.9.0

    • better logging

    • simpler introduction methodology

    • readthedocs integration

    • biscuit examples

  • v0.10.0

    • more feature-ful 'message' function

    • add docs on how to use openssl to decode certificate contents

    • configurable biscuit_sec.Authorizor-based biscuit auth

    • better user experience with add-intro (now adds services)

    • better user experience with add-service (will look for json with ca_cert)

    • better user experience setting up org-level microservice certified set-org

  • v1.0.0

    • replace httpx with aiohttp (has better test client/server support).

    • change servers to services where appropriate

  • v1.1.0

    • fix biscuit_auth dependency version and change to uv packaging
  • v1.2.0

    • CI and better test coverage

    • better documentation, esp. for known_services

    • support for --key_type secp256r1

  • v1.2.1

    • interface for showing configuration contents

    • throw warning if id.crt does not contain the server's hostname in SAN (since this will usually result in a connection error from SSL)

  • v 1.3.0

    • more helpful error messages

    • Demo presentations and lessons learned

    • CLI interface for biscuit creation / validation

  • v1.4.0

  • v1.5.0

    • key rotation features and docs

Technology to watch

  • hardware certificate implementations (plug-ins?)

  • OAuth2 integrations / biscuit adoption

List of Useful Microservices

References

[openssl]: https://x509errors.org/guides/openssl "OpenSSL: TLS Guide" -- building a custom validator in C

Use of TLS/certs in services

more on custom attributes using openssl command

More on JWT/cookies/macaroons/biscuits

o

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

certified-1.3.0.tar.gz (51.2 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

certified-1.3.0-py3-none-any.whl (48.8 kB view details)

Uploaded Python 3

File details

Details for the file certified-1.3.0.tar.gz.

File metadata

  • Download URL: certified-1.3.0.tar.gz
  • Upload date:
  • Size: 51.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: uv/0.8.15

File hashes

Hashes for certified-1.3.0.tar.gz
Algorithm Hash digest
SHA256 fd9fee1c60d11d43143322145f73d635092f6ca7351c1c02840d09bc92fb87c2
MD5 d738512943f5c47169a6836d72a7bd07
BLAKE2b-256 0f98707dfd692a70c98bb91c5dd024ddac750fbf41fe99612cc6d89d7c4ad061

See more details on using hashes here.

File details

Details for the file certified-1.3.0-py3-none-any.whl.

File metadata

  • Download URL: certified-1.3.0-py3-none-any.whl
  • Upload date:
  • Size: 48.8 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: uv/0.8.15

File hashes

Hashes for certified-1.3.0-py3-none-any.whl
Algorithm Hash digest
SHA256 7fc46da1af0c40a6e19793403003b2adb643c980dc67ebfd6779d3005a7046dc
MD5 7c2464d95e074e9c50885a4a0792efb8
BLAKE2b-256 892abc4fa536acf2cf7c2e6d606a7b8ade70f85f83bd375e93246f59cc119684

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page