
Python SDK for IDaaS (Identity as a Service) M2M product

Project description

cloud-idaas-core


Python SDK for IDaaS (Identity as a Service) M2M product, providing developers with convenient machine-to-machine authentication capabilities.

Features

  • Multiple Authentication Methods: Supports JWT Client Secret, JWT Private Key, OIDC Token, PKCS7 Attested Document, and other M2M authentication methods
  • Intelligent Caching Mechanism: Built-in credential caching strategy with prefetch and stale value handling to reduce unnecessary network requests
  • Flexible Configuration: Supports configuration files, environment variables, and programmatic configuration
  • Plugin Extensions: Supports custom credential providers for special scenarios
  • Cloud-Native Support: Built-in attested document support for Alibaba Cloud ECS and Alibaba Cloud ACK

Requirements

  • Python >= 3.9
  • Dependencies:
    • requests >= 2.31.0
    • cryptography >= 44.0.0
    • PyJWT >= 2.8.0
    • urllib3 >= 2.5.0

Installation

pip install cloud-idaas-core

Quick Start

Important: Before using any SDK features, you must call IDaaSCredentialProviderFactory.init() to initialize the SDK. This step is required and should be done once at application startup.

1. Configuration File

Create a configuration file ~/.cloud_idaas/client_config.json:

{
    "idaasInstanceId": "your-idaas-instance-id",
    "clientId": "your-client-id",
    "issuer": "your-idaas-issuer-url",
    "tokenEndpoint": "your-idaas-token-endpoint",
    "jwkEndpoint": "your-idaas-jwks-endpoint",
    "scope": "your-requested-scope",
    "developerApiEndpoint": "your-developer-api-endpoint",
    "authnConfiguration": {
        "authenticationSubject": "CLIENT",
        "authnMethod": "CLIENT_SECRET_POST",
        "clientSecretEnvVarName": "IDAAS_CLIENT_SECRET"
    }
}

2. Environment Variables

Set environment variables:

export IDAAS_CLIENT_SECRET="your-client-secret"

3. Use in Code

from cloud_idaas.core import IDaaSCredentialProviderFactory

# Initialize (automatically loads configuration file)
IDaaSCredentialProviderFactory.init()

# Get credential provider
credential_provider = IDaaSCredentialProviderFactory.get_idaas_credential_provider()

# Get access token (the SDK caches it and refreshes it as needed; treat the
# value as a secret and do not log it outside local testing)
access_token = credential_provider.get_bearer_token()
print(f"Access Token: {access_token}")

Configuration Details

Configuration File Paths

The SDK resolves the configuration file path in the following order, using the first one that is set:

  1. Path passed during initialization: IDaaSCredentialProviderFactory.init("/.../client-config.json")
  2. Environment variable path: CLOUD_IDAAS_CONFIG_PATH=/.../client-config.json
  3. Default path: ~/.cloud_idaas/client-config.json

Note that the Quick Start above names the default file client_config.json (underscore) while this list uses client-config.json (hyphen); check which name your installed SDK version reads before relying on the default path.

Complete Configuration Example

{
    "idaasInstanceId": "idaas_xxx",
    "clientId": "app_xxx",
    "issuer": "https://xxx/api/v2/iauths_system/oauth2",
    "tokenEndpoint": "https://xxx/api/v2/iauths_system/oauth2/token",
    "scope": "api.example.com|read:file",
    "openApiEndpoint": "eiam.[region_id].aliyuncs.com",
    "developerApiEndpoint": "eiam-developerapi.[region_id].aliyuncs.com",
    "authnConfiguration": {
        "authenticationSubject": "CLIENT",
        "authnMethod": "CLIENT_SECRET_POST",
        "clientSecretEnvVarName": "IDAAS_CLIENT_SECRET"
    },
    "httpConfiguration": {
        "connectTimeout": 5000,
        "readTimeout": 10000
    }
}

Configuration Items

| Configuration Item   | Type   | Required | Description                  |
|----------------------|--------|----------|------------------------------|
| idaasInstanceId      | string | Yes      | IDaaS instance ID            |
| clientId             | string | Yes      | Client ID for authentication |
| issuer               | string | Yes      | OAuth2 issuer URL            |
| tokenEndpoint        | string | Yes      | OAuth2 token endpoint URL    |
| scope                | string | No       | Requested scope              |
| openApiEndpoint      | string | No       | OpenAPI endpoint             |
| developerApiEndpoint | string | No       | Developer API endpoint       |
| authnConfiguration   | object | Yes      | Authentication configuration |
| httpConfiguration    | object | No       | HTTP client configuration    |
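Added example, not the SDK's own code: a startup check that applies the configuration path search order listed above and the required keys from the table, before IDaaSCredentialProviderFactory.init() is called. It reports missing keys per authnMethod and confirms that the environment variable named by clientSecretEnvVarName or privateKeyEnvVarName is set, without copying the secret into the report. The per-method required keys and the hyphenated default filename are assumptions taken from this page's examples.

```python
import os
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Search order documented on this page; illustrative re-implementation, not the
# SDK's own. The hyphenated default filename is taken from the list above.
ENV_CONFIG_PATH = "CLOUD_IDAAS_CONFIG_PATH"
DEFAULT_CONFIG_PATH = Path.home() / ".cloud_idaas" / "client-config.json"

REQUIRED_TOP_LEVEL = ("idaasInstanceId", "clientId", "issuer", "tokenEndpoint", "authnConfiguration")
# Assumption: keys each authnMethod needs, as used in the per-method examples on this page.
REQUIRED_BY_METHOD: Dict[str, Tuple[str, ...]] = {
    "CLIENT_SECRET_BASIC": ("clientSecretEnvVarName",),
    "CLIENT_SECRET_POST": ("clientSecretEnvVarName",),
    "CLIENT_SECRET_JWT": ("clientSecretEnvVarName",),
    "PRIVATE_KEY_JWT": ("privateKeyEnvVarName",),
    "PKCS7": ("applicationFederatedCredentialName", "clientDeployEnvironment"),
    "OIDC": ("applicationFederatedCredentialName", "clientDeployEnvironment"),
    "PCA": ("clientX509Certificate", "x509CertChains", "privateKeyEnvVarName"),
    "PLUGIN": ("pluginName",),
}

def resolve_config_path(explicit: Optional[str] = None,
                        env: Optional[Dict[str, str]] = None) -> Path:
    """Explicit init() argument wins, then CLOUD_IDAAS_CONFIG_PATH, then the default."""
    env = dict(os.environ) if env is None else env
    if explicit:
        return Path(explicit)
    if env.get(ENV_CONFIG_PATH):
        return Path(env[ENV_CONFIG_PATH])
    return DEFAULT_CONFIG_PATH

def validate_config(cfg: dict, env: Optional[Dict[str, str]] = None) -> List[str]:
    """Return a list of problems for a parsed client-config dict; empty means usable."""
    env = dict(os.environ) if env is None else env
    problems = [f"missing required key: {key}" for key in REQUIRED_TOP_LEVEL if key not in cfg]
    authn = cfg.get("authnConfiguration") or {}
    method = authn.get("authnMethod")
    if method not in REQUIRED_BY_METHOD:
        return problems + [f"unknown or missing authnMethod: {method!r}"]
    problems += [f"{method} requires authnConfiguration.{key}"
                 for key in REQUIRED_BY_METHOD[method] if key not in authn]
    # The file only names the variable; the secret itself must exist in the environment.
    for ref in ("clientSecretEnvVarName", "privateKeyEnvVarName"):
        if ref in authn and not env.get(authn[ref]):
            problems.append(f"environment variable {authn[ref]} (from {ref}) is not set")
    return problems
```

Pass the dict obtained from json.load() on the resolved path; an empty list from validate_config means the file and environment are complete for the chosen method.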

Scope Format

The SDK uses a specific scope format: an audience and a scope value separated by |:

audience|scope_value

Examples:

  • api.example.com|read:file
  • api.example.com|write:file
  • resource.server|admin

Multiple scope values for the same audience can be requested:

api.example.com|read:file api.example.com|write:file

Note: Multiple audiences in a single request are not supported.
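Added example, not part of the SDK, that parses and validates a scope string under the rules just given: several scope values for one audience are accepted, a second audience is rejected, and build_scope produces the string to place in the scope configuration item.

```python
from typing import Dict, Iterable, List


def parse_scope(scope: str) -> Dict[str, List[str]]:
    """Parse space-separated 'audience|scope_value' entries.

    Returns {audience: [scope_value, ...]} in order of first appearance and
    raises ValueError for a malformed entry or for a second audience, which
    this SDK does not support in a single request.
    """
    by_audience: Dict[str, List[str]] = {}
    for entry in scope.split():
        if entry.count("|") != 1:
            raise ValueError(f"expected 'audience|scope_value', got {entry!r}")
        audience, value = entry.split("|")
        if not audience or not value:
            raise ValueError(f"empty audience or scope value in {entry!r}")
        if by_audience and audience not in by_audience:
            first = next(iter(by_audience))
            raise ValueError(f"multiple audiences not supported: {first!r} and {audience!r}")
        values = by_audience.setdefault(audience, [])
        if value not in values:  # drop duplicates, keep order
            values.append(value)
    if not by_audience:
        raise ValueError("scope must contain at least one audience|scope_value entry")
    return by_audience


def is_valid_scope(scope: str) -> bool:
    """True when parse_scope accepts the string; handy as a config pre-check."""
    try:
        parse_scope(scope)
    except ValueError:
        return False
    return True


def build_scope(audience: str, values: Iterable[str]) -> str:
    """Inverse of parse_scope for one audience: the string to put in 'scope'."""
    return " ".join(f"{audience}|{v}" for v in values)


if __name__ == "__main__":
    # Constructed input matching the README: two scope values, one audience.
    print(parse_scope("api.example.com|read:file api.example.com|write:file"))
```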

Authentication Methods

Client Secret Authentication

Use a client secret for authentication. Supports the CLIENT_SECRET_BASIC, CLIENT_SECRET_POST, and CLIENT_SECRET_JWT methods; the secret itself is read from the environment variable named in clientSecretEnvVarName rather than being stored in the configuration file.

{
    "idaasInstanceId": "idaas_xxx",
    "clientId": "app_xxx",
    "issuer": "your-idaas-issuer-url",
    "tokenEndpoint": "your-idaas-token-endpoint",
    "scope": "your-requested-scope",
    "openApiEndpoint": "eiam.[region_id].aliyuncs.com",
    "developerApiEndpoint": "eiam-developerapi.[region_id].aliyuncs.com",
    "authnConfiguration": {
        "authenticationSubject": "CLIENT",
        "authnMethod": "CLIENT_SECRET_POST",
        "clientSecretEnvVarName": "IDAAS_CLIENT_SECRET"
    },
    "httpConfiguration": {
        "connectTimeout": 5000,
        "readTimeout": 10000
    }
}

Private Key Authentication

Use a private key (PRIVATE_KEY_JWT) for authentication, which offers higher security than a shared secret: the key is read from the environment variable named in privateKeyEnvVarName, and only a JWT signed with it is sent to the token endpoint.

{
    "idaasInstanceId": "idaas_xxx",
    "clientId": "app_xxx",
    "issuer": "your-idaas-issuer-url",
    "tokenEndpoint": "your-idaas-token-endpoint",
    "scope": "your-requested-scope",
    "openApiEndpoint": "eiam.[region_id].aliyuncs.com",
    "developerApiEndpoint": "eiam-developerapi.[region_id].aliyuncs.com",
    "authnConfiguration": {
        "authenticationSubject": "CLIENT",
        "authnMethod": "PRIVATE_KEY_JWT",
        "privateKeyEnvVarName": "IDAAS_PRIVATE_KEY"
    },
    "httpConfiguration": {
        "connectTimeout": 5000,
        "readTimeout": 10000
    }
}

PKCS7 Federated Authentication

Use a PKCS7 attested document for authentication in cloud environments; clientDeployEnvironment selects where the document is obtained (ALIBABA_CLOUD_ECS in this example).

{
    "idaasInstanceId": "idaas_xxx",
    "clientId": "app_xxx",
    "issuer": "your-idaas-issuer-url",
    "tokenEndpoint": "your-idaas-token-endpoint",
    "scope": "your-requested-scope",
    "openApiEndpoint": "eiam.[region_id].aliyuncs.com",
    "developerApiEndpoint": "eiam-developerapi.[region_id].aliyuncs.com",
    "authnConfiguration": {
        "authenticationSubject": "CLIENT",
        "authnMethod": "PKCS7",
        "applicationFederatedCredentialName": "your-pkcs7-credential-name",
        "clientDeployEnvironment": "ALIBABA_CLOUD_ECS"
    },
    "httpConfiguration": {
        "connectTimeout": 5000,
        "readTimeout": 10000
    }
}

OIDC Federated Authentication

Use an OIDC token for authentication, with clientDeployEnvironment set to the environment that issues it (KUBERNETES in this example, matching the ACK support listed under Features).

{
    "idaasInstanceId": "idaas_xxx",
    "clientId": "app_xxx",
    "issuer": "your-idaas-issuer-url",
    "tokenEndpoint": "your-idaas-token-endpoint",
    "scope": "your-requested-scope",
    "openApiEndpoint": "eiam.[region_id].aliyuncs.com",
    "developerApiEndpoint": "eiam-developerapi.[region_id].aliyuncs.com",
    "authnConfiguration": {
        "authenticationSubject": "CLIENT",
        "authnMethod": "OIDC",
        "applicationFederatedCredentialName": "your-oidc-credential-name",
        "clientDeployEnvironment": "KUBERNETES"
    },
    "httpConfiguration": {
        "connectTimeout": 5000,
        "readTimeout": 10000
    }
}

PCA (X.509 Certificate) Authentication

Use an X.509 certificate for authentication: the certificate and its chain are given inline in PEM form, while the matching private key is read from the environment variable named in privateKeyEnvVarName.

{
    "idaasInstanceId": "idaas_xxx",
    "clientId": "app_xxx",
    "issuer": "your-idaas-issuer-url",
    "tokenEndpoint": "your-idaas-token-endpoint",
    "scope": "your-requested-scope",
    "openApiEndpoint": "eiam.[region_id].aliyuncs.com",
    "developerApiEndpoint": "eiam-developerapi.[region_id].aliyuncs.com",
    "authnConfiguration": {
        "authenticationSubject": "CLIENT",
        "authnMethod": "PCA",
        "clientX509Certificate": "-----BEGIN CERTIFICATE-----\nxxx\n-----END CERTIFICATE-----",
        "x509CertChains": "-----BEGIN CERTIFICATE-----\nxxx\n-----END CERTIFICATE-----",
        "privateKeyEnvVarName": "IDAAS_PRIVATE_KEY"
    },
    "httpConfiguration": {
        "connectTimeout": 5000,
        "readTimeout": 10000
    }
}

Plugin Authentication

Use a plugin-based credential provider, selected by pluginName, for authentication (see Plugin Extensions under Features).

{
    "idaasInstanceId": "idaas_xxx",
    "clientId": "app_xxx",
    "issuer": "your-idaas-issuer-url",
    "tokenEndpoint": "your-idaas-token-endpoint",
    "scope": "your-requested-scope",
    "openApiEndpoint": "eiam.[region_id].aliyuncs.com",
    "developerApiEndpoint": "eiam-developerapi.[region_id].aliyuncs.com",
    "authnConfiguration": {
        "authenticationSubject": "CLIENT",
        "authnMethod": "PLUGIN",
        "pluginName": "alibabacloudPluginCredentialProvider"
    },
    "httpConfiguration": {
        "connectTimeout": 5000,
        "readTimeout": 10000
    }
}

Support and Feedback

License

This project is licensed under the Apache License 2.0.

Download files

Source Distribution

cloud_idaas_core-0.0.2b1.tar.gz (48.4 kB)

Built Distribution

cloud_idaas_core-0.0.2b1-py3-none-any.whl (73.6 kB)

File details

Details for the file cloud_idaas_core-0.0.2b1.tar.gz.

File metadata

  • Download URL: cloud_idaas_core-0.0.2b1.tar.gz
  • Size: 48.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for cloud_idaas_core-0.0.2b1.tar.gz
Algorithm Hash digest
SHA256 4c68135eaba54fc002e0617b33da66e9a81cf87a576637fd6a0186317d336639
MD5 3d516fc3afe39cd2aae4c595d49d8da7
BLAKE2b-256 a38ed092ccd708544e43f326992cb8d9f5483cd1301a3d0f5317b91013ce76fa


Provenance

The following attestation bundles were made for cloud_idaas_core-0.0.2b1.tar.gz:

Publisher: publish.yml on cloud-idaas/idaas-python-core-sdk


File details

Details for the file cloud_idaas_core-0.0.2b1-py3-none-any.whl.

File hashes

Hashes for cloud_idaas_core-0.0.2b1-py3-none-any.whl
Algorithm Hash digest
SHA256 8045d2adf70213d3024cfe62a34d08cc5fe34274ce7e2cd262464dacddb259a5
MD5 4c94287e4b01224cc6e7fede9e57eeb8
BLAKE2b-256 25a14e229522154706bdca02016437ed9bf1d1020d58d5cc1c292ee9c46352b3


Provenance

The following attestation bundles were made for cloud_idaas_core-0.0.2b1-py3-none-any.whl:

Publisher: publish.yml on cloud-idaas/idaas-python-core-sdk

