
Python SDK for IDaaS (Identity as a Service) M2M product

Project description

cloud-idaas-core


Simplified Chinese (link to the Chinese version of this README)

Python SDK for IDaaS (Identity as a Service) M2M product, providing developers with convenient machine-to-machine authentication capabilities.

Features

  • Multiple Authentication Methods: Supports JWT Client Secret, JWT Private Key, OIDC Token, PKCS7 Attested Document, and other M2M authentication methods
  • Intelligent Caching Mechanism: Built-in credential caching strategy with prefetch and stale value handling to reduce unnecessary network requests
  • Flexible Configuration: Supports configuration files, environment variables, and programmatic configuration
  • Plugin Extensions: Supports custom credential providers for special scenarios
  • Cloud-Native Support: Built-in attested document support for Alibaba Cloud ECS and Alibaba Cloud ACK
  • Token Exchange (RFC 8693): Exchange tokens for different scopes or audiences, supporting token downscoping and service-to-service access scenarios

Requirements

  • Python >= 3.9
  • Dependencies:
    • requests >= 2.31.0
    • cryptography >= 44.0.0
    • PyJWT >= 2.8.0
    • urllib3 >= 2.5.0

Installation

pip install cloud-idaas-core

Quick Start

Important: Before using any SDK features, you must call IDaaSCredentialProviderFactory.init() to initialize the SDK. This step is required and should be done once at application startup.

1. Configuration File

Create a configuration file ~/.cloud_idaas/client_config.json:

{
    "idaasInstanceId": "your-idaas-instance-id",
    "clientId": "your-client-id",
    "issuer": "your-idaas-issuer-url",
    "tokenEndpoint": "your-idaas-token-endpoint",
    "scope": "your-requested-scope",
    "developerApiEndpoint": "your-developer-api-endpoint",
    "authnConfiguration": {
        "authenticationSubject": "CLIENT",
        "authnMethod": "CLIENT_SECRET_POST",
        "clientSecretEnvVarName": "IDAAS_CLIENT_SECRET"
    }
}

2. Environment Variables

Set environment variables:

export IDAAS_CLIENT_SECRET="your-client-secret"

3. Use in code

from cloud_idaas.core import IDaaSCredentialProviderFactory

# Initialize (automatically loads configuration file)
IDaaSCredentialProviderFactory.init()

# Get credential provider
credential_provider = IDaaSCredentialProviderFactory.get_idaas_credential_provider()

# Get access token
access_token = credential_provider.get_bearer_token()
print(f"Access Token: {access_token}")

Configuration Details

Configuration File Paths

The SDK searches for configuration files in the following order:

  1. Pass path during initialization: IDaaSCredentialProviderFactory.init("/.../client-config.json")
  2. Environment variable path: CLOUD_IDAAS_CONFIG_PATH=/.../client-config.json
  3. Default path: ~/.cloud_idaas/client-config.json

Complete Configuration Example

{
    "idaasInstanceId": "idaas_ue2jvisn35ea5lmthk267xxxxx",
    "clientId": "app_mkv7rgt4d7i4u7zqtzev2mxxxx",
    "issuer": "https://xxx/api/v2/iauths_system/oauth2",
    "tokenEndpoint": "https://xxx/api/v2/iauths_system/oauth2/token",
    "scope": "api.example.com|read:file",
    "openApiEndpoint":"eiam.[region_id].aliyuncs.com",
    "developerApiEndpoint":"eiam-developerapi.[region_id].aliyuncs.com",
    "authnConfiguration": {
        "authenticationSubject": "CLIENT",
        "authnMethod": "CLIENT_SECRET_POST",
        "clientSecretEnvVarName": "IDAAS_CLIENT_SECRET"
    },
    "httpConfiguration": {
        "connectTimeout": 5000,
        "readTimeout": 10000
    }
}

Configuration Items

Configuration Item     Type    Required  Description
idaasInstanceId        string  Yes       IDaaS instance ID
clientId               string  Yes       Client ID for authentication
issuer                 string  Yes       OAuth2 issuer URL
tokenEndpoint          string  Yes       OAuth2 token endpoint URL
scope                  string  No        Requested scope
openApiEndpoint        string  No        OpenAPI endpoint
developerApiEndpoint   string  No        Developer API endpoint
authnConfiguration     object  Yes       Authentication configuration
httpConfiguration      object  No        HTTP client configuration
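The search order and the required/optional items above translate directly into a small loader that an application can run at startup, before calling the SDK, to fail fast on a bad file. The following is an added example, not code from cloud-idaas-core: the path resolution mirrors the three-step order above, the required keys come from the table, and the per-method key lists are an assumption read off this README's JSON examples (the SDK's own validation may differ). Secrets are only ever referenced by environment-variable name, so the loader also rejects a config that embeds them.

```python
"""Resolve and validate a client config the way the README describes.

Added example, not part of cloud-idaas-core. METHOD_KEYS is an assumption
derived from the README's JSON examples, not from the SDK's source.
"""
import json
import os
from pathlib import Path

REQUIRED_KEYS = ("idaasInstanceId", "clientId", "issuer",
                 "tokenEndpoint", "authnConfiguration")

# authnConfiguration keys each authnMethod needs (assumption, see above).
METHOD_KEYS = {
    "CLIENT_SECRET_BASIC": ("clientSecretEnvVarName",),
    "CLIENT_SECRET_POST": ("clientSecretEnvVarName",),
    "CLIENT_SECRET_JWT": ("clientSecretEnvVarName",),
    "PRIVATE_KEY_JWT": ("privateKeyEnvVarName",),
    "PKCS7": ("applicationFederatedCredentialName", "clientDeployEnvironment"),
    "OIDC": ("applicationFederatedCredentialName", "clientDeployEnvironment"),
    "PCA": ("clientX509Certificate", "x509CertChains", "privateKeyEnvVarName"),
    "PLUGIN": ("pluginName",),
}


def resolve_config_path(explicit=None, env=None, home=None):
    """Explicit path, then CLOUD_IDAAS_CONFIG_PATH, then the default location."""
    env = os.environ if env is None else env
    home = Path.home() if home is None else Path(home)
    if explicit:
        return Path(explicit)
    if env.get("CLOUD_IDAAS_CONFIG_PATH"):
        return Path(env["CLOUD_IDAAS_CONFIG_PATH"])
    return home / ".cloud_idaas" / "client-config.json"


def validate_config(cfg, env=None):
    """Return a list of problems; an empty list means the config is usable."""
    env = os.environ if env is None else env
    problems = [f"missing required key: {key}" for key in REQUIRED_KEYS if key not in cfg]
    authn = cfg.get("authnConfiguration") or {}
    method = authn.get("authnMethod")
    if method not in METHOD_KEYS:
        problems.append(f"unknown or missing authnMethod: {method!r}")
        return problems
    for key in METHOD_KEYS[method]:
        if key not in authn:
            problems.append(f"{method} requires authnConfiguration.{key}")
    # The file names the variable that holds the secret; the secret itself must
    # be present in the environment and absent from the file.
    for ref in ("clientSecretEnvVarName", "privateKeyEnvVarName"):
        if ref in authn and not env.get(authn[ref]):
            problems.append(f"environment variable {authn[ref]} ({ref}) is not set")
    for leaked in ("clientSecret", "privateKey"):
        if leaked in authn:
            problems.append(f"{leaked} must not be stored in the config file")
    http = cfg.get("httpConfiguration") or {}
    for key in ("connectTimeout", "readTimeout"):
        if key in http and (not isinstance(http[key], int) or http[key] <= 0):
            problems.append(f"httpConfiguration.{key} must be a positive integer")
    return problems


def load_config(explicit=None, env=None, home=None):
    path = resolve_config_path(explicit, env, home)
    with open(path, encoding="utf-8") as fh:
        cfg = json.load(fh)  # a missing comma in the file surfaces here, not at token time
    problems = validate_config(cfg, env)
    if problems:
        raise ValueError(f"{path}: " + "; ".join(problems))
    return cfg


if __name__ == "__main__":
    import tempfile

    # Constructed sample config; the secret is supplied through the environment only.
    sample = {
        "idaasInstanceId": "idaas_example", "clientId": "app_example",
        "issuer": "https://idaas.example/oauth2",
        "tokenEndpoint": "https://idaas.example/oauth2/token",
        "scope": "api.example.com|read:file",
        "authnConfiguration": {"authenticationSubject": "CLIENT",
                               "authnMethod": "CLIENT_SECRET_POST",
                               "clientSecretEnvVarName": "IDAAS_CLIENT_SECRET"},
    }
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "client-config.json"
        path.write_text(json.dumps(sample), encoding="utf-8")
        env = {"CLOUD_IDAAS_CONFIG_PATH": str(path), "IDAAS_CLIENT_SECRET": "constructed"}
        print(load_config(env=env)["clientId"])
        print(validate_config(sample, env={}))  # reports the unset secret variable
```

Passing `env` and `home` explicitly keeps the functions testable without touching the real environment; in production call them with the defaults.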

Scope Format

The SDK uses a specific scope format with audience and scope values separated by |:

audience|scope_value

Examples:

  • api.example.com|read:file
  • api.example.com|write:file
  • resource.server|admin

Multiple scope values for the same audience can be requested:

api.example.com|read:file api.example.com|write:file

Note: Multiple audiences in a single request are not supported.
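A scope string that mixes audiences, or omits the `|`, is rejected only once it reaches the token endpoint. The following added parser (not part of cloud-idaas-core) validates the `audience|scope_value` format described above on the client side, enforcing the single-audience rule and de-duplicating repeated values, so a malformed `scope` in the config is caught before any network call.

```python
"""Parse and validate the SDK's "audience|scope_value" scope string.
Added example, not part of cloud-idaas-core."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ScopeRequest:
    audience: str
    values: tuple  # scope values requested for that single audience


class ScopeFormatError(ValueError):
    """Raised when a scope string does not follow the audience|value format."""


def parse_scope(scope: str) -> ScopeRequest:
    """Split a space-separated scope string into one audience and its values.

    Raises ScopeFormatError for an empty string, an entry without exactly one
    '|', an empty audience or value, or a second audience in the same request.
    """
    entries = scope.split()
    if not entries:
        raise ScopeFormatError("scope is empty")
    audience = None
    values = []
    for entry in entries:
        aud, sep, val = entry.partition("|")
        if not sep or not aud or not val or "|" in val:
            raise ScopeFormatError(f"expected exactly 'audience|value', got {entry!r}")
        if audience is None:
            audience = aud
        elif aud != audience:
            raise ScopeFormatError(
                f"multiple audiences in one request are not supported: {audience!r} and {aud!r}")
        if val not in values:  # keep order, drop duplicates
            values.append(val)
    return ScopeRequest(audience, tuple(values))


def format_scope(req: ScopeRequest) -> str:
    """Render a ScopeRequest back into the SDK's string form."""
    return " ".join(f"{req.audience}|{v}" for v in req.values)


if __name__ == "__main__":
    # Constructed inputs: one valid multi-value request and one mixed-audience request.
    print(parse_scope("api.example.com|read:file api.example.com|write:file"))
    try:
        parse_scope("api.example.com|read:file resource.server|admin")
    except ScopeFormatError as err:
        print("rejected:", err)
```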

Authentication Methods

Client Secret Authentication

Use a client secret for authentication. Supported methods: CLIENT_SECRET_BASIC, CLIENT_SECRET_POST, and CLIENT_SECRET_JWT.

{
    "idaasInstanceId": "idaas_ue2jvisn35ea5lmthk267xxxxx",
    "clientId": "app_mkv7rgt4d7i4u7zqtzev2mxxxx",
    "issuer": "your-idaas-issuer-url",
    "tokenEndpoint": "your-idaas-token-endpoint",
    "scope": "your-requested-scope",
    "openApiEndpoint": "eiam.[region_id].aliyuncs.com",
    "developerApiEndpoint": "eiam-developerapi.[region_id].aliyuncs.com",
    "authnConfiguration": {
        "authenticationSubject": "CLIENT",
        "authnMethod": "CLIENT_SECRET_POST",
        "clientSecretEnvVarName": "IDAAS_CLIENT_SECRET"
    },
    "httpConfiguration": {
        "connectTimeout": 5000,
        "readTimeout": 10000
    }
}
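Of the three client-secret methods, CLIENT_SECRET_JWT is the one where the secret itself never travels to the token endpoint: the client signs a short-lived assertion with it and the server recomputes the HMAC. The following added example (not the SDK's code, which builds its assertions with PyJWT) shows both sides of that exchange with the standard library only: the assertion the client would send, the form parameters per RFC 7523, and the checks a token endpoint must apply, namely signature, issuer/subject, audience pinned to the token endpoint, expiry, and one-time `jti` to stop replay. The claim layout follows RFC 7523; the HS256 header and the 60-second lifetime are assumptions.

```python
"""CLIENT_SECRET_JWT client assertion: build on the client, verify on the server.
Added example, not part of cloud-idaas-core. Assumptions: HS256, 60 s lifetime."""
import base64
import hashlib
import hmac
import json
import secrets
import time

JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"  # RFC 7523


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_client_assertion(client_id, token_endpoint, client_secret, now=None, ttl=60):
    """Sign {iss, sub, aud, iat, exp, jti} with HMAC-SHA256 over the client secret."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": client_id, "sub": client_id, "aud": token_endpoint,
              "iat": now, "exp": now + ttl, "jti": secrets.token_urlsafe(16)}
    compact = lambda obj: _b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{compact(header)}.{compact(claims)}"
    sig = hmac.new(client_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def token_request_form(client_id, assertion, scope):
    """Form body the client POSTs to the token endpoint (RFC 6749 + RFC 7523)."""
    return {"grant_type": "client_credentials", "client_id": client_id, "scope": scope,
            "client_assertion_type": JWT_BEARER, "client_assertion": assertion}


def verify_client_assertion(token, client_id, token_endpoint, client_secret, seen_jti, now=None):
    """Server-side checks. seen_jti is a set shared across requests for replay detection.
    Returns (accepted, reason)."""
    now = int(time.time()) if now is None else now
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        signature = _b64url_decode(s)
        claims = json.loads(_b64url_decode(p))
    except ValueError:
        return False, "malformed"
    if header.get("alg") != "HS256":  # the configured algorithm, never the token's choice
        return False, "unexpected alg"
    expected = hmac.new(client_secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    if claims.get("iss") != client_id or claims.get("sub") != client_id:
        return False, "issuer/subject mismatch"
    if claims.get("aud") != token_endpoint:
        return False, "audience mismatch"
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        return False, "expired"
    jti = claims.get("jti")
    if not jti or jti in seen_jti:
        return False, "replayed or missing jti"
    seen_jti.add(jti)
    return True, "ok"


if __name__ == "__main__":
    # Constructed values; a real client reads the secret from IDAAS_CLIENT_SECRET.
    endpoint = "https://idaas.example/oauth2/token"
    assertion = build_client_assertion("app_example", endpoint, "constructed-secret")
    print(token_request_form("app_example", assertion, "api.example.com|read:file"))
    seen = set()
    print(verify_client_assertion(assertion, "app_example", endpoint, "constructed-secret", seen))
    print(verify_client_assertion(assertion, "app_example", endpoint, "constructed-secret", seen))
```

The second verification in the demo fails with "replayed or missing jti": the assertion is single-use, which is what limits the damage if one is captured in transit or in a log.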

Private Key Authentication

Use a private key (PRIVATE_KEY_JWT) for authentication, which offers higher security than a shared client secret.

{
    "idaasInstanceId": "idaas_ue2jvisn35ea5lmthk267xxxxx",
    "clientId": "app_mkv7rgt4d7i4u7zqtzev2mxxxx",
    "issuer": "your-idaas-issuer-url",
    "tokenEndpoint": "your-idaas-token-endpoint",
    "scope": "your-requested-scope",
    "openApiEndpoint": "eiam.[region_id].aliyuncs.com",
    "developerApiEndpoint": "eiam-developerapi.[region_id].aliyuncs.com",
    "authnConfiguration": {
        "authenticationSubject": "CLIENT",
        "authnMethod": "PRIVATE_KEY_JWT",
        "privateKeyEnvVarName": "IDAAS_PRIVATE_KEY"
    },
    "httpConfiguration": {
        "connectTimeout": 5000,
        "readTimeout": 10000
    }
}

PKCS7 Federated Authentication

Use a PKCS7 attested document for authentication in cloud environments.

{
    "idaasInstanceId": "idaas_ue2jvisn35ea5lmthk267xxxxx",
    "clientId": "app_mkv7rgt4d7i4u7zqtzev2mxxxx",
    "issuer": "your-idaas-issuer-url",
    "tokenEndpoint": "your-idaas-token-endpoint",
    "scope": "your-requested-scope",
    "openApiEndpoint": "eiam.[region_id].aliyuncs.com",
    "developerApiEndpoint": "eiam-developerapi.[region_id].aliyuncs.com",
    "authnConfiguration": {
        "authenticationSubject": "CLIENT",
        "authnMethod": "PKCS7",
        "applicationFederatedCredentialName": "your-pkcs7-credential-name",
        "clientDeployEnvironment": "ALIBABA_CLOUD_ECS"
    },
    "httpConfiguration": {
        "connectTimeout": 5000,
        "readTimeout": 10000
    }
}

OIDC Federated Authentication

Use an OIDC token for authentication.

{
    "idaasInstanceId": "idaas_ue2jvisn35ea5lmthk267xxxxx",
    "clientId": "app_mkv7rgt4d7i4u7zqtzev2mxxxx",
    "issuer": "your-idaas-issuer-url",
    "tokenEndpoint": "your-idaas-token-endpoint",
    "scope": "your-requested-scope",
    "openApiEndpoint": "eiam.[region_id].aliyuncs.com",
    "developerApiEndpoint": "eiam-developerapi.[region_id].aliyuncs.com",
    "authnConfiguration": {
        "authenticationSubject": "CLIENT",
        "authnMethod": "OIDC",
        "applicationFederatedCredentialName": "your-oidc-credential-name",
        "clientDeployEnvironment": "KUBERNETES"
    },
    "httpConfiguration": {
        "connectTimeout": 5000,
        "readTimeout": 10000
    }
}

PCA (X.509 Certificate) Authentication

Use an X.509 certificate for authentication.

{
    "idaasInstanceId": "idaas_ue2jvisn35ea5lmthk267xxxxx",
    "clientId": "app_mkv7rgt4d7i4u7zqtzev2mxxxx",
    "issuer": "your-idaas-issuer-url",
    "tokenEndpoint": "your-idaas-token-endpoint",
    "scope": "your-requested-scope",
    "openApiEndpoint": "eiam.[region_id].aliyuncs.com",
    "developerApiEndpoint": "eiam-developerapi.[region_id].aliyuncs.com",
    "authnConfiguration": {
        "authenticationSubject": "CLIENT",
        "authnMethod": "PCA",
        "clientX509Certificate": "-----BEGIN CERTIFICATE-----\nxxx\n-----END CERTIFICATE-----",
        "x509CertChains": "-----BEGIN CERTIFICATE-----\nxxx\n-----END CERTIFICATE-----",
        "privateKeyEnvVarName": "IDAAS_PRIVATE_KEY"
    },
    "httpConfiguration": {
        "connectTimeout": 5000,
        "readTimeout": 10000
    }
}

Plugin Authentication

Use a plugin-based credential provider for authentication.

{
    "idaasInstanceId": "idaas_ue2jvisn35ea5lmthk267xxxxx",
    "clientId": "app_mkv7rgt4d7i4u7zqtzev2mxxxx",
    "issuer": "your-idaas-issuer-url",
    "tokenEndpoint": "your-idaas-token-endpoint",
    "scope": "your-requested-scope",
    "openApiEndpoint": "eiam.[region_id].aliyuncs.com",
    "developerApiEndpoint": "eiam-developerapi.[region_id].aliyuncs.com",
    "authnConfiguration": {
        "authenticationSubject": "CLIENT",
        "authnMethod": "PLUGIN",
        "pluginName": "alibabacloudPluginCredentialProvider"
    },
    "httpConfiguration": {
        "connectTimeout": 5000,
        "readTimeout": 10000
    }
}

Token Exchange

Token Exchange (RFC 8693) allows you to exchange a subject token for a new access token with different scope or audience. This is useful for token downscoping and service-to-service access scenarios.

Basic Token Exchange

For working examples, see the samples/ directory:

  • samples/token_exchange_with_client_secret_authentication.py - Token Exchange with client secret authentication

from cloud_idaas.core import IDaaSCredentialProviderFactory, OAuth2Constants

# Initialize the factory
IDaaSCredentialProviderFactory.init()

# Get Token Exchange credential provider (scope from config file)
token_exchange_provider = IDaaSCredentialProviderFactory.get_token_exchange_credential_provider()

# Or get with specific scope
# token_exchange_provider = IDaaSCredentialProviderFactory.get_token_exchange_credential_provider_by_scope("api://target-service|read api://target-service|write")

# Exchange subject token for access token
access_token = token_exchange_provider.get_issued_token(
    subject_token="your_subject_token",
    subject_token_type=OAuth2Constants.ACCESS_TOKEN_TYPE_VALUE,
)

Token Exchange Parameters

Parameter             Type    Required  Description
subject_token         string  Yes       The token to be exchanged
subject_token_type    string  Yes       Type of the subject token (e.g., urn:ietf:params:oauth:token-type:access_token)
requested_token_type  string  No        Type of token requested (defaults to access token)

Use Cases

  1. Token Downscoping: Exchange a token with broader permissions for one with limited scope
  2. Service-to-Service Access: Transfer the same user identity across services to obtain the required access token
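What the provider sends and receives in the exchange above is a plain RFC 8693 form POST and JSON reply; the parameters table maps onto it one to one. The following added example (not the SDK's code; `get_issued_token` does this for you) builds that request body from the table's parameters, applies the downscoping rule of use case 1 on the client side (a requested scope must be a subset of what the subject token already carries), and validates the exchange response, including the case where the server returns a narrower `scope` than requested. The sample subject token and response are constructed.

```python
"""RFC 8693 token exchange: request body, client-side downscoping check, response validation.
Added example, not part of cloud-idaas-core."""
from urllib.parse import urlencode

TOKEN_EXCHANGE_GRANT = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN_TYPE = "urn:ietf:params:oauth:token-type:access_token"


def build_exchange_request(subject_token, subject_token_type, scope=None, requested_token_type=None):
    """Form parameters for the token endpoint; optional fields are omitted, not sent empty."""
    params = {"grant_type": TOKEN_EXCHANGE_GRANT,
              "subject_token": subject_token,
              "subject_token_type": subject_token_type}
    if scope:
        params["scope"] = scope
    if requested_token_type:
        params["requested_token_type"] = requested_token_type
    return params


def encode_form(params):
    """application/x-www-form-urlencoded body; URNs and '|' are percent-encoded."""
    return urlencode(params)


def downscope(granted_scope, requested_scope):
    """Use case 1: the new scope may only shrink. Entries are compared as opaque
    'audience|value' strings. Raises PermissionError listing anything not held."""
    granted = set(granted_scope.split())
    requested = list(dict.fromkeys(requested_scope.split()))  # de-duplicate, keep order
    missing = [s for s in requested if s not in granted]
    if missing:
        raise PermissionError(f"subject token does not hold: {' '.join(missing)}")
    return " ".join(requested)


def parse_exchange_response(body, requested_scope):
    """Validate the RFC 8693 success response and return the usable fields.
    The server may narrow the scope; it must never widen it."""
    for key in ("access_token", "issued_token_type", "token_type"):
        if key not in body:
            raise ValueError(f"response missing {key}")
    if body["token_type"].lower() != "bearer":
        raise ValueError(f"unexpected token_type {body['token_type']!r}")
    effective = body.get("scope", requested_scope)
    extra = set(effective.split()) - set(requested_scope.split())
    if extra:
        raise ValueError(f"server returned scope beyond the request: {' '.join(sorted(extra))}")
    return {"access_token": body["access_token"],
            "issued_token_type": body["issued_token_type"],
            "scope": effective,
            "expires_in": body.get("expires_in")}


if __name__ == "__main__":
    # Constructed: a subject token carrying read and write, downscoped to read only.
    held = "api.example.com|read:file api.example.com|write:file"
    wanted = downscope(held, "api.example.com|read:file")
    req = build_exchange_request("constructed-subject-token", ACCESS_TOKEN_TYPE, scope=wanted)
    print(encode_form(req))
    # Constructed server reply; a real client reads this from the HTTP response.
    reply = {"access_token": "constructed-exchanged-token", "issued_token_type": ACCESS_TOKEN_TYPE,
             "token_type": "Bearer", "expires_in": 300, "scope": wanted}
    print(parse_exchange_response(reply, wanted))
```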

Support and Feedback

License

This project is licensed under the Apache License 2.0.

Download files

Source Distribution: cloud_idaas_core-0.0.3b0.tar.gz (51.0 kB)

Built Distribution: cloud_idaas_core-0.0.3b0-py3-none-any.whl (77.8 kB, Python 3)

File details

Details for the file cloud_idaas_core-0.0.3b0.tar.gz.

File metadata

  • File: cloud_idaas_core-0.0.3b0.tar.gz
  • Size: 51.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for cloud_idaas_core-0.0.3b0.tar.gz

Algorithm    Hash digest
SHA256       6095ff8dc28b10e35ab685829aade4d0c3a235c2cdddcfd649b6c12691de1b59
MD5          5618f2978d0a511962ac1cf176d28b9e
BLAKE2b-256  a31e3028da9fb1bcbd2094ff9821b4b7f62f40c7c306b3a442e9171520d154e6

Provenance

The following attestation bundles were made for cloud_idaas_core-0.0.3b0.tar.gz:

Publisher: publish.yml on cloud-idaas/idaas-python-core-sdk

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file cloud_idaas_core-0.0.3b0-py3-none-any.whl.

File hashes

Hashes for cloud_idaas_core-0.0.3b0-py3-none-any.whl

Algorithm    Hash digest
SHA256       89d3e67a1d772ed26a71105143765aa5cf7df22ad0240da48d47c08f8f434af5
MD5          2145fd87566dcda1c6d198b927d280df
BLAKE2b-256  2b91b2b0d17685d923e4909b8c4265517726ce85b7a03d30ef0912dc9e4d50ed

Provenance

The following attestation bundles were made for cloud_idaas_core-0.0.3b0-py3-none-any.whl:

Publisher: publish.yml on cloud-idaas/idaas-python-core-sdk

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
