Decoupled authentication middleware, abstracting OIDC and OAuth2 protocols from the main application.

Navigation

Verified details

These details have been verified by PyPI
Maintainers
Avatar for gowthamrao from gravatar.com gowthamrao

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License: Other/Proprietary License (Prosperity-3.0)
  • Author: Gowtham A Rao
  • Requires: Python <3.15, >=3.11
Classifiers
Report project as malware

Project description

coreason-identity

Decoupled authentication middleware, abstracting OIDC and OAuth2 protocols from the main application.

Organization License Build Status Code Style: Ruff Documentation

Overview

coreason-identity ("The Bouncer") handles all Authentication (AuthN) and Role-Based Access Control (AuthZ) for the CoReason platform. It enforces a strict "Bouncer" philosophy: it checks IDs and checks lists but does not issue IDs.

The package standardizes:

  • Protocol: OIDC (OpenID Connect).
  • Identity Provider: Auth0 or Keycloak.
  • Library: Authlib.

Features

Based on the Product Requirements:

  • OIDCProvider: Fetches and caches JWKS from the OIDC Discovery URL (LRU Cache).
  • TokenValidator: Validates JWT signatures, standard claims (exp, iss, aud), and enforces strict audience checks to prevent "Confused Deputy" attacks.
  • IdentityMapper: Maps IdP claims to a standardized UserContext model, handling project context extraction and group-to-permission mapping.
  • DeviceFlowClient: Implements RFC 8628 OAuth 2.0 Device Authorization Grant for headless CLI authentication.
  • Observability: Emits OpenTelemetry spans and secure logs (PII hashed).
  • Security: DNS-based SSRF protection for OIDC discovery URLs (configurable bypass for development).

Installation

pip install coreason-identity

Usage

from coreason_identity import IdentityManager, CoreasonIdentityConfig, InvalidTokenError

# 1. Initialize (The Borrowing)
config = CoreasonIdentityConfig(domain="auth.coreason.com", audience="api://coreason")
identity = IdentityManager(config)

# 2. Validate (The Bouncer)
try:
    # Validate a raw Bearer token
    user_context = identity.validate_token(auth_header="Bearer eyJ...")

    # Access canonical Identity Passport fields
    print(f"User {user_context.user_id} ({user_context.email}) is active.")

    # Check groups for Row-Level Security
    if "admin" in user_context.groups:
        print("Admin access granted.")

    # Access extended attributes
    project = user_context.claims.get("project_context")
    print(f"Authorized for project: {project}")

except InvalidTokenError:
    # Handle invalid tokens (expired, bad signature, wrong audience, etc.)
    print("Access denied.")

# 3. CLI Login (The Device Flow)
# Initiate the flow
flow = identity.start_device_login()
print(f"Go to {flow.verification_uri} and enter {flow.user_code}")

# Poll for tokens
try:
    tokens = identity.await_device_token(flow)
    print("Login successful!")
    print(f"Access Token: {tokens['access_token']}")
except Exception as e:
    print(f"Login failed: {e}")

Project details

Verified details

These details have been verified by PyPI
Maintainers
Avatar for gowthamrao from gravatar.com gowthamrao

Unverified details

These details have not been verified by PyPI
Project links
Meta
  • License: Other/Proprietary License (Prosperity-3.0)
  • Author: Gowtham A Rao
  • Requires: Python <3.15, >=3.11
Classifiers

Release history Release notifications | RSS feed

0.9.0

0.8.0

This version

0.6.0

0.5.0

0.4.3

0.4.2

0.4.1

0.4.0

0.3.0

0.2.0

0.1.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

coreason_identity-0.6.0.tar.gz (19.8 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

coreason_identity-0.6.0-py3-none-any.whl (27.8 kB view details)

Uploaded Python 3

File details

Details for the file coreason_identity-0.6.0.tar.gz.

File metadata

  • Download URL: coreason_identity-0.6.0.tar.gz
  • Upload date:
  • Size: 19.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for coreason_identity-0.6.0.tar.gz
Algorithm Hash digest
SHA256 aa80d145831ccec08d2e3d236f40d13910d6f0f45308727912c3de9d6ed07d65
MD5 e76a304e620519c675756f5e298f0961
BLAKE2b-256 1726b4fb07249cd0d953adc8d555a50a2c274472a1620f83e7d803e0c0e3d075

See more details on using hashes here.

Provenance

The following attestation bundles were made for coreason_identity-0.6.0.tar.gz:

Publisher: publish.yml on CoReason-AI/coreason-identity

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file coreason_identity-0.6.0-py3-none-any.whl.

File metadata

File hashes

Hashes for coreason_identity-0.6.0-py3-none-any.whl
Algorithm Hash digest
SHA256 e97b902a1d00d5873ce5b19834eff93353b3531e7382342966de470929c6ab71
MD5 bcc3da3bd9293ab223288e2fcfb6a615
BLAKE2b-256 fd32420218eab129f1974abd16166c4ac92ec89bcae6c7d38907709bef6b714d

See more details on using hashes here.

Provenance

The following attestation bundles were made for coreason_identity-0.6.0-py3-none-any.whl:

Publisher: publish.yml on CoReason-AI/coreason-identity

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page