exonware-xwauth 0.0.1.8

OAuth 2.0 / OIDC authorization-server core: tokens, sessions, federation, OAuth client helpers (login/IdP as separate HTTP services)

xwauth

OAuth 2.0 / OIDC authorization server — tokens, sessions, federation core, storage contracts, and OAuth client helpers under exonware.xwauth.clients (any standards-compliant authorization server over HTTP). Login, IdP catalogs, WebAuthn persistence, and first-party authenticator implementations are not pip dependencies of this package: treat them as separate services or add-ons that speak OAuth 2.0, OIDC, WebAuthn, or your chosen HTTP APIs. Optional XW libraries (entity, storage, action, …) wire in via extras where you need them. Docs in docs/; competitive notes in .references/.

Integration: exonware.xwauth.connectors.login_bridge documents attaching to a remote login or IdP deployment via LoginRemoteConfig (HTTPS). Use httpx or any HTTP client for calls to your login base URL. load_login_package is not supported (no in-process coupling to a login product).

Company: eXonware.com · Author: eXonware Backend Team · Email: connect@exonware.com

---

📦 Install

pip install exonware-xwauth
pip install exonware-xwauth[lazy]
pip install exonware-xwauth[full]
pip install exonware-xwauth[xw]      # optional first-party XW stack pieces (see pyproject.toml)
pip install exonware-xwauth[dev]      # tests + full extra

Extras evolve with pyproject.toml — see docs/REF_39_EDITION_AND_SKUS.md for edition/SKU language. Third-party and first-party package versions are not pinned in this README; use your lockfile or release process.

SKUs and extras: docs/REF_39_EDITION_AND_SKUS.md.

Optional: xwauth-server for OAuth endpoints; see docs/ when present.

---

🚀 Quick start

from exonware.xwauth import *

# OAuth 2.0 flows, grant types, provider integration; entity-aware user/role persistence
# See docs/ and REF_* for full API and server setup

See docs/ for usage, REF_*, and GUIDE_01_USAGE when present.

---

✨ What you get

Area	What's in it
Backend	OAuth 2.0 / OpenID Connect; authorization code, client credentials, refresh; custom providers.
Integration	xwentity (user/role), xwstorage, xwaction.
Server	xwauth-server - OAuth endpoints, multi-tenant.
Security	Token encryption, sessions, CSRF, rate limiting.

---

🌐 Exonware ecosystem advantage

XW-Auth is not only a standalone auth package. It is backed by the broader XW stack, so security, transport, storage, and API behavior stay consistent across services. You can still use xwauth standalone with its core install and your existing stack. Adopting more XW libraries is optional and primarily valuable when you need enterprise and mission-critical patterns with self-managed infrastructure control.

XW library behind XW-Auth	Exact added value	Competitive edge vs typical auth stacks
XWSystem	Shared security contracts, principal normalization, OAuth error payload/status mapping, and codec/serialization plumbing.	You avoid framework-locked auth glue and inconsistent claim/error handling across services.
XWStorage	Pluggable auth persistence through one provider model (file/local today, extensible backends).	You can switch storage strategy without rewriting auth logic around a single ORM or IdP store.
XWJSON	Native structured serialization used with XWStorage-backed auth state.	Safer, more consistent state handling than ad-hoc JSON blobs spread across handlers.
XWAction	Declarative action/route integration for auth handlers and API endpoints.	Cleaner endpoint composition than scattering manual route wiring in each framework module.
XWSchema	Schema-level validation for security and authorization rule shapes.	Stronger policy correctness than relying only on runtime checks and hand-written guards.
XWAPI	Error-envelope parity between auth endpoints and the rest of your APIs.	Clients get one predictable failure contract instead of separate auth-vs-app error formats.
XWEntity	Domain-aligned user/role integration point for identity and authorization models.	Your auth layer matches your business entity model instead of living in an isolated user silo.

This ecosystem alignment is the core differentiator: XW-Auth gives OAuth 2.0 features plus platform-level consistency from security primitives to storage and API contracts.

---

📖 Docs and tests

• Security: docs/SECURITY.md (report vulnerabilities); docs/SECURITY_ADVISORIES.md (advisory process); docs/REF_26_INTEGRATOR_SECURITY_CHECKLIST.md (integrator checklist); MFA/WebAuthn: docs/REF_MFA_WEBAUTHN_THREAT_MODEL.md.
• Competitive backlog: docs/REF_25_COMPETITIVE_ADVANCE_BACKLOG.md (20 extended ideas + TCO appendix).
• Microbench (REF_25 #6): python -m exonware.xwauth.bench --iterations 2000 (after install or PYTHONPATH=src); see benchmarks/README.md.
• Score improvement roadmap: .references/ROADMAP_SCORE_20.md (20 competitive-rubric work items).
• HA / upgrade runbook (starter): docs/GUIDE_03_HA_UPGRADE_RUNBOOK.md (ROADMAP #12).
• Partner / edge matrix: docs/REF_33_PARTNER_INTEGRATION_MATRIX.md (ROADMAP #19).
• RFC / design process: docs/rfc/README.md (ROADMAP #18).
• Multi-tenant reference story: docs/REF_37_MULTI_TENANT_REFERENCE_STACK.md (ROADMAP #13).
• Observability (ROADMAP #14 — done): REF_63 landing; metrics/audit + event catalog §8: REF_61; SLI registry + CI parity: REF_62 · xwauth-api workflow core-tests (test_sli_registry_parity.py).
• Architecture diagrams: docs/GUIDE_04_REFERENCE_ARCHITECTURE_DIAGRAMS.md (ROADMAP #20).
• Edition / pip SKUs: docs/REF_39_EDITION_AND_SKUS.md (ROADMAP #2).
• Migration playbooks (ROADMAP #4): GUIDE_05 Keycloak · GUIDE_06 Auth0 · GUIDE_07 Supabase; client registry mapping: REF_64.
• Reference SaaS outline (ROADMAP #3): GUIDE_08; Terraform stub: xwauth-api/deploy/terraform/stub/.
• Thin OIDC client patterns (ROADMAP #16): GUIDE_09 (PKCE, refresh §5).
• Start: docs/INDEX.md or docs/.
• Ops program: docs/REF_24_OPS_PERFECT_SCORE_EXECUTION_PLAN.md and REF_60+ contracts.
• Protocol rigor (ROADMAP #5): REF_53, REF_54, REF_55; CI: xwauth-api .github/workflows/protocol-conformance.yml (A/B/C); local deviation checks via scripts/protocol_governance_check.py.
• Federation / IdP quirks (Entra, Okta, Google): docs/REF_27_IDP_OIDC_QUIRKS.md, module exonware.xwauth.federation.idp_quirks.
• SAML enterprise kit (ROADMAP #6): GUIDE_10 (install SAML-related optional dependencies per pyproject.toml / your lockfile).
• SCIM hardening (ROADMAP #7): GUIDE_11 (/v1/scim/v2/*, pagination, errors, ETags).
• Federation interop lab (ROADMAP #8): GUIDE_12; matrix: docs/federation/INTEROP_MATRIX.md.
• Email / magic-link ops (SPF/DKIM/DMARC): docs/REF_28_EMAIL_MAGIC_LINK_OPS.md, exonware.xwauth.ops.
• Interop disclosure & fuzzing (draft): docs/REF_29_INTEROP_BOUNTY_AND_FUZZING.md, exonware.xwauth.ops.research_program.
• Air-gapped / offline deploy: docs/REF_30_AIRGAP_DEPLOYMENT.md, exonware.xwauth.ops.airgap_deployment.
• Data residency: docs/REF_31_DATA_RESIDENCY.md, exonware.xwauth.ops.data_residency.
• Multi-region AS: docs/REF_32_MULTI_REGION_AUTH.md, exonware.xwauth.ops.multi_region_auth.
• Abuse resistance: docs/REF_33_ABUSE_RESISTANCE.md, exonware.xwauth.ops.abuse_resistance.
• B2B delegated admin: docs/REF_34_B2B_DELEGATED_ADMIN.md, exonware.xwauth.ops.b2b_delegated_admin.
• Compliance pack (ROPA / DPA / subprocessors): docs/REF_35_COMPLIANCE_PACK.md, exonware.xwauth.ops.compliance_pack.
• Login UI accessibility (WCAG-oriented checklist): docs/REF_36_LOGIN_UI_ACCESSIBILITY.md, exonware.xwauth.ops.login_ui_accessibility.
• TCO benchmark evidence: docs/REF_37_TCO_BENCHMARK_EVIDENCE.md, exonware.xwauth.ops.tco_evidence (validate_microbench_output, publish checklist).
• Pen test engagement (executive summary path): docs/REF_38_PENETRATION_TEST_ENGAGEMENT.md, exonware.xwauth.ops.pen_test_engagement.
• OIDC self-cert readiness: docs/REF_39_OIDC_SELF_CERT_READINESS.md, exonware.xwauth.ops.oidc_self_cert_readiness.
• IaC (Terraform/Pulumi) for tenants & clients: docs/REF_40_INFRA_AS_CODE_TENANTS.md, exonware.xwauth.ops.infra_as_code_tenants.
• Kubernetes operator readiness: docs/REF_41_KUBERNETES_OPERATOR_READINESS.md, exonware.xwauth.ops.kubernetes_operator_readiness.
• Admin API + OpenAPI parity: docs/REF_42_ADMIN_API_OPENAPI_PARITY.md, exonware.xwauth.ops.admin_api_openapi_parity.
• Extension model readiness: docs/REF_43_EXTENSION_MODEL_READINESS.md, exonware.xwauth.ops.extension_model_readiness.
• Session / device reference UI: docs/REF_44_SESSION_DEVICE_REFERENCE_UI.md, exonware.xwauth.ops.session_device_reference_ui; HTTP mixins: exonware.xwauth.handlers.mixins.sessions (GET /auth/sessions JSON + Bearer revoke; GET /auth/sessions/view HTML — Bearer or documented cookie xwauth_reference_access_token).
• Tests: From repo root, follow the project's test layout.

---

📜 License and links

Apache-2.0 - see LICENSE. Homepage: https://exonware.com · Repository: https://github.com/exonware/xwauth

⏱️ Async Support

• xwauth includes asynchronous execution paths in production code.
• Source validation: 560 async def definitions and 643 await usages under src/.
• Use async APIs for I/O-heavy or concurrent workloads to improve throughput and responsiveness.

Version: 0.0.1.8 | Updated: 11-Apr-2026

Built with ❤️ by eXonware.com - Revolutionizing Python Development Since 2025