nexusid 1.0.0

NexusID Python SDK — OIDC token validation, app_roles authorization, and Flask + Django integrations for the NexusID identity broker

NexusID Python SDK

Python client for applications protected by a NexusID identity broker. Validates OIDC ID tokens, exposes app_roles claims as idiomatic role checks, and ships drop-in middleware/decorators for Flask and Django.

Install

pip install nexusid              # core: client + roles
pip install "nexusid[flask]"     # + Flask decorators
pip install "nexusid[django]"    # + Django middleware + decorators
pip install "nexusid[jwt]"       # + RS256 JWT verification (PyJWT, cryptography)
pip install "nexusid[all]"       # everything

Quick start — plain Python

from nexusid import NexusIDClient, NexusRole

client = NexusIDClient(
    issuer="https://idp.example.com",
    client_id="my-app",
    client_secret="...",          # omit for PKCE public clients
)

claims = client.verify_token(id_token)
role   = NexusRole(claims.get("app_roles", []))

if role.has("Admin"):
    ...

Flask

from flask import Flask
from nexusid.flask.decorators import require_role

app = Flask(__name__)

@app.route("/admin")
@require_role("Admin")
def admin():
    return "ok"

Django

# settings.py
MIDDLEWARE = [
    ...,
    "nexusid.django.middleware.NexusIDMiddleware",
]

NEXUSID = {
    "ISSUER": "https://idp.example.com",
    "CLIENT_ID": "my-django-app",
}

# views.py
from nexusid.django.decorators import require_role

@require_role("Admin")
def admin_view(request):
    ...

API surface

• NexusIDClient(issuer, client_id, client_secret=None)
• client.verify_token(id_token) -> dict
• NexusRole(roles: list[str])
• role.has(name), role.has_any([names]), role.has_all([names]), role.list()
• nexusid.flask.decorators.require_role(name)
• nexusid.django.middleware.NexusIDMiddleware
• nexusid.django.decorators.require_role(name)

Status

v1.x — stable surface. Breaking changes will follow semver.

License

MIT