Python SDK for OAuth Identity Chaining (draft-oauth-identity-chaining) with actor provenance
Project description
OAuth Identity Chaining SDK (oauth-identity-chaining-sdk)
A Python client library implementing cross-application authentication, dynamic permission downscoping, and call chain tracking conforming to draft-ietf-oauth-identity-chaining (OAuth Identity and Authorization Chaining Across Domains) and RFC 8693 (Token Exchange).
This SDK allows autonomous AI agents and microservices to pass credentials downstream under the Principle of Least Privilege, preserving tamper-proof actor provenance (Principal ──> Agent A ──> Agent B) via nested JWT act (actor) claims.
⚡ Installation
Install the library using pip:
pip install oauth-identity-chaining-sdk
🚀 Key Features
- 🔄 RFC 8693 Token Exchange: Exchange a broad subject token for a narrow downstream token using
exchange_token. - 🛡️ Permission Narrowing: Intersection check ensures delegated tokens hold a strict subset of delegator rights.
- 🔍 Multi-Hop Actor Provenance: Parse and traverse nested
actclaims to verify call chain lineages. - 🛑 Least Privilege Guards: Enforce audience matches, expiration timestamps, and strict delegation depth limits.
- 💡 Mock Mode Fallback: Bypasses external server requests during local development or offline simulations.
📖 Quick Start
1. Fetching a Root Delegation Token
import os
from oauth_identity_chaining import ChainingClient, ChainingConfig
# Setup client. Automatically falls back to mock mode if env variables are missing.
client = ChainingClient()
# Get the initial delegation token for Agent A
root_token = client.get_root_token()
print(f"Root Token: {root_token[:30]}...")
2. Performing a Scoped Token Exchange (Delegation Chain)
Agent A delegates users:read authority to Agent B (AGENT_B_CLIENT_ID):
agent_b_id = "c7f3a2b1-5d4e-4f8a-9c6b-2e1d0f7a8b3c"
exchange_res = client.exchange_token(
subject_token=root_token,
target_client_id=agent_b_id,
permissions=["users:read"],
ttl=300,
audience=["authsec-secure-vault"]
)
chained_token = exchange_res["token"]
print(f"Chained Token: {chained_token[:30]}...")
3. Parsing and Rendering Actor Provenance
Upstream services or resource servers can verify the token's lineage and print the visual actor tree:
from oauth_identity_chaining import verify_token_provenance
# Verify claims and extract provenance chain
chain = verify_token_provenance(
chained_token,
expected_audience="authsec-secure-vault",
max_depth=1,
verify_signature=False # Set to True and provide jwks_client in production
)
# Print visual chain tree
print("Actor Call Chain Lineage:")
print(chain.render_tree())
# Output:
# [Principal User]
# └── spiffe://localhost/ns/default/sa/crewai (Client ID: 6656be3a-b687-4f2e-9e83-11abe5eaec26)
# └── spiffe://localhost/ns/default/sa/agent-b (Client ID: c7f3a2b1-5d4e-4f8a-9c6b-2e1d0f7a8b3c) <-- ACTIVE BEARER
print(f"Delegation Depth: {chain.depth}")
print(f"Active Bearer: {chain.active_bearer.sub}")
print(f"Root Delegator: {chain.root_subject.sub}")
4. Downstream API Call
Agent B calls the Secure Vault using the chained token:
vault_response = client.request_secure_api(
endpoint="http://localhost:7469/secure-vault/metrics",
token=chained_token,
method="GET"
)
print(vault_response)
🛠️ Offline Mock Fallback
If AUTHSEC_BASE_URL or AUTHSEC_AGENT_CLIENT_ID are not configured:
- The client runs in offline simulation mode automatically.
- Token endpoints return locally-generated HS256 tokens carrying valid
actclaims. - Downstream endpoints (
secure-vault/metricsandsecure-vault/records) return pre-defined mock JSON structures.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file oauth_identity_chaining_sdk-0.1.0.tar.gz.
File metadata
- Download URL: oauth_identity_chaining_sdk-0.1.0.tar.gz
- Upload date:
- Size: 12.9 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.10
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
f619c7865cf38a7fb67bc211152a6413e36422d442c3f898dd60a15e1f2ebb8e
|
|
| MD5 |
873b1fa8b47b29bd1a6f40507384a231
|
|
| BLAKE2b-256 |
c3a26f96f54f942f9ff763a8c4074452f924a02ce7cb689773b3c20d15a65ed4
|
File details
Details for the file oauth_identity_chaining_sdk-0.1.0-py3-none-any.whl.
File metadata
- Download URL: oauth_identity_chaining_sdk-0.1.0-py3-none-any.whl
- Upload date:
- Size: 10.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.10
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
09371e78f6696ac4b90ed7ed944fbb3589630f065686d7d2ecf4e42ff93d53f2
|
|
| MD5 |
fcf1859a358163f0c2255ce4c336fb98
|
|
| BLAKE2b-256 |
68aed4992ba6f53c28caa1801bc17965804977acdf6ade1e1850ab452e08c6de
|