Credential→identity adapters for semql: bearer-token verifiers (HMAC, JWKS, introspection) and mappers (dict, mTLS x509) that produce a semql AuthContext.
Project description
semql-auth
Credential→identity adapters for semql.
semql threads an AuthContext (identity + roles) through
Catalog.compile(viewer=...) to enforce required_roles cube/field
visibility and security_sql row-level scoping. This package turns a
transport credential into that AuthContext:
TokenVerifier— verify a bearer token and return its claims.HMACVerifier— symmetric HS256/384/512.JWKSVerifier— asymmetric RS/ES, fetching keys from a JWKS URL (needs thejwksextra:pip install semql-auth[jwks]).
TokenMapper— map a verified credential to anAuthContext.DictMapper— static, in-memorytoken → AuthContexttable.IntrospectMapper— OAuth2 token introspection (introspectextra).X509Mapper— derive identity from an mTLS client cert subject / SAN (the reference cryptography decoder needs thex509extra).
AuthContext itself lives in semql.model — the compiler depends on it,
so it stays in the pure core. This package holds only the adapters, which
carry optional third-party dependencies (PyJWT, httpx, cryptography) that
the core shouldn't.
Install
pip install semql-auth
pip install semql-auth[jwks] # JWKS verifier (httpx)
pip install semql-auth[introspect] # OAuth2 introspection
pip install semql-auth[x509] # mTLS client cert decoder
Quick start
from semql import Catalog
from semql_auth import HMACVerifier, DictMapper
verifier = HMACVerifier(secret="...")
mapper = DictMapper({"tok-abc": ...})
# In your transport: verify the token, map to AuthContext, then
# catalog.compile(query, viewer=auth_context)
See API reference for the full adapter surface.
License
BSD-3-Clause.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file semql_auth-0.4.0.tar.gz.
File metadata
- Download URL: semql_auth-0.4.0.tar.gz
- Upload date:
- Size: 11.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.11.19 {"installer":{"name":"uv","version":"0.11.19","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"macOS","version":null,"id":null,"libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":null}
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
de1b7e02e0fceda323deafe4c02ea76653e949ecb146f02886520c4c5acfd8a1
|
|
| MD5 |
61b5e5e9cbe0928f2b3ba3fa9b3ee89f
|
|
| BLAKE2b-256 |
360cc1b3ea0debeb6f6e3f48bff953d1d26155f21be17ca93b3299859863e887
|
File details
Details for the file semql_auth-0.4.0-py3-none-any.whl.
File metadata
- Download URL: semql_auth-0.4.0-py3-none-any.whl
- Upload date:
- Size: 12.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.11.19 {"installer":{"name":"uv","version":"0.11.19","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"macOS","version":null,"id":null,"libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":null}
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
fed491ff68aba685918ef9c0e29b4c56ca701e2d15742de5d83571aa27118442
|
|
| MD5 |
84ff584d8e5787cfc27ebae0d80fccf8
|
|
| BLAKE2b-256 |
64c27b21b7d5223435176026ed56a98e31c7c5ad635a2660231111ea4d86dae2
|
