Skip to main content

JWT/JWKS authentication and Cedar authorization for sonnet-server applications

Project description

Sonnet Auth

JWT/JWKS authentication and Cedar authorization for sonnet-server applications. No FastMCP dependency -- MCP auth wiring lives in each domain service.

What it provides

  • JWT/JWKS validation -- JwtCredentialValidator implements sonnet-server's CredentialValidator protocol. RS256/ES256 with TTL-based JWKS key refresh and graceful degradation on IdP outages.
  • Claim mapping -- configurable dot-path extraction from JWT claims to AuthContext fields and Cedar principal attributes. auto_map_claims mode passes all non-plumbing claims automatically.
  • Cedar policy evaluation (optional [cedar] extra) -- PolicyEngine wraps cedarpy for in-process RBAC/ABAC. check_authz() and filter_authz() are one-liner authorization for REST and MCP handlers.
  • Pluggable resource resolution -- ResourceAttributeResolver protocol for domain-specific Cedar resource attributes.
  • Settings model -- AuthSettings.resolve(env_prefix, seed) with per-field env var overrides and optional DB seeding. No global state.

Install

# JWT authentication only
pip install sonnet-auth

# JWT + Cedar authorization
pip install sonnet-auth[cedar]

Prerequisites

  • Python 3.14+
  • sonnet-server >= 0.1.9

Usage

With extensions (recommended)

Register AuthnExtension and AuthzExtension in your app factory:

from sonnet_auth import AuthnExtension, AuthzExtension

registry = create_extension_registry(
    DatabaseExtension(),
    AuthnExtension(env_prefix="MY_APP_"),
    AuthzExtension(loader=my_policy_loader),
    McpExtension(),
    RestExtension(),
)

The extensions handle all wiring: settings resolution, JWT validator registration, Cedar engine creation, DI registration.

Configuration via env vars:

MY_APP_AUTHN_ENABLED=true
MY_APP_AUTHN_JWKS_URI=https://idp.example.com/.well-known/jwks.json
MY_APP_AUTHN_ISSUER=https://idp.example.com
MY_APP_AUTHN_AUDIENCE=my-app
MY_APP_AUTHZ_ENABLED=true

Policy loading

AuthzExtension takes a PolicyLoader callable that returns (policies_text, schema_text). The consumer decides how to load:

# From files
def load_from_files():
    return (
        Path("cedar/policies.cedar").read_text(),
        Path("cedar/schema.cedarschema").read_text(),
    )

# From DB (coco-rag pattern)
def load_from_db():
    svc = get_settings_service()
    return (
        svc.get_text("authz_cedar_policies"),
        svc.get_text("authz_cedar_schema"),
    )

# Multiple policy files
def load_from_dir():
    policies = "\n".join(p.read_text() for p in Path("cedar/").glob("*.cedar"))
    schema = Path("cedar/schema.cedarschema").read_text()
    return (policies, schema)

AuthzExtension(loader=load_from_files)

DB-seeded authn (services with a settings table)

def load_seed():
    svc = get_settings_service()
    return {
        "authn_enabled": svc.get("authn_enabled"),
        "authn_config": svc.get("authn_config"),
        "authz_enabled": svc.get("authz_enabled"),
    }

AuthnExtension(env_prefix="COCO_RAG_", seed_fn=load_seed)

Authorization in handlers

from sonnet_auth import check_authz, filter_authz

# In any REST handler or MCP tool
check_authz("search", "Source", source_name)  # raises AuthzDeniedError on deny

# For list operations
permitted = filter_authz("list", "Source", source_names)

Package structure

src/sonnet_auth/
    __init__.py          # public API with lazy Cedar imports
    settings.py          # AuthSettings, AuthnConfig
    context.py           # JWT claim -> AuthContext mapping
    jwt_validator.py     # JwtCredentialValidator (JWKS)
    policy_engine.py     # Cedar PolicyEngine [cedar extra]
    authz.py             # check_authz, filter_authz [cedar extra]

License

Apache License 2.0

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

sonnet_auth-0.1.2.tar.gz (28.7 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

sonnet_auth-0.1.2-py3-none-any.whl (21.5 kB view details)

Uploaded Python 3

File details

Details for the file sonnet_auth-0.1.2.tar.gz.

File metadata

  • Download URL: sonnet_auth-0.1.2.tar.gz
  • Upload date:
  • Size: 28.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for sonnet_auth-0.1.2.tar.gz
Algorithm Hash digest
SHA256 43809ef76a0debe3c9996cc787543d31521a86da99106f0fa115f9c291d244dd
MD5 892040d2b69c701c3e4426d41dd6a615
BLAKE2b-256 26011063c1d81a2bcb99ab1c62205b924018f5b6ba89f78f8de80d52ce624b90

See more details on using hashes here.

Provenance

The following attestation bundles were made for sonnet_auth-0.1.2.tar.gz:

Publisher: publish.yml on petrarca/sonnet-server

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file sonnet_auth-0.1.2-py3-none-any.whl.

File metadata

  • Download URL: sonnet_auth-0.1.2-py3-none-any.whl
  • Upload date:
  • Size: 21.5 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for sonnet_auth-0.1.2-py3-none-any.whl
Algorithm Hash digest
SHA256 90687c8397e2fc68c324915c0243c530ddd13defd26b65e10a8487297b73a60e
MD5 fa489948ad60a39fc7d66776e0b48a14
BLAKE2b-256 a9078019f60a3d0b2015a242390003ed49eec74dded1d25c54fc2677caa74dfd

See more details on using hashes here.

Provenance

The following attestation bundles were made for sonnet_auth-0.1.2-py3-none-any.whl:

Publisher: publish.yml on petrarca/sonnet-server

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page