
JWT/JWKS authentication and Cedar authorization for sonnet-server applications

Project description

Sonnet Auth

JWT/JWKS authentication and Cedar authorization for sonnet-server applications. No FastMCP dependency -- MCP auth wiring lives in each domain service.

What it provides

  • JWT/JWKS validation -- JwtCredentialValidator implements sonnet-server's CredentialValidator protocol. RS256/ES256 with TTL-based JWKS key refresh and graceful degradation on IdP outages.
  • Claim mapping -- configurable dot-path extraction from JWT claims to AuthContext fields and Cedar principal attributes. auto_map_claims mode passes all non-plumbing claims automatically.
  • Cedar policy evaluation (optional [cedar] extra) -- PolicyEngine wraps cedarpy for in-process RBAC/ABAC. check_authz() and filter_authz() are one-liner authorization for REST and MCP handlers.
  • Pluggable resource resolution -- ResourceAttributeResolver protocol for domain-specific Cedar resource attributes.
  • Settings model -- AuthSettings.resolve(env_prefix, seed) with per-field env var overrides and optional DB seeding. No global state.
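The claim-mapping bullet above describes two mechanisms: dot-path extraction from nested claims into AuthContext fields, and an auto_map_claims mode that forwards every non-plumbing claim as a principal attribute. The following is an added illustration of that idea, not sonnet-auth's own code; the names (extract_claim, map_claims, PLUMBING_CLAIMS) and the exact plumbing-claim set are assumptions, and the sample claims are constructed. It also handles the failure modes a token can present: a missing or non-object intermediate step, a missing 'sub', and a scalar where a list of roles was expected.

```python
"""Dot-path claim extraction with an auto-map mode (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Any

# Registered JWT claims that are token plumbing, not identity attributes.
# Assumed set for this example; the library's own list may differ.
PLUMBING_CLAIMS = frozenset({"iss", "sub", "aud", "exp", "nbf", "iat", "jti"})

_MISSING = object()


def extract_claim(claims: dict[str, Any], path: str, default: Any = None) -> Any:
    """Walk a dot-separated path such as 'realm_access.roles' through nested
    claim objects. A missing key or a non-object step yields `default`
    instead of raising, so a malformed token cannot blow up the mapping stage."""
    node: Any = claims
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node


@dataclass
class AuthContext:
    subject: str
    roles: list[str] = field(default_factory=list)
    attributes: dict[str, Any] = field(default_factory=dict)  # Cedar principal attrs


def map_claims(
    claims: dict[str, Any],
    mapping: dict[str, str],
    *,
    auto_map_claims: bool = False,
) -> AuthContext:
    """Build an AuthContext from already signature-verified claims.

    `mapping` is {target field or attribute: dot.path.in.claims}. With
    auto_map_claims=True every top-level claim that is not plumbing is copied
    into `attributes` first; explicit mappings then take precedence."""
    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub:
        raise ValueError("token has no usable 'sub' claim")
    ctx = AuthContext(subject=sub)

    if auto_map_claims:
        for name, value in claims.items():
            if name not in PLUMBING_CLAIMS:
                ctx.attributes[name] = value

    for target, path in mapping.items():
        value = extract_claim(claims, path, _MISSING)
        if value is _MISSING:
            continue  # absent claim: leave the field at its default
        if target == "roles":
            # Normalise to a list of strings so policies see a stable shape.
            items = value if isinstance(value, list) else [value]
            ctx.roles = [str(v) for v in items]
        else:
            ctx.attributes[target] = value
    return ctx


# Constructed sample of decoded claims, as an IdP like Keycloak might issue.
SAMPLE_CLAIMS = {
    "iss": "https://idp.example.com",
    "sub": "user-42",
    "aud": "my-app",
    "exp": 1_900_000_000,
    "email": "alice@example.com",
    "realm_access": {"roles": ["reader", "admin"]},
    "org": {"id": "acme", "tier": "gold"},
}


def demo() -> AuthContext:
    """Map roles and org id explicitly; 'profile.dept' is absent on purpose."""
    return map_claims(
        SAMPLE_CLAIMS,
        {"roles": "realm_access.roles", "org_id": "org.id", "dept": "profile.dept"},
        auto_map_claims=True,
    )


if __name__ == "__main__":
    print(demo())
```

The mapping stage runs only on claims whose signature, issuer, audience and expiry have already been verified; it never decides trust, it only shapes the verified payload for the authorization layer.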

Install

# JWT authentication only
pip install sonnet-auth

# JWT + Cedar authorization
pip install sonnet-auth[cedar]

Prerequisites

  • Python 3.14+
  • sonnet-server >= 0.1.9

Usage

AuthN only (JWT/JWKS)

from sonnet_auth import AuthSettings, JwtCredentialValidator
from sonnet_server.guards import set_credential_validator

auth = AuthSettings.resolve(env_prefix="MY_APP_")
if auth.enabled:
    set_credential_validator(JwtCredentialValidator(auth.config))

Configuration via env vars:

MY_APP_AUTHN_ENABLED=true
MY_APP_AUTHN_JWKS_URI=https://idp.example.com/.well-known/jwks.json
MY_APP_AUTHN_ISSUER=https://idp.example.com
MY_APP_AUTHN_AUDIENCE=my-app

Or with DB seeding (coco-rag pattern):

# svc: the application's persisted service-config record (loaded by the app
# from its DB). These values seed the settings; env vars still override per field.
seed = {
    "authn_enabled": svc.get("authn_enabled"),
    "authn_config": svc.get("authn_config"),
    "authz_enabled": svc.get("authz_enabled"),
}
auth = AuthSettings.resolve(env_prefix="COCO_RAG_", seed=seed)
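The feature list promises TTL-based JWKS key refresh and graceful degradation on IdP outages. What that means in practice is a small state machine: keys are cached and refreshed after a TTL, an unknown kid triggers one throttled refresh (key rotation), a failed refresh keeps serving the last good key set flagged as stale, and a cache that has never fetched successfully fails closed. The following is an added illustration of that behaviour, not sonnet-auth's JwtCredentialValidator. The fetch is injected as a callable so it runs offline (in production it would be an HTTPS GET of the JWKS URI), the names (JwksCache, KeyUnavailable, ALG_KTY) are assumptions, and the JWKS documents are constructed. Signature verification itself is left to the JWT library; this block only answers "which key, and is it the right kind for this alg".

```python
"""TTL-cached JWKS lookup that degrades gracefully on IdP outage (added example)."""
from __future__ import annotations

import time
from typing import Any, Callable

# Only asymmetric algorithms, each pinned to the key type it must be used with.
# Checking kty against alg blocks alg/key-type confusion at lookup time.
ALG_KTY = {"RS256": "RSA", "ES256": "EC"}


class KeyUnavailable(Exception):
    """No usable signing key for this token's kid/alg."""


class JwksCache:
    def __init__(
        self,
        fetch: Callable[[], dict[str, Any]],
        ttl_seconds: float = 300.0,
        min_refresh_interval: float = 30.0,
        clock: Callable[[], float] = time.monotonic,
    ) -> None:
        self._fetch = fetch
        self._ttl = ttl_seconds
        self._min_interval = min_refresh_interval  # throttles refresh storms
        self._clock = clock
        self._keys: dict[str, dict[str, Any]] = {}
        self._fetched_at: float | None = None
        self._last_attempt: float = float("-inf")
        self.stale = False  # True while serving keys past their TTL

    def _refresh(self) -> None:
        now = self._clock()
        if now - self._last_attempt < self._min_interval:
            return  # recently tried; don't hammer the IdP
        self._last_attempt = now
        try:
            doc = self._fetch()
        except Exception:
            # IdP outage: keep the last good key set instead of failing every
            # request; `stale` lets the app alert on prolonged degradation.
            self.stale = self._fetched_at is not None
            return
        keys: dict[str, dict[str, Any]] = {}
        for jwk in doc.get("keys", []):
            kid = jwk.get("kid")
            if kid and jwk.get("use", "sig") == "sig" and jwk.get("kty") in ALG_KTY.values():
                keys[kid] = jwk
        self._keys = keys
        self._fetched_at = now
        self.stale = False

    def get_key(self, kid: str, alg: str) -> dict[str, Any]:
        if alg not in ALG_KTY:
            raise KeyUnavailable(f"algorithm {alg!r} not allowed")
        now = self._clock()
        if self._fetched_at is None or now - self._fetched_at >= self._ttl:
            self._refresh()
        if kid not in self._keys:
            self._refresh()  # unknown kid usually means rotation; throttled inside
        jwk = self._keys.get(kid)
        if jwk is None:
            raise KeyUnavailable(f"no signing key for kid={kid!r}")
        if jwk.get("kty") != ALG_KTY[alg]:
            raise KeyUnavailable(f"key {kid!r} is {jwk.get('kty')}, not valid for {alg}")
        return jwk


def demo() -> list[str]:
    """Scripted run with a fake clock and a fake IdP (constructed data)."""
    t = [0.0]
    outage = [False]
    published = [{"keys": [{"kid": "k1", "kty": "RSA", "use": "sig", "n": "...", "e": "AQAB"}]}]

    def fetch() -> dict[str, Any]:
        if outage[0]:
            raise ConnectionError("idp down")
        return published[0]

    cache = JwksCache(fetch, ttl_seconds=300, min_refresh_interval=30, clock=lambda: t[0])
    events: list[str] = []
    cache.get_key("k1", "RS256")
    events.append("k1 ok")
    t[0], outage[0] = 400.0, True           # TTL expired and the IdP is unreachable
    cache.get_key("k1", "RS256")
    events.append(f"k1 stale={cache.stale}")  # served from the last good set
    try:
        cache.get_key("k1", "ES256")          # RSA key presented for an EC alg
    except KeyUnavailable:
        events.append("alg mismatch rejected")
    outage[0] = False
    published[0] = {"keys": [{"kid": "k2", "kty": "EC", "use": "sig", "crv": "P-256", "x": "...", "y": "..."}]}
    t[0] = 500.0                             # IdP back, keys rotated to k2
    cache.get_key("k2", "ES256")
    events.append(f"k2 ok stale={cache.stale}")
    return events


if __name__ == "__main__":
    print(demo())
```

Serving a stale key is safe only because keys are public signing keys: a stale set can at worst reject tokens signed with a key it has not yet seen, never accept a forged one. The throttle matters during an outage, since otherwise every request past the TTL would retry the IdP.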

AuthZ (Cedar policies)

from sonnet_auth import check_authz, filter_authz, set_resource_attribute_resolver

# Register the app's resource resolver (an implementation of the
# ResourceAttributeResolver protocol that supplies Cedar resource attributes)
set_resource_attribute_resolver(MyResolver())

# In any REST handler or MCP tool: (action, Cedar resource type, resource id)
check_authz("search", "Source", source_name)  # raises AuthzDeniedError on deny

# For list operations: returns only the resources the caller may list
permitted = filter_authz("list", "Source", source_names)
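The two calls above hide a deny-by-default engine that asks a resolver for the resource's attributes and then evaluates policies over principal, action and resource. The following added example shows that shape in plain Python; it is not sonnet-auth's PolicyEngine and does not use cedarpy, so the policy language is a stand-in, but it keeps two Cedar properties worth understanding: nothing is permitted unless a permit policy matches, and any matching forbid policy wins over every permit. Unlike the library's one-liners, which obtain the principal from the request context, these helpers take the engine and principal explicitly. The names (Policy, PolicyEngine, SourceResolver, Principal) and the sample sources and policies are constructed.

```python
"""Deny-by-default authorization in the check_authz/filter_authz shape (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Any, Callable, Protocol


class AuthzDeniedError(PermissionError):
    """Raised by check_authz when the decision is deny."""


class ResourceAttributeResolver(Protocol):
    def resolve(self, resource_type: str, resource_id: str) -> dict[str, Any]: ...


@dataclass(frozen=True)
class Principal:
    id: str
    roles: frozenset[str]
    attributes: dict[str, Any] = field(default_factory=dict)


Condition = Callable[[Principal, dict[str, Any]], bool]


@dataclass(frozen=True)
class Policy:
    effect: str                  # "permit" or "forbid"
    actions: frozenset[str]
    resource_type: str
    when: Condition = lambda p, r: True


class PolicyEngine:
    def __init__(self, policies: list[Policy], resolver: ResourceAttributeResolver) -> None:
        self._policies = policies
        self._resolver = resolver

    def is_authorized(self, principal: Principal, action: str,
                      resource_type: str, resource_id: str) -> bool:
        attrs = self._resolver.resolve(resource_type, resource_id)
        permitted = forbidden = False
        for pol in self._policies:
            if pol.resource_type != resource_type or action not in pol.actions:
                continue
            if not pol.when(principal, attrs):
                continue
            if pol.effect == "forbid":
                forbidden = True
            elif pol.effect == "permit":
                permitted = True
        return permitted and not forbidden  # forbid overrides; default deny


def check_authz(engine: PolicyEngine, principal: Principal, action: str,
                resource_type: str, resource_id: str) -> None:
    if not engine.is_authorized(principal, action, resource_type, resource_id):
        raise AuthzDeniedError(f"{principal.id} may not {action} {resource_type}:{resource_id}")


def filter_authz(engine: PolicyEngine, principal: Principal, action: str,
                 resource_type: str, resource_ids: list[str]) -> list[str]:
    return [rid for rid in resource_ids
            if engine.is_authorized(principal, action, resource_type, rid)]


# Constructed sample: each Source carries an owning org and a classification.
class SourceResolver:
    SOURCES = {
        "public-docs": {"org": "acme", "classification": "public"},
        "hr-records": {"org": "acme", "classification": "restricted"},
        "partner-feed": {"org": "globex", "classification": "internal"},
    }

    def resolve(self, resource_type: str, resource_id: str) -> dict[str, Any]:
        # Unknown resource -> no attributes -> no permit can match -> denied.
        return dict(self.SOURCES.get(resource_id, {}))


POLICIES = [
    # Members may search and list sources owned by their own org.
    Policy("permit", frozenset({"search", "list"}), "Source",
           when=lambda p, r: r.get("org") == p.attributes.get("org")),
    # Restricted sources require the admin role, regardless of any permit.
    Policy("forbid", frozenset({"search", "list"}), "Source",
           when=lambda p, r: r.get("classification") == "restricted" and "admin" not in p.roles),
]


def demo() -> dict[str, list[str]]:
    engine = PolicyEngine(POLICIES, SourceResolver())
    reader = Principal("user-42", frozenset({"reader"}), {"org": "acme"})
    admin = Principal("user-1", frozenset({"admin"}), {"org": "acme"})
    all_ids = list(SourceResolver.SOURCES) + ["ghost"]
    return {
        "reader": filter_authz(engine, reader, "list", "Source", all_ids),
        "admin": filter_authz(engine, admin, "list", "Source", all_ids),
    }


if __name__ == "__main__":
    print(demo())
```

The resolver is the piece that keeps policies domain-agnostic: the engine never knows what a Source is, only the attributes the app chooses to expose, which is why an unknown or mis-resolved resource must resolve to nothing rather than to permissive defaults.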

Package structure

src/sonnet_auth/
    __init__.py          # public API with lazy Cedar imports
    settings.py          # AuthSettings, AuthnConfig
    context.py           # JWT claim -> AuthContext mapping
    jwt_validator.py     # JwtCredentialValidator (JWKS)
    policy_engine.py     # Cedar PolicyEngine [cedar extra]
    authz.py             # check_authz, filter_authz [cedar extra]

License

Apache License 2.0

Download files


Source Distribution

sonnet_auth-0.1.0.tar.gz (24.7 kB, source)

Built Distribution


sonnet_auth-0.1.0-py3-none-any.whl (17.4 kB, Python 3)

File details

Details for the file sonnet_auth-0.1.0.tar.gz.

File metadata

  • Download URL: sonnet_auth-0.1.0.tar.gz
  • Size: 24.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for sonnet_auth-0.1.0.tar.gz
Algorithm    Hash digest
SHA256       5e676ab00b416602bc23fadb4bfaca1d17831e7bd64a85345d5d1e9bc0e1e6c2
MD5          5d162e13e51a4936f84f80b10a609e7b
BLAKE2b-256  1649464df19d66a5904c817ebe3cf106cf2b63dcef2c4272317b5f69fa17b4db


Provenance

The following attestation bundles were made for sonnet_auth-0.1.0.tar.gz:

Publisher: publish.yml on petrarca/sonnet-server

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file sonnet_auth-0.1.0-py3-none-any.whl.

File metadata

  • Download URL: sonnet_auth-0.1.0-py3-none-any.whl
  • Size: 17.4 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for sonnet_auth-0.1.0-py3-none-any.whl
Algorithm    Hash digest
SHA256       87b68aa9123da8cd35788e5a71a807979009dd0d67010b7b2ad3e0a4456d1a96
MD5          b5548b1f9785bcd9029afa4c8ac00913
BLAKE2b-256  7b22b0a7a95b173c7e4f21a3d53854fd49b1abf4006a4d6de96b34f586bbbfc2


Provenance

The following attestation bundles were made for sonnet_auth-0.1.0-py3-none-any.whl:

Publisher: publish.yml on petrarca/sonnet-server

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
