OIDC bearer authentication provider plugin for Spakky framework
Project description
spakky-oidc
spakky-oidc is an authentication provider plugin that validates OIDC/OAuth bearer JWT credentials. It maps the validated claims to spakky.auth.AuthContext and provides the bearer authentication capability.
This plugin provides AuthCapability.AUTHENTICATION through the spakky.contributions.spakky.auth entry point. It does not include browser login, callback, session, refresh, or logout routes. Inbound adapters such as FastAPI, gRPC, and Typer read the bearer credential at the boundary and pass it to the provider-neutral IAuthenticationProvider port.
Features
- OIDC discovery based on issuer/.well-known/openid-configuration or an explicit discovery URL
- kid-based JWKS key selection and RS256 signature verification
- Validation of issuer, audience, azp, exp, nbf, iat, and clock skew
- Mapping of sub, display name, tenant, role, scope, and selected safe claims to AuthContext
- The raw bearer token is not left in AuthContext.claims, metadata, or credential_carrier
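The registered-claim checks listed above (issuer, audience, azp, exp, nbf, iat with clock skew), as an added example that is not spakky-oidc's own code. It assumes the signature has already been verified; the function names, the 60-second default skew, the azp policy, and the sample values are assumptions made for illustration.

```python
import time

class ClaimError(ValueError):
    """A verified JWT payload failed a registered-claim check."""

def validate_claims(claims, *, issuer, audience, client_id=None, skew=60, now=None):
    """Check iss, aud, azp, exp, nbf, iat on an already signature-verified payload."""
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ClaimError("iss mismatch")
    aud = claims.get("aud")
    audiences = [aud] if isinstance(aud, str) else aud if isinstance(aud, list) else []
    if audience not in audiences:
        raise ClaimError("aud mismatch")
    azp = claims.get("azp")
    if client_id is not None:
        # Assumed policy (OIDC Core ID token rules): azp is expected with several
        # audiences, and when present it must name our client.
        if azp is None and len(audiences) > 1:
            raise ClaimError("azp missing")
        if azp is not None and azp != client_id:
            raise ClaimError("azp mismatch")
    for name in ("exp", "nbf", "iat"):
        value = claims.get(name)
        if isinstance(value, bool) or not isinstance(value, (int, float, type(None))):
            raise ClaimError(f"{name} not numeric")
    if claims.get("exp") is None:
        raise ClaimError("exp missing")
    if now - skew >= claims["exp"]:  # skew extends the expiry edge
        raise ClaimError("expired")
    for name in ("nbf", "iat"):  # skew tolerates a slightly fast issuer clock
        if claims.get(name) is not None and claims[name] > now + skew:
            raise ClaimError(f"{name} in the future")
    return claims

def check(claims, **kwargs):
    """Return 'ok' or the rejection reason, for logging or tests."""
    try:
        validate_claims(claims, **kwargs)
        return "ok"
    except ClaimError as exc:
        return str(exc)

# Constructed sample payload; issuer, audience and client names are made up.
NOW = 1_700_000_000
SAMPLE = {"iss": "https://idp.example.test", "sub": "user-1",
          "aud": ["documents-api", "billing-api"], "azp": "web-client",
          "exp": NOW + 300, "nbf": NOW - 10, "iat": NOW - 10}
EXPECT = dict(issuer="https://idp.example.test", audience="documents-api",
              client_id="web-client")
```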
Installation
```bash
pip install spakky-auth spakky-oidc spakky-fastapi
```
Usage
```python
from fastapi import FastAPI
from spakky.auth import protected, require_scope
from spakky.core.application.application import SpakkyApplication
from spakky.core.application.application_context import ApplicationContext
from spakky.plugins.fastapi.routes import get
from spakky.plugins.fastapi.stereotypes.api_controller import ApiController
import spakky.auth
import spakky.plugins.fastapi
import spakky.plugins.oidc


@ApiController("/documents")
class DocumentController:
    # Requires an authenticated caller whose token carries the documents:read scope.
    @get("/{document_id}")
    @require_scope("documents:read")
    @protected
    def read(self, document_id: str) -> dict[str, str]:
        return {"id": document_id}


# Load the auth, FastAPI and OIDC plugins, then register the controller.
app = (
    SpakkyApplication(ApplicationContext())
    .load_plugins(
        include={
            spakky.auth.PLUGIN_NAME,
            spakky.plugins.fastapi.PLUGIN_NAME,
            spakky.plugins.oidc.PLUGIN_NAME,
        }
    )
    .add(DocumentController)
    .start()
)
api = app.container.get(FastAPI)
```
OidcProviderConfig is a Spakky @Configuration Pod. It is configured through environment variables: SPAKKY_OIDC_ISSUER, SPAKKY_OIDC_AUDIENCE, SPAKKY_OIDC_CLIENT_ID, and claim-mapping variables such as SPAKKY_OIDC_ROLES_CLAIM, SPAKKY_OIDC_SCOPES_CLAIM, SPAKKY_OIDC_TENANT_CLAIM, and SPAKKY_OIDC_DISPLAY_NAME_CLAIM. The default scope claim accepts the standard space-delimited scope string, and role and custom scope claims also accept string arrays.
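How configurable claim names and the two accepted claim shapes (space-delimited string, string array) can be normalised while copying only allowlisted claims, as an added example that is not the plugin's own code. MappedIdentity, SAFE_CLAIMS, the default claim names, and the payload are assumptions; for simplicity this sketch accepts both shapes for every claim.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed allowlist; the plugin's real set of safe claims is not shown on this page.
SAFE_CLAIMS = frozenset({"iss", "aud", "azp", "email_verified"})

@dataclass(frozen=True)
class MappedIdentity:
    """Hypothetical stand-in for spakky.auth.AuthContext."""
    subject: str
    display_name: Optional[str]
    tenant: Optional[str]
    roles: frozenset
    scopes: frozenset
    claims: dict

def as_string_set(value):
    """Normalise 'a b c' or ['a', 'b', 'c'] to a frozenset of strings."""
    if value is None:
        return frozenset()
    items = value.split() if isinstance(value, str) else value
    if not isinstance(items, (list, tuple)) or not all(
            isinstance(i, str) and i for i in items):
        raise ValueError("expected a space-delimited string or an array of strings")
    return frozenset(items)

def map_claims(payload, *, scopes_claim="scope", roles_claim="roles",
               tenant_claim="tenant", display_name_claim="name"):
    """Build the identity from verified claims; claims not allowlisted are dropped."""
    sub = payload.get("sub")
    if not isinstance(sub, str) or not sub:
        raise ValueError("sub is required")
    return MappedIdentity(
        subject=sub,
        display_name=payload.get(display_name_claim),
        tenant=payload.get(tenant_claim),
        roles=as_string_set(payload.get(roles_claim)),
        scopes=as_string_set(payload.get(scopes_claim)),
        claims={k: v for k, v in payload.items() if k in SAFE_CLAIMS},
    )

# Constructed payload; "realm_roles" and "debug_token" are made-up claim names.
PAYLOAD = {"iss": "https://idp.example.test", "sub": "user-1", "aud": "documents-api",
           "scope": "documents:read documents:write", "realm_roles": ["editor", "auditor"],
           "tenant": "acme", "name": "Dana", "debug_token": "constructed-placeholder"}
IDENTITY = map_claims(PAYLOAD, roles_claim="realm_roles")
```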
Inbound adapters observe the bearer credential at the boundary and call the provider-neutral auth port to store the AuthContext. Application code does not call the provider directly; it declares its requirements with spakky-auth decorators.
License
MIT
File details
Details for the file spakky_oidc-6.9.0.tar.gz.
File metadata
- Download URL: spakky_oidc-6.9.0.tar.gz
- Upload date:
- Size: 7.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | d103728d4703d3775da4aad7916fc00b31972fd7e28580c40306e066d3ba3c72 |
| MD5 | 005e34d9774977ebed57829f1683910a |
| BLAKE2b-256 | 9255268ded7a2d9e7181261071603fd86f15c2be65db4f6f2b3323e279933c91 |
Provenance
The following attestation bundles were made for spakky_oidc-6.9.0.tar.gz:
Publisher: release.yml on E5presso/spakky-framework
Statement:
- Statement type: https://in-toto.io/Statement/v1
- Predicate type: https://docs.pypi.org/attestations/publish/v1
- Subject name: spakky_oidc-6.9.0.tar.gz
- Subject digest: d103728d4703d3775da4aad7916fc00b31972fd7e28580c40306e066d3ba3c72
- Sigstore transparency entry: 1878371316
- Sigstore integration time:
- Permalink: E5presso/spakky-framework@c0fef8e1039d0b5409c462608d4d1295804a6705
- Branch / Tag: refs/heads/main
- Owner: https://github.com/E5presso
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: release.yml@c0fef8e1039d0b5409c462608d4d1295804a6705
- Trigger Event: workflow_dispatch
File details
Details for the file spakky_oidc-6.9.0-py3-none-any.whl.
File metadata
- Download URL: spakky_oidc-6.9.0-py3-none-any.whl
- Upload date:
- Size: 9.5 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | cfba00547a35b9307b371426bedadfc29b5bae0a159d61105067b4bb5a3a19f7 |
| MD5 | d9b6f84f6b839a726e2690e8d86c3869 |
| BLAKE2b-256 | 78ff3abc0c4d4859aeeb6256920208e72571bf51faae70b10b20c3f4faa8db50 |
Provenance
The following attestation bundles were made for spakky_oidc-6.9.0-py3-none-any.whl:
Publisher: release.yml on E5presso/spakky-framework
Statement:
- Statement type: https://in-toto.io/Statement/v1
- Predicate type: https://docs.pypi.org/attestations/publish/v1
- Subject name: spakky_oidc-6.9.0-py3-none-any.whl
- Subject digest: cfba00547a35b9307b371426bedadfc29b5bae0a159d61105067b4bb5a3a19f7
- Sigstore transparency entry: 1878371426
- Sigstore integration time:
- Permalink: E5presso/spakky-framework@c0fef8e1039d0b5409c462608d4d1295804a6705
- Branch / Tag: refs/heads/main
- Owner: https://github.com/E5presso
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: release.yml@c0fef8e1039d0b5409c462608d4d1295804a6705
- Trigger Event: workflow_dispatch