Skip to main content

TFRS 跨语言共享凭证工具包(Python):PAT/client_credentials → 短 JWT 换发 + 缓存/刷新 + 纯 RS256 验签

Project description

tfrs-auth (Python)

TFRS AccessToken 客户端工具包:把「PAT / client_credentials → 短 RS256 JWT 换发 (RFC 8693)+ 缓存/刷新」与「Claims/scope 契约 + 纯验签」抽成可复用包,避免每个 MCP 工具 / SDK 重复实现 token 获取与生命周期管理。

SoT = TFRSManager Contract Registry。本包 contract.py 为镜像,变更先改 Manager。 强制执行层(验签中间件/Socket.IO/ESO/默认拒绝 CI)不在本包,留 TFRobotServer。

安装

# 从 PyPI(推荐)
uv add tfrs-auth                  # 核心:契约 + 纯验签
uv add "tfrs-auth[httpx]"         # 含客户端 token source / JWKS live 拉取
# 或:pip install "tfrs-auth[httpx]"

# 或从 git + tag(未发布版本)
uv add "tfrs-auth[httpx] @ git+https://cnb.cool/turingfocus/foundation/tfrs-foundation-py@<tag>#subdirectory=packages/tfrs-auth"
  • 核心依赖:pyjwt[crypto](契约 + 纯验签)。
  • 可选 extra httpx:客户端 token source / JWKS live 拉取。
  • 许可证:MIT。

用法

客户端 token source(client_credentials,S5 A2A 主叫端)

from tfrs_auth import AsyncCachingTokenSource, ClientCredentials

cred = ClientCredentials.for_robot(
    client_id=machine_client_id,          # 机器人自身 Account.ID
    client_secret=machine_client_secret,  # tfp_ 明文(machineClientSecret)
    callee_robot_id=callee_id,            # → aud=robot:<calleeId>
    scope=["a2a:invoke"],
)
async with AsyncCachingTokenSource(
    cred, token_url="https://<user-host>/api/v1/oauth/token"
) as source:
    token = await source.token()          # 缓存 + 临期自动刷新 + 退避
    headers = {"Authorization": f"Bearer {token.access_token}"}

同步场景用 CachingTokenSource(API 对称)。

纯验签(资源服务器侧,零网络)

from tfrs_auth import JwtVerifier

verifier = JwtVerifier.from_jwks(jwks_dict, issuer="https://<user-host>", audience="robot:42")
claims = verifier.verify(access_token)    # 失败抛 TokenVerificationError
assert claims.has_scope("a2a:invoke")

live 拉取 JWKS:JwtVerifier.from_url("https://<user-host>/.well-known/jwks.json", ...)

⚠️ 资源服务器务必传 issueraudience:二者仅在提供时才校验。不传 audience 会放行签给任意机器人的 token,丧失 aud=robot:<id> 受众隔离(issuer 之于颁发者 隔离同理)。from_url 的未知-kid 刷新已内置限速(min_refresh_interval,默认 10s), 避免被构造的随机-kid token 放大成对 JWKS 端点的 DoS。

异常约定:验签失败抛 TokenVerificationErrorfrom_url 模式下 JWKS 拉取的网络失败抛 TransportError。消费方应 except (TokenVerificationError, TransportError) 同时兜住。

模块

模块 内容
contract Scope(8 active + 2 reserved) · Claims · GrantType/SubjectTokenType URN · OAuthErrorCode · JWKS/kid 形状
errors 异常树(InvalidClientError(401) / InvalidTargetError / TemporarilyUnavailableError(503) …)+ from_oauth_error
client Token · TokenSource/AsyncTokenSource · CachingTokenSource / AsyncCachingTokenSource(single-flight + 退避)
credentials ClientCredentials(✅)· PatCredential / UserJwtCredential(骨架)
verify JwtVerifier(RS256 + JWKS)
transport BearerAuth(httpx auth,骨架)

边界与状态

  • 已实现contract / errors / client(sync+async caching) / credentials.ClientCredentials / verify
  • 骨架(首批 CNB Issue)credentials.PatCredential / credentials.UserJwtCredential / transport.BearerAuth

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

tfrs_auth-0.1.1.tar.gz (24.3 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

tfrs_auth-0.1.1-py3-none-any.whl (25.3 kB view details)

Uploaded Python 3

File details

Details for the file tfrs_auth-0.1.1.tar.gz.

File metadata

  • Download URL: tfrs_auth-0.1.1.tar.gz
  • Upload date:
  • Size: 24.3 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: uv/0.11.23 {"installer":{"name":"uv","version":"0.11.23","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Debian GNU/Linux","version":"13","id":"trixie","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}

File hashes

Hashes for tfrs_auth-0.1.1.tar.gz
Algorithm Hash digest
SHA256 e40759aa105611d79e3d94bdc9a3573e298bbd71a6289642c53ae5e1d053a826
MD5 5ac20f68b21e62cd8c7c3db10ba94b5f
BLAKE2b-256 16da9fc9c99adb38ca863648f43eb83f6dcffc80073e364d1b6f9c64fa2e01b6

See more details on using hashes here.

File details

Details for the file tfrs_auth-0.1.1-py3-none-any.whl.

File metadata

  • Download URL: tfrs_auth-0.1.1-py3-none-any.whl
  • Upload date:
  • Size: 25.3 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: uv/0.11.23 {"installer":{"name":"uv","version":"0.11.23","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Debian GNU/Linux","version":"13","id":"trixie","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}

File hashes

Hashes for tfrs_auth-0.1.1-py3-none-any.whl
Algorithm Hash digest
SHA256 94a347c2b5a972041deaf0d6fa4910832e37ba5f85f3289d5b7751a449b541b5
MD5 f44042868a056a5878d70c3369b32543
BLAKE2b-256 817179c7ce0e7e032ebc9e9f8902cdf9e17b6538b74cc058c9b6a8097c02f4fa

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page