
Verify OIDC JWT identity tokens using OIDC discovery

Project description

Python library to verify id tokens using OIDC discovery


OpenID Connect identity tokens are a popular way to federate identity between different systems without sharing secrets. For example, trusted publishing on PyPI lets OIDC tokens minted by GitHub or GitLab CI jobs authenticate uploads of new Python packages. Similarly, OIDC tokens from any OIDC identity provider can be used to authenticate to Google Cloud, AWS and Azure.

The jwt.io and jwt.ms tools can validate OIDC id tokens without the user first configuring public keys, because they use the OpenID Connect discovery protocol to locate the issuer's keys.

This library implements the OpenID Connect discovery standard in Python so that OpenID Connect id tokens can be verified without public keys (or similar material) having to be configured beforehand.

Both synchronous and asynchronous (asyncio) implementations are provided.

Example

Suppose you created a GitLab OIDC token as part of a CI job to make an authenticated HTTP GET request to some service:

# .gitlab-ci.yml within https://gitlab.com/my-group/my-project

job_with_id_token:
  id_tokens:
    ID_TOKEN:
      aud: https://my-service.example.com
  script:
    - curl -X GET -H "Authorization: Bearer $ID_TOKEN" https://my-service.example.com

The following example shows how a backend can verify that an OIDC token came from a specific project:

from typing import Any
from federatedidentity import Issuer, verifiers, verify_id_token

# Use OIDC discovery to fetch public keys for verifying GitLab tokens.
GITLAB_ISSUER = Issuer.from_discovery("https://gitlab.com")

# Expected project path for id token
EXPECTED_PROJECT_PATH = "my-group/my-project"

# Expected audience claim for id token.
EXPECTED_AUDIENCE_CLAIM = "https://my-service.example.com"

def verify_gitlab_token(token: str) -> dict[str, Any]:
    """
    Verify an OIDC token from GitLab and return the dictionary of claims. Raises
    federatedidentity.exceptions.FederatedIdentityError if the token failed verification.
    """
    return verify_id_token(
        token,
        valid_issuers=[GITLAB_ISSUER],
        valid_audiences=[EXPECTED_AUDIENCE_CLAIM],
        required_claims=[
            # The "project_path" claim must match the expected project.
            {"project_path": EXPECTED_PROJECT_PATH},
        ],
    )
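
To make concrete what the discovery and verification steps above actually check, here is an added, stand-alone re-implementation of the same flow in plain Python. It is example code written for this page, not the library's own code: `DiscoveredIssuer`, `verify_id_token_offline`, `fetch_json`, `mint_constructed_token` and `VerificationError` are hypothetical stand-ins for `Issuer`, `verify_id_token` and `FederatedIdentityError`, the issuer `https://issuer.example`, its discovery documents and the signing secret are constructed so the code runs offline, and HS256 with a shared secret replaces the RS256/ES256 signatures real id tokens carry (the discovery, `kid` lookup, audience, validity-window and required-claim checks are the same either way).

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time
from typing import Any, Sequence


class VerificationError(Exception):
    """Any failed check; stand-in for federatedidentity.exceptions.FederatedIdentityError."""


def _b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# Constructed in-memory stand-in for the two documents discovery fetches over HTTPS: the provider
# configuration at <issuer>/.well-known/openid-configuration and the JWKS it points to. HS256 with a
# shared secret ("oct" JWK) is used only so this runs on the standard library; real id tokens carry
# RS256/ES256 signatures and the JWKS publishes the public halves of those keys.
CONSTRUCTED_ISSUER = "https://issuer.example"
CONSTRUCTED_SECRET = b"constructed-example-signing-secret"
CONSTRUCTED_DOCUMENTS: dict[str, dict[str, Any]] = {
    CONSTRUCTED_ISSUER + "/.well-known/openid-configuration": {
        "issuer": CONSTRUCTED_ISSUER,
        "jwks_uri": CONSTRUCTED_ISSUER + "/oauth/discovery/keys",
    },
    CONSTRUCTED_ISSUER + "/oauth/discovery/keys": {
        "keys": [{"kty": "oct", "kid": "key-1", "alg": "HS256", "k": _b64url_encode(CONSTRUCTED_SECRET)}],
    },
}


def fetch_json(url: str) -> dict[str, Any]:
    # Offline stand-in for an HTTPS GET returning JSON.
    return CONSTRUCTED_DOCUMENTS[url]


class DiscoveredIssuer:
    """Signing keys for one trusted issuer, learned via discovery (hypothetical stand-in for Issuer)."""
    def __init__(self, issuer: str, keys: dict[str, dict[str, Any]]) -> None:
        self.issuer, self.keys = issuer, keys

    @classmethod
    def from_discovery(cls, issuer_url: str) -> DiscoveredIssuer:
        issuer_url = issuer_url.rstrip("/")
        config = fetch_json(issuer_url + "/.well-known/openid-configuration")
        # The configuration's "issuer" must equal the location it was fetched from, otherwise keys
        # would be trusted under an issuer string nobody configured.
        if config.get("issuer") != issuer_url:
            raise VerificationError("issuer mismatch in discovery document")
        return cls(issuer_url, {key["kid"]: key for key in fetch_json(config["jwks_uri"])["keys"]})


def mint_constructed_token(claims: dict[str, Any], kid: str = "key-1", secret: bytes = CONSTRUCTED_SECRET) -> str:
    """Build a sample HS256 JWT to verify (constructed input, not a real CI token)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT", "kid": kid}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    signature = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(signature)}"


def verify_id_token_offline(
    token: str, valid_issuers: Sequence[DiscoveredIssuer], valid_audiences: Sequence[str],
    required_claims: Sequence[dict[str, Any]] = (), now: float | None = None,
) -> dict[str, Any]:
    """Check signature, issuer, audience, validity window and required claims; return the claims."""
    try:
        header_b64, payload_b64, signature_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(signature_b64)
    except (ValueError, UnicodeDecodeError) as exc:
        raise VerificationError("malformed token") from exc
    # 1. "iss" selects one of the issuers the verifier configured; keys come only from that issuer's
    #    discovered JWKS, never from key hints carried in the token itself.
    issuer = next((i for i in valid_issuers if i.issuer == payload.get("iss")), None)
    if issuer is None:
        raise VerificationError("untrusted issuer")
    # 2. Signature: fixed algorithm allow-list, key chosen by "kid", constant-time comparison.
    key = issuer.keys.get(header.get("kid"))
    if header.get("alg") != "HS256" or key is None:  # stand-in alg; a real verifier allow-lists its asymmetric algs
        raise VerificationError("unexpected algorithm or unknown signing key")
    expected = hmac.new(_b64url_decode(key["k"]), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise VerificationError("bad signature")
    # 3. Audience: "aud" is a string or a list; at least one entry must name this service.
    aud = payload.get("aud")
    if not any(a in valid_audiences for a in (aud if isinstance(aud, list) else [aud])):
        raise VerificationError("audience mismatch")
    # 4. Validity window: "exp" is mandatory, "nbf" is honoured when present.
    now = time.time() if now is None else now
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp or now < payload.get("nbf", now):
        raise VerificationError("outside validity window or missing exp")
    # 5. Caller-specified claims, e.g. GitLab's "project_path", pin the token to one CI project.
    for claims in required_claims:
        for name, value in claims.items():
            if payload.get(name) != value:
                raise VerificationError(f"claim {name!r} mismatch")
    return payload
```

The ordering matters: the issuer is chosen from the verifier's own configuration before any key is touched, so a token cannot nominate the key that verifies it, and the `project_path` check runs last, after the signature has proven the claims are the issuer's. Calling `DiscoveredIssuer.from_discovery(CONSTRUCTED_ISSUER)` once at startup and `verify_id_token_offline(token, [issuer], ["https://my-service.example.com"], [{"project_path": "my-group/my-project"}])` per request mirrors the `verify_gitlab_token` function above.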

See the full documentation for more examples.


Download files


Source Distribution

verify_oidc_identity-0.4.40.tar.gz (7.9 kB)

Uploaded Source

Built Distribution


verify_oidc_identity-0.4.40-py3-none-any.whl (10.6 kB)

Uploaded Python 3

File details

Details for the file verify_oidc_identity-0.4.40.tar.gz.

File metadata

  • Download URL: verify_oidc_identity-0.4.40.tar.gz
  • Upload date:
  • Size: 7.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for verify_oidc_identity-0.4.40.tar.gz
Algorithm Hash digest
SHA256 9d2e197edff61c5a1de597115b1587be4505e4e62a549f5ad06e47e5d81320a4
MD5 dc995bfa4ffa18be040d4eff73000d06
BLAKE2b-256 2ddf51b2764c53e5e65e34799e2a85f1c5e42dea6c04d9b94e765d4da4cd91fe


Provenance

The following attestation bundles were made for verify_oidc_identity-0.4.40.tar.gz:

Publisher: main.yml on rjw57/verify-oidc-identity

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file verify_oidc_identity-0.4.40-py3-none-any.whl.

File metadata

File hashes

Hashes for verify_oidc_identity-0.4.40-py3-none-any.whl
Algorithm Hash digest
SHA256 fcce3fdcc64a631873c736ad024c89160e485232a420d98d9541d71152407b50
MD5 6a69c53b7fec1d85a53c3c062579979c
BLAKE2b-256 b05c192beae456fec91dfb34a91e7d1ec7b9102b5d914ab7262cfd418f21a370


Provenance

The following attestation bundles were made for verify_oidc_identity-0.4.40-py3-none-any.whl:

Publisher: main.yml on rjw57/verify-oidc-identity

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
