Verify OIDC JWT identity tokens using OIDC discovery

Navigation

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for rjw57 from gravatar.com rjw57

Unverified details

These details have not been verified by PyPI
Meta
  • License: MIT License (MIT)
  • Author: Rich Wareham
  • Requires: Python <4.0, >=3.10
Classifiers
Report project as malware

Project description

Python library to verify id tokens using OIDC discovery

PyPI - Version PyPI - Python Version GitHub Release Test suite status

OpenID connect identity tokens are a popular choice for federating identity between different systems without the need to share secrets. For example Trusted publishing on PyPI allows use of OIDC tokens created by GitHub or GitLab CI jobs to be used to authenticate when uploading new Python packages. Similarly, OIDC tokens can be used to authenticate to Google Cloud, AWS and Azure from any OIDC identity provider.

The jwt.io and jwt.ms tools allow validating OIDC id tokens without first configuring public keys by means of the OpenID connect discovery protocol.

This library implements the OpenID Connect discovery standard in Python to allow verification of OpenID Connect id tokens without previous configuration of public keys, etc.

Both synchronous and asynchronous (asyncio) implementations are provided.

Example

Suppose you created a GitLab OIDC token as part of a CI job to make an authenticated HTTP GET request to some service:

# .gitlab-ci.yml within https://gitlab.com/my-group/my-project

job_with_id_token:
  id_tokens:
    ID_TOKEN:
      aud: https://my-service.example.com
  script:
    - curl -X GET -H "Authorization: Bearer $ID_TOKEN" https://my-service.example.com

The following example shows how to verify the OIDC token came from a specific project within a backend implementation:

from typing import Any
from federatedidentity import Issuer, verifiers, verify_id_token

# Use OIDC discovery to fetch public keys for verifying GitLab tokens.
GITLAB_ISSUER = Issuer.from_discovery("https://gitlab.com")

# Expected project path for id token
EXPECTED_PROJECT_PATH = "my-group/my-project"

# Expected audience claim for id token.
EXPECTED_AUDIENCE_CLAIM = "https://my-service.example.com"

def verify_gitlab_token(token: str) -> dict[str, Any]:
    """
    Verify an OIDC token from GitLab and return the dictionary of claims. Raises
    federatedidentity.exceptions.FederatedIdentityError if the token failed verification.
    """
    return verify_id_token(
        token,
        valid_issuers=[GITLAB_ISSUER],
        valid_audiences=[EXPECTED_AUDIENCE_CLAIM],
        required_claims=[
            # The "project_path" claim must match the expected project.
            {"project_path": EXPECTED_PROJECT_PATH},
        ],
    )

See the full documentation for more examples.

Project details

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for rjw57 from gravatar.com rjw57

Unverified details

These details have not been verified by PyPI
Meta
  • License: MIT License (MIT)
  • Author: Rich Wareham
  • Requires: Python <4.0, >=3.10
Classifiers

Release history Release notifications | RSS feed

0.4.42

This version

0.4.41

0.4.40

0.4.39

0.4.38

0.4.37

0.4.36

0.4.35

0.4.34

0.4.33

0.4.32

0.4.31

0.4.30

0.4.29

0.4.28

0.4.27

0.4.26

0.4.25

0.4.24

0.4.23

0.4.22

0.4.21

0.4.20

0.4.19

0.4.18

0.4.17

0.4.16

0.4.15

0.4.14

0.4.13

0.4.12

0.4.11

0.4.10

0.4.9

0.4.8

0.4.7

0.4.6

0.4.5

0.4.4

0.4.3

0.4.2

0.4.1

0.4.0

0.3.8

0.3.7

0.3.6

0.3.5

0.3.4

0.3.0

0.2.0

0.1.0

0.0.2

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

verify_oidc_identity-0.4.41.tar.gz (7.9 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

verify_oidc_identity-0.4.41-py3-none-any.whl (10.6 kB view details)

Uploaded Python 3

File details

Details for the file verify_oidc_identity-0.4.41.tar.gz.

File metadata

  • Download URL: verify_oidc_identity-0.4.41.tar.gz
  • Upload date:
  • Size: 7.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for verify_oidc_identity-0.4.41.tar.gz
Algorithm Hash digest
SHA256 987ce43004d610dd7f4920ed81094aaeae7a14c5e9aa3236ee4a5d3696d1732a
MD5 033b0dc38c2a8f4fa60264bd4c6ee803
BLAKE2b-256 77c2d1c1f11cd6899af58140ef7b8ae45728394b70981bc2bfebb6576e6b29af

See more details on using hashes here.

Provenance

The following attestation bundles were made for verify_oidc_identity-0.4.41.tar.gz:

Publisher: main.yml on rjw57/verify-oidc-identity

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file verify_oidc_identity-0.4.41-py3-none-any.whl.

File metadata

File hashes

Hashes for verify_oidc_identity-0.4.41-py3-none-any.whl
Algorithm Hash digest
SHA256 73ddc2692527eff08f81588cb08b60ec943279f71fa989e598d2ff766b9e137e
MD5 3f092986b9868446622605f18541cef3
BLAKE2b-256 9599113ae9f7640348c0b5b72bf59379129d38f230a6ef8f3ad2bd4c1dae3fcf

See more details on using hashes here.

Provenance

The following attestation bundles were made for verify_oidc_identity-0.4.41-py3-none-any.whl:

Publisher: main.yml on rjw57/verify-oidc-identity

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page