aoidc 0.0.1__tar.gz

aoidc-0.0.1/.envrc

@@ -0,0 +1 @@
+use flake .

aoidc-0.0.1/.gitignore

@@ -0,0 +1,171 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+#  Usually these files are written by a python script from a template
+#  before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+*.py,cover
+.hypothesis/
+.pytest_cache/
+cover/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+db.sqlite3-journal
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+.pybuilder/
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+#   For a library or package, you might want to ignore these files since the code is
+#   intended to run in multiple environments; otherwise, check them in:
+# .python-version
+
+# pipenv
+#   According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+#   However, in case of collaboration, if having platform-specific dependencies or dependencies
+#   having no cross-platform support, pipenv may install dependencies that don't work, or not
+#   install all needed dependencies.
+#Pipfile.lock
+
+# UV
+#   Similar to Pipfile.lock, it is generally recommended to include uv.lock in version control.
+#   This is especially recommended for binary packages to ensure reproducibility, and is more
+#   commonly ignored for libraries.
+#uv.lock
+
+# poetry
+#   Similar to Pipfile.lock, it is generally recommended to include poetry.lock in version control.
+#   This is especially recommended for binary packages to ensure reproducibility, and is more
+#   commonly ignored for libraries.
+#   https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control
+#poetry.lock
+
+# pdm
+#   Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control.
+#pdm.lock
+#   pdm stores project-wide configurations in .pdm.toml, but it is recommended to not include it
+#   in version control.
+#   https://pdm.fming.dev/latest/usage/project/#working-with-version-control
+.pdm.toml
+.pdm-python
+.pdm-build/
+
+# PEP 582; used by e.g. github.com/David-OConnor/pyflow and github.com/pdm-project/pdm
+__pypackages__/
+
+# Celery stuff
+celerybeat-schedule
+celerybeat.pid
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/
+
+# pytype static type analyzer
+.pytype/
+
+# Cython debug symbols
+cython_debug/
+
+# PyCharm
+#  JetBrains specific template is maintained in a separate JetBrains.gitignore that can
+#  be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore
+#  and can be added to the global gitignore or merged into this file.  For a more nuclear
+#  option (not recommended) you can uncomment the following to ignore the entire idea folder.
+#.idea/
+
+# VSCode
+.vscode/

aoidc-0.0.1/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Rubikoid
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

aoidc-0.0.1/PKG-INFO

@@ -0,0 +1,62 @@
+Metadata-Version: 2.4
+Name: aoidc
+Version: 0.0.1
+Summary: Suckless implementation of OIDC with asyncs in mind
+Author-email: Rubikoid <rubikoid@rubikoid.ru>
+License-Expression: MIT
+License-File: LICENSE
+Classifier: Development Status :: 2 - Pre-Alpha
+Classifier: Framework :: AsyncIO
+Classifier: Operating System :: OS Independent
+Classifier: Programming Language :: Python :: 3
+Classifier: Topic :: Security
+Requires-Python: <4,>=3.12
+Requires-Dist: httpx<1,>=0.28.1
+Requires-Dist: joserfc<2,>=1.6.1
+Requires-Dist: msgspec<1,>=0.19.0
+Requires-Dist: pydantic-settings<3,>=2.8.1
+Requires-Dist: pydantic<3,>=2.10.6
+Description-Content-Type: text/markdown
+
+# aOIDC
+
+Suckless implementation of [OpenID Connect Core](https://openid.net/specs/openid-connect-core-1_0-final.html) for python with asyncio support in mind.
+
+🚧 Currently under development 🚧
+
+Also implemented:
+
+- [ ] [RFC 6749](https://datatracker.ietf.org/doc/html/rfc6749): The OAuth 2.0 Authorization Framework
+- [ ] [RFC 7033](https://datatracker.ietf.org/doc/html/rfc7033): WebFinger
+- [ ] [RFC 7591](https://datatracker.ietf.org/doc/html/rfc7591): OAuth 2.0 Dynamic Client Registration Protocol - **partically**
+- [ ] [RFC 7636](https://datatracker.ietf.org/doc/html/rfc7636): Proof Key for Code Exchange by OAuth Public Clients
+- [ ] [RFC 7662](https://datatracker.ietf.org/doc/html/rfc7662): OAuth 2.0 Token Introspection
+- [ ] [RFC 8414](https://datatracker.ietf.org/doc/html/rfc8414): OAuth 2.0 Authorization Server Metadata
+  - [x] Metadata model
+  - [ ] `/.well-known/oauth-authorization-server` request
+- [ ] [OpenID Connect Core](https://openid.net/specs/openid-connect-core-1_0-final.html)
+- [ ] [OpenID Connect Discovery 1.0](https://openid.net/specs/openid-connect-discovery-1_0-final.html)
+  - [ ] WebFinger discovery
+  - [x] Model
+  - [x] `.well-known/openid-configuration` request
+
+## Implementation status / Roadmap
+
+Core functional that I need from such library is simple client authentication via authorization code flow, so this will be implemented first.
+
+1. [ ] OIDC Client for `CODE` flow
+2. [ ] OIDC Client for `PKCE` flow
+3. [ ] OIDC Client for token verification
+4. [ ] OIDC Client for `client_credentials` flow
+
+## Motivation
+
+All the existing python OIDC RP libs are the big balls of mud:
+
+- [pyoidc](https://github.com/CZ-NIC/pyoidc) - synchronous, a little obscure, but the best of all existing.
+- [idpy-oidc](https://github.com/IdentityPython/idpy-oidc) - older lib from the same dev as `pyoidc`.
+- [authlib](https://github.com/lepture/authlib) - synchronous, no typing, giant pain to use, dual licensing, bad kwargs architecture, bad docs. Worst library.
+- [oauthlib](https://github.com/oauthlib/oauthlib) - synchronous, no OIDC client, only provider.
+- [oidc-client](https://gitlab.com/yzr-oss/oidc-client) - not really a library.
+
+There are few libraries which supports OAuth 2.0 & OIDC as provider (server), but they are out-of-scope.

aoidc-0.0.1/README.md

@@ -0,0 +1,42 @@
+# aOIDC
+
+Suckless implementation of [OpenID Connect Core](https://openid.net/specs/openid-connect-core-1_0-final.html) for python with asyncio support in mind.
+
+🚧 Currently under development 🚧
+
+Also implemented:
+
+- [ ] [RFC 6749](https://datatracker.ietf.org/doc/html/rfc6749): The OAuth 2.0 Authorization Framework
+- [ ] [RFC 7033](https://datatracker.ietf.org/doc/html/rfc7033): WebFinger
+- [ ] [RFC 7591](https://datatracker.ietf.org/doc/html/rfc7591): OAuth 2.0 Dynamic Client Registration Protocol - **partically**
+- [ ] [RFC 7636](https://datatracker.ietf.org/doc/html/rfc7636): Proof Key for Code Exchange by OAuth Public Clients
+- [ ] [RFC 7662](https://datatracker.ietf.org/doc/html/rfc7662): OAuth 2.0 Token Introspection
+- [ ] [RFC 8414](https://datatracker.ietf.org/doc/html/rfc8414): OAuth 2.0 Authorization Server Metadata
+  - [x] Metadata model
+  - [ ] `/.well-known/oauth-authorization-server` request
+- [ ] [OpenID Connect Core](https://openid.net/specs/openid-connect-core-1_0-final.html)
+- [ ] [OpenID Connect Discovery 1.0](https://openid.net/specs/openid-connect-discovery-1_0-final.html)
+  - [ ] WebFinger discovery
+  - [x] Model
+  - [x] `.well-known/openid-configuration` request
+
+## Implementation status / Roadmap
+
+Core functional that I need from such library is simple client authentication via authorization code flow, so this will be implemented first.
+
+1. [ ] OIDC Client for `CODE` flow
+2. [ ] OIDC Client for `PKCE` flow
+3. [ ] OIDC Client for token verification
+4. [ ] OIDC Client for `client_credentials` flow
+
+## Motivation
+
+All the existing python OIDC RP libs are the big balls of mud:
+
+- [pyoidc](https://github.com/CZ-NIC/pyoidc) - synchronous, a little obscure, but the best of all existing.
+- [idpy-oidc](https://github.com/IdentityPython/idpy-oidc) - older lib from the same dev as `pyoidc`.
+- [authlib](https://github.com/lepture/authlib) - synchronous, no typing, giant pain to use, dual licensing, bad kwargs architecture, bad docs. Worst library.
+- [oauthlib](https://github.com/oauthlib/oauthlib) - synchronous, no OIDC client, only provider.
+- [oidc-client](https://gitlab.com/yzr-oss/oidc-client) - not really a library.
+
+There are few libraries which supports OAuth 2.0 & OIDC as provider (server), but they are out-of-scope.

aoidc-0.0.1/aoidc/__init__.py

@@ -0,0 +1 @@
+from .version import __version__  # noqa: F401

aoidc-0.0.1/aoidc/__main__.py

@@ -0,0 +1,32 @@
+import asyncio
+from .oidc.oidc import OIDCClient
+
+public_tests = [
+    # (
+    #     "284523826908311692",
+    #     "pflw13U3o1RDXBPOHfDQtPJPfYUeqFWNLQekt8fSXjRiXLo8icmFwdkM0pWBgiNc",
+    #     "https://idp.cypol.dev",
+    # ),
+    # (
+    #     None,
+    #     None,
+    #     "https://idphydra-uat.beeline.ru",
+    # ),
+    (
+        "1",
+        "A",
+        "https://www.certification.openid.net/test/a/test-1/.well-known/openid-configuration",
+    ),
+]
+
+
+async def main():
+    for CLIENT_ID, CLIENT_SECRET, DISCOVERY in public_tests:
+        client = OIDCClient(discovery_endpoint=DISCOVERY, client_id=CLIENT_ID, client_secret=CLIENT_SECRET)
+        await client.init()
+        auth_link = await client.authorization_code_flow_start(redirect_uri="http://127.0.0.1:9999")
+        print(auth_link)
+
+
+if __name__ == "__main__":
+    asyncio.run(main())

aoidc-0.0.1/aoidc/config.py

@@ -0,0 +1,21 @@
+from pydantic_settings import BaseSettings, SettingsConfigDict
+
+
+class _Settings(BaseSettings):
+    DEBUG: bool = False
+
+    ALLOW_HTTP: bool = False
+    """This option violates the RFCs, but may be useful for debugging, and MUST NOT be enabled in production env"""
+
+    ALLOW_ALG_NONE: bool = False
+    """This option violates the RFCs, but may be useful for debugging, and MUST NOT be enabled in production env"""
+
+    ALLOW_ALL_URLS: bool = False
+    """This option is INSECURE, but may be useful for debugging, and MUST NOT be enabled in production env"""
+
+    model_config = SettingsConfigDict(
+        env_prefix="AOIDC_",
+    )
+
+
+settings = _Settings()

aoidc-0.0.1/aoidc/errors/__init__.py

@@ -0,0 +1,13 @@
+class GenericError(Exception):
+    pass
+
+
+class GenericAuthError(GenericError):
+    pass
+
+
+class GenericValidationError(ValueError, GenericError):
+    pass
+
+
+class GenericOIDCError(GenericError): ...

aoidc-0.0.1/aoidc/jwt.py

@@ -0,0 +1,34 @@
+# ruff: noqa: S105
+from enum import StrEnum
+
+
+class JsonWebAlgos(StrEnum):
+    """
+    https://datatracker.ietf.org/doc/html/rfc7518#section-3.1
+
+    + https://datatracker.ietf.org/doc/html/rfc9864#section-2.2
+    """
+
+    NONE = "none"
+
+    HS256 = "HS256"
+    HS384 = "HS384"
+    HS512 = "HS512"
+
+    RS256 = "RS256"
+    RS384 = "RS384"
+    RS512 = "RS512"
+
+    ES256 = "ES256"
+    ES256K = "ES256K"
+
+    ES384 = "ES384"
+    ES512 = "ES512"
+
+    PS256 = "PS256"
+    PS384 = "PS384"
+    PS512 = "PS512"
+
+    EDDSA = "EdDSA"
+    ED25519 = "Ed25519"
+    ED448 = "Ed448"

aoidc-0.0.1/aoidc/oauth2/context.py

@@ -0,0 +1,14 @@
+"""
+Helper module for passing validation context
+"""
+
+from dataclasses import dataclass, field
+
+from httpx import URL
+
+
+@dataclass(init=True, frozen=True, slots=True)
+class ValidationContext:
+    origin_url: URL
+
+    allowed_urls: list[URL] = field(default_factory=list)

aoidc-0.0.1/aoidc/oauth2/enums.py

@@ -0,0 +1,84 @@
+# ruff: noqa: S105
+from enum import StrEnum
+from typing import Annotated, Any
+
+from pydantic import BeforeValidator
+
+"""
+Taken from https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml as of 11.03.2025
+
+Defined here, instead of RFCs, because of extending among many RFCs, and I don't want to define state for 
+each RFC
+"""
+
+
+class ResponseType(StrEnum):
+    """
+    https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#endpoint
+
+    Несмотря на то, что в стандарте написаны конкретные комбинации,
+    некоторые IdP (например, ory hydra) возвращает конструкции вида `token id_token` и `token id_token code`
+    Тогда как в стандарте написаны `token id_token code`
+    """
+
+    NONE = "none"
+
+    CODE = "code"
+    TOKEN = "token"
+    ID_TOKEN = "id_token"
+
+
+def reconstruct_response_types(data: Any) -> set[tuple[ResponseType, ...]]:
+    if not isinstance(data, list) or any(not isinstance(i, str) for i in data):
+        raise ValueError("Invalid ResponseTypes input")
+
+    result: set[tuple[ResponseType, ...]] = set()
+    for entry in data:
+        responses: list[str] = entry.split(" ")
+        result_part = {ResponseType(i) for i in responses}
+        result.add(tuple(sorted(result_part)))
+
+    return result
+
+
+ResponseTypes = Annotated[
+    set[tuple[ResponseType, ...]],
+    BeforeValidator(reconstruct_response_types, json_schema_input_type=list[str]),
+]
+
+
+class AccessTokenTypes(StrEnum):
+    """
+    https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#token-types
+    """
+
+    BEARER = "Bearer"
+
+    DPoP = "DPoP"
+    N_A = "N_A"
+    PoP = "PoP"
+
+
+class TokenEndpointAuthMetod(StrEnum):
+    """
+    https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#token-endpoint-auth-method
+    """
+
+    NONE = "none"
+    CLIENT_SECRET_POST = "client_secret_post"
+    CLIENT_SECRET_BASIC = "client_secret_basic"
+
+    CLIENT_SECRET_JWT = "client_secret_jwt"
+    PRIVATE_KEY_JWT = "private_key_jwt"
+
+    TLS_CLIENT_AUTH = "tls_client_auth"
+    SELF_SIGNED_TLS_CLIENT_AUTH = "self_signed_tls_client_auth"
+
+
+class CodeChallendeMethods(StrEnum):
+    """
+    https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml#pkce-code-challenge-method
+    """
+
+    PLAIN = "plain"
+    S256 = "S256"

aoidc-0.0.1/aoidc/oauth2/rfc_7591_dynamic_client/enums.py

@@ -0,0 +1,16 @@
+# ruff: noqa: S105
+from enum import StrEnum
+
+
+class GrantTypes(StrEnum):
+    AUTHORIZATION_CODE = "authorization_code"
+    IMPLICIT = "implicit"
+
+    PASSWORD = "password"
+    CLIENT_CREDENTIALS = "client_credentials"
+
+    REFRESH_TOKEN = "refresh_token"
+
+    JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"
+    SAML2_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer"
+    DEVICE_CODE = "urn:ietf:params:oauth:grant-type:device_code"

aoidc-0.0.1/aoidc/oauth2/rfc_7636_pkce/enums.py

@@ -0,0 +1,2 @@
+# ruff: noqa: S105
+from enum import StrEnum

aoidc-0.0.1/aoidc/oauth2/rfc_8414_server_metadata/enum.py

@@ -0,0 +1,9 @@
+# ruff: noqa: S105
+from enum import StrEnum
+
+
+class ResponseModes(StrEnum):
+    QUERY = "query"
+    FRAGMENT = "fragment"
+    FORM_POST = "form_post"
+