auth-middleware 0.1.0__tar.gz

auth_middleware-0.1.0/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2024 Press Any Key
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

auth_middleware-0.1.0/PKG-INFO

@@ -0,0 +1,98 @@
+Metadata-Version: 2.1
+Name: auth-middleware
+Version: 0.1.0
+Summary: Async Auth Middleware for FastAPI/Starlette
+Author: impalah
+Author-email: impalah@gmail.com
+Requires-Python: >=3.12,<4.0
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.12
+Requires-Dist: colorlog (>=6.8.0,<7.0.0)
+Requires-Dist: fastapi (>=0.105.0,<0.106.0)
+Requires-Dist: pydantic[email] (>=2.5.3,<3.0.0)
+Requires-Dist: python-dotenv (>=1.0.0,<2.0.0)
+Requires-Dist: python-jose[cryptography] (>=3.3.0,<4.0.0)
+Requires-Dist: requests (>=2.31.0,<3.0.0)
+Requires-Dist: svix-ksuid (>=0.6.2,<0.7.0)
+Description-Content-Type: text/markdown
+
+# auth-middleware
+
+Async Auth Middleware for FastAPI/Starlette.
+
+## Technology Stack:
+
+- FastAPI
+- Pytest (\*)
+
+## Development environment
+
+### Requirements:
+
+- Python >= 3.12 (Pyenv, best option)
+- Poetry as dependency manager
+
+### Activate development environment
+
+```
+poetry install
+```
+
+This will create a new virtual environment (if it does not exists) and will install all the dependencies.
+
+To activate the virtual environment use:
+
+```
+poetry shell
+```
+
+### Add/remove dependencies
+
+```
+poetry add PIP_PACKAGE [-G group.name]
+```
+
+Add dependency to the given group. If not specified will be added to the default group.
+
+```
+poetry remove PIP_PACKAGE [-G group.name]
+```
+
+Remove dependency from the given group
+
+## Tests
+
+### Debug From VS Code
+
+Get the path of the virtual environment created by poetry:
+
+```bash
+poetry env info -p
+```
+
+Set in visual studio code the default interpreter to the virtual environment created by poetry.(SHIT+CTRL+P Select interpreter)
+
+Launch "Pytest launch" from the run/debug tab.
+
+You can set breakpoints and inspections
+
+### Launch tests from command line
+
+```
+poetry run pytest --cov-report term-missing --cov=web_api_template ./tests
+```
+
+This will launch tests and creates a code coverage report.
+
+### Exclude code from coverage
+
+When you need to exclude code from the code coverage report set, in the lines or function to be excluded, the line:
+
+```
+# pragma: no cover
+```
+
+See: https://coverage.readthedocs.io/en/6.4.4/excluding.html
+
+
+

auth_middleware-0.1.0/README.md

@@ -0,0 +1,79 @@
+# auth-middleware
+
+Async Auth Middleware for FastAPI/Starlette.
+
+## Technology Stack:
+
+- FastAPI
+- Pytest (\*)
+
+## Development environment
+
+### Requirements:
+
+- Python >= 3.12 (Pyenv, best option)
+- Poetry as dependency manager
+
+### Activate development environment
+
+```
+poetry install
+```
+
+This will create a new virtual environment (if it does not exists) and will install all the dependencies.
+
+To activate the virtual environment use:
+
+```
+poetry shell
+```
+
+### Add/remove dependencies
+
+```
+poetry add PIP_PACKAGE [-G group.name]
+```
+
+Add dependency to the given group. If not specified will be added to the default group.
+
+```
+poetry remove PIP_PACKAGE [-G group.name]
+```
+
+Remove dependency from the given group
+
+## Tests
+
+### Debug From VS Code
+
+Get the path of the virtual environment created by poetry:
+
+```bash
+poetry env info -p
+```
+
+Set in visual studio code the default interpreter to the virtual environment created by poetry.(SHIT+CTRL+P Select interpreter)
+
+Launch "Pytest launch" from the run/debug tab.
+
+You can set breakpoints and inspections
+
+### Launch tests from command line
+
+```
+poetry run pytest --cov-report term-missing --cov=web_api_template ./tests
+```
+
+This will launch tests and creates a code coverage report.
+
+### Exclude code from coverage
+
+When you need to exclude code from the code coverage report set, in the lines or function to be excluded, the line:
+
+```
+# pragma: no cover
+```
+
+See: https://coverage.readthedocs.io/en/6.4.4/excluding.html
+
+

auth_middleware-0.1.0/pyproject.toml

@@ -0,0 +1,31 @@
+[tool.poetry]
+name = "auth-middleware"
+version = "0.1.0"
+description = "Async Auth Middleware for FastAPI/Starlette"
+authors = ["impalah <impalah@gmail.com>"]
+readme = "README.md"
+packages = [{include = "auth_middleware", from = "src"}]
+
+[tool.poetry.dependencies]
+python = "^3.12"
+fastapi = "^0.105.0"
+python-dotenv = "^1.0.0"
+svix-ksuid = "^0.6.2"
+colorlog = "^6.8.0"
+python-jose = {extras = ["cryptography"], version = "^3.3.0"}
+requests = "^2.31.0"
+pydantic = {extras = ["email"], version = "^2.5.3"}
+
+[tool.poetry.group.dev.dependencies]
+pytest = "^7.4.4"
+pytest-mock = "^3.12.0"
+pytest-asyncio = "^0.23.3"
+mock = "^5.1.0"
+pytest-cov = "^4.1.0"
+black = "^23.12.1"
+pytest-env = "^1.1.3"
+mypy = "^1.8.0"
+
+[build-system]
+requires = ["poetry-core>=1.0.0"]
+build-backend = "poetry.core.masonry.api"

auth_middleware-0.1.0/src/auth_middleware/__init__.py

@@ -0,0 +1,20 @@
+from .functions import require_groups, require_user
+from .group_checker import GroupChecker
+from .exceptions import InvalidTokenException
+from .jwt_auth_middleware import JwtAuthMiddleware
+from .jwt_auth_provider import JWTAuthProvider
+from .types import JWK, JWKS, JWTAuthorizationCredentials, User
+
+__all__ = [
+    "require_groups",
+    "require_user",
+    "GroupChecker",
+    "User",
+    "InvalidTokenException",
+    "JwtAuthMiddleware",
+    "User",
+    "JWK",
+    "JWKS",
+    "JWTAuthorizationCredentials",
+    "JWTAuthProvider",
+]

auth_middleware-0.1.0/src/auth_middleware/exceptions.py

@@ -0,0 +1,5 @@
+from fastapi import HTTPException
+
+
+class InvalidTokenException(HTTPException):
+    pass

auth_middleware-0.1.0/src/auth_middleware/functions.py

@@ -0,0 +1,33 @@
+from typing import List
+
+from fastapi import HTTPException, Request
+
+from auth_middleware.group_checker import GroupChecker
+from auth_middleware.settings import settings
+
+
+def require_groups(allowed_groups: List[str]):
+    """Check if the user has the required groups
+
+    Args:
+        allowed_groups (List[str]): _description_
+    """
+
+    def _group_checker(request: Request):
+        return GroupChecker(allowed_groups)(request)
+
+    return _group_checker
+
+
+def require_user():
+    """Check if the user is authenticated"""
+
+    def _user_checker(request: Request):
+
+        if settings.AUTH_DISABLED:
+            return
+
+        if not hasattr(request.state, "current_user") or not request.state.current_user:
+            raise HTTPException(status_code=401, detail="Authentication required")
+
+    return _user_checker

auth_middleware-0.1.0/src/auth_middleware/group_checker.py

@@ -0,0 +1,34 @@
+from typing import List
+
+from fastapi import HTTPException, Request
+
+from auth_middleware.logging import logger
+from auth_middleware.settings import settings
+from auth_middleware.types import User
+
+
+class GroupChecker:
+    """Controls if user has the required group (user_type)"""
+
+    __allowed_groups: list = []
+
+    def __init__(self, allowed_groups: List):
+        self.__allowed_groups = allowed_groups
+
+    def __call__(self, request: Request):
+
+        if settings.AUTH_DISABLED:
+            return
+
+        if not hasattr(request.state, "current_user") or not request.state.current_user:
+            raise HTTPException(status_code=401, detail="Authentication required")
+
+        user: User = request.state.current_user
+
+        if user.groups is not None and not any(
+            group in self.__allowed_groups for group in user.groups
+        ):
+            logger.debug(
+                f"User with groups {user.groups} not in {self.__allowed_groups}"
+            )
+            raise HTTPException(status_code=403, detail="Operation not allowed")

auth_middleware-0.1.0/src/auth_middleware/jwt_auth_middleware.py

@@ -0,0 +1,117 @@
+from typing import Optional
+
+from fastapi import Request, status
+from fastapi.security.utils import get_authorization_scheme_param
+from starlette.middleware.base import BaseHTTPMiddleware, RequestResponseEndpoint
+from starlette.responses import JSONResponse, Response
+
+from auth_middleware.exceptions import InvalidTokenException
+from auth_middleware.jwt_auth_provider import JWTAuthProvider
+from auth_middleware.jwt_bearer_manager import JWTBearerManager
+from auth_middleware.logging import logger
+from auth_middleware.types import JWTAuthorizationCredentials, User
+
+
+class JwtAuthMiddleware(BaseHTTPMiddleware):
+    """JWT Authorization middleware for FastAPI
+    Adds the current user to the request state.
+
+    Args:
+        BaseHTTPMiddleware (_type_): _description_
+    """
+
+    _auth_provider: JWTAuthProvider
+    _jwt_bearer_manager = JWTBearerManager
+
+    def __init__(self, auth_provider: JWTAuthProvider, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self._auth_provider = auth_provider
+        self._jwt_bearer_manager = JWTBearerManager(
+            auth_provider=self._auth_provider,
+        )
+
+    async def dispatch(
+        self, request: Request, call_next: RequestResponseEndpoint
+    ) -> Response | JSONResponse:
+        try:
+            request.state.current_user = await self.get_current_user(request=request)
+        except InvalidTokenException as ite:
+            logger.error("Invalid Token %s", str(ite))
+            return JSONResponse(
+                status_code=status.HTTP_401_UNAUTHORIZED,
+                content={"detail": "Invalid token"},
+                headers={"WWW-Authenticate": "Bearer"},
+            )
+        except Exception as e:
+            logger.error("Error in AuthMiddleware: %s", str(e))
+            return JSONResponse(
+                status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+                content={"detail": f"Server error: {str(e)}"},
+            )
+
+        response = await call_next(request)
+        return response
+
+    async def get_current_user(self, request: Request) -> User | None:
+        """Get current logged in and active user
+
+
+        Raises:
+            HTTPException: _description_
+
+        Returns:
+            User: Domain object.
+        """
+
+        logger.debug("Get Current Active User ...")
+
+        try:
+
+            if not self.__validate_credentials(request=request):
+                logger.debug("There are no credentiasl in the request")
+                return None
+
+            token: Optional[JWTAuthorizationCredentials] = (
+                await self._jwt_bearer_manager.get_credentials(request=request)
+            )
+
+            # Create User object from token
+            user: User = (
+                self._auth_provider.create_user_from_token(token=token)
+                if token
+                else self.__create_synthetic_user()
+            )
+            logger.debug("Returning %s", user)
+            return user
+        except InvalidTokenException as ite:
+            logger.error("Invalid Token %s", str(ite))
+            raise
+        except Exception as e:
+            logger.error("Not controlled exception %s", str(e))
+            raise
+
+    def __validate_credentials(self, request: Request) -> bool:
+        """Validate if credentials exist in the request headers
+
+        Args:
+            request (Request): _description_
+
+        Returns:
+            bool: _description_
+        """
+        authorization = request.headers.get("Authorization")
+        scheme, credentials = get_authorization_scheme_param(authorization)
+        return bool(authorization and scheme and credentials)
+
+    def __create_synthetic_user(self) -> User:
+        """Create a synthetic user for testing purposes
+
+        Returns:
+            User: Domain object.
+        """
+        return User(
+            id="synthetic",
+            name="synthetic",
+            groups=[],
+            email="synthetic@email.com",
+        )

auth_middleware-0.1.0/src/auth_middleware/jwt_auth_provider.py

@@ -0,0 +1,67 @@
+from abc import ABCMeta, abstractmethod
+from time import time, time_ns
+from typing import Optional
+
+from jose import jwk
+from jose.utils import base64url_decode
+
+from auth_middleware.types import JWK, JWKS, JWTAuthorizationCredentials, User
+
+
+class JWTAuthProvider(metaclass=ABCMeta):
+
+    def _get_jwks(self) -> JWKS | None:
+        """
+        Returns a structure that caches the public keys used by the auth provider to sign its JWT tokens.
+        Cache is refreshed after a settable time or number of reads (usages)
+        """
+        reload_cache = False
+        try:
+            if (
+                not hasattr(self, "jks")
+                or self.jks.timestamp is None
+                or self.jks.timestamp < time_ns()
+                or self.jks.usage_counter is None
+                or self.jks.usage_counter <= 0
+            ):
+                reload_cache = True
+        except AttributeError:
+            # the first time after application startup, self.jks is NOT defined
+            reload_cache = True
+
+        try:
+            if reload_cache:
+                self.jks: JWKS = self.load_jwks()
+            else:
+                if self.jks.usage_counter is not None:
+                    self.jks.usage_counter -= 1
+
+        except KeyError:
+            return None
+
+        return self.jks
+
+    def _get_hmac_key(self, token: JWTAuthorizationCredentials) -> Optional[JWK]:
+        jwks: Optional[JWKS] = self._get_jwks()
+        if jwks is not None and jwks.keys is not None:
+            for key in jwks.keys:
+                if key["kid"] == token.header["kid"]:
+                    return key
+        return None
+
+    @abstractmethod
+    def load_jwks(
+        self,
+    ) -> JWKS: ...
+
+    @abstractmethod
+    async def verify_token(
+        self,
+        token: JWTAuthorizationCredentials,
+    ) -> bool: ...
+
+    @abstractmethod
+    def create_user_from_token(
+        self,
+        token: JWTAuthorizationCredentials,
+    ) -> User: ...

auth_middleware-0.1.0/src/auth_middleware/jwt_bearer_manager.py

@@ -0,0 +1,83 @@
+from typing import Optional
+
+from fastapi import HTTPException
+from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer
+from jose import JWTError, jwt
+from starlette.requests import Request
+from starlette.status import HTTP_403_FORBIDDEN
+
+from auth_middleware.exceptions import InvalidTokenException
+from auth_middleware.jwt_auth_provider import JWTAuthProvider
+from auth_middleware.logging import logger
+from auth_middleware.settings import settings
+from auth_middleware.types import JWTAuthorizationCredentials
+
+
+class JWTBearerManager(HTTPBearer):
+
+    def __init__(
+        self,
+        auth_provider: JWTAuthProvider,
+        auto_error: bool = True,
+    ):
+        super().__init__(auto_error=auto_error)
+        self.auth_provider = auth_provider
+
+    async def get_credentials(
+        self, request: Request
+    ) -> Optional[JWTAuthorizationCredentials]:
+        if settings.AUTH_DISABLED:
+            return None
+
+        try:
+            credentials: Optional[HTTPAuthorizationCredentials] = (
+                await super().__call__(request)
+            )
+        except HTTPException as e:
+            logger.error("Error in JWTBearerManager: %s", str(e))
+            raise e
+        except Exception as e:
+            logger.error("Error in JWTBearerManager: %s", str(e))
+            raise InvalidTokenException(
+                status_code=HTTP_403_FORBIDDEN,
+                detail="JWK-invalid",
+            )
+
+        if credentials:
+            # TODO: use a constant for the string "Bearer"
+            if credentials.scheme != "Bearer":
+                logger.error("Error in JWTBearerManager: Wrong authentication method")
+                raise InvalidTokenException(
+                    status_code=HTTP_403_FORBIDDEN,
+                    detail="Wrong authentication method",
+                )
+
+            jwt_token = credentials.credentials
+
+            message, signature = jwt_token.rsplit(".", 1)
+
+            try:
+                jwt_credentials = JWTAuthorizationCredentials(
+                    jwt_token=jwt_token,
+                    header=jwt.get_unverified_header(jwt_token),
+                    claims=jwt.get_unverified_claims(jwt_token),
+                    signature=signature,
+                    message=message,
+                )
+            except JWTError:
+                logger.error("Error in JWTBearerManager: JWTError")
+                raise InvalidTokenException(
+                    status_code=HTTP_403_FORBIDDEN,
+                    detail="JWK-invalid",
+                )
+
+            if not self.auth_provider.verify_token(jwt_credentials):
+                logger.error("Error in JWTBearerManager: token not verified")
+                raise InvalidTokenException(
+                    status_code=HTTP_403_FORBIDDEN,
+                    detail="JWK_invalid",
+                )
+
+            return jwt_credentials
+
+        return None

auth_middleware-0.1.0/src/auth_middleware/logging.py

@@ -0,0 +1,33 @@
+import logging
+
+import colorlog
+
+from auth_middleware.settings import settings
+
+logger = logging.getLogger(
+    __name__ if settings.LOGGER_NAME == "" else settings.LOGGER_NAME
+)
+logger.setLevel(settings.LOG_LEVEL)
+
+# create console handler and set level to debug
+ch = logging.StreamHandler()
+ch.setLevel(settings.LOG_LEVEL)
+
+# create formatter
+formatter = colorlog.ColoredFormatter(
+    settings.LOG_FORMAT,
+    reset=True,
+    log_colors={
+        "DEBUG": "cyan",
+        "INFO": "green",
+        "WARNING": "yellow",
+        "ERROR": "red",
+        "CRITICAL": "red,bg_white",
+    },
+)
+
+# add formatter to ch
+ch.setFormatter(formatter)
+
+# add ch to logger
+logger.addHandler(ch)

auth_middleware-0.1.0/src/auth_middleware/providers/cognito/cognito_provider.py

@@ -0,0 +1,93 @@
+from time import time, time_ns
+from typing import List
+
+import requests
+from jose import jwk
+from jose.utils import base64url_decode
+
+from auth_middleware.jwt_auth_provider import JWTAuthProvider
+from auth_middleware.logging import logger
+from auth_middleware.providers.cognito.exceptions import AWSException
+from auth_middleware.providers.cognito.settings import settings
+from auth_middleware.types import JWK, JWKS, JWTAuthorizationCredentials, User
+
+
+class CognitoProvider(JWTAuthProvider):
+
+    def __new__(cls):
+        if not hasattr(cls, "instance"):
+            cls.instance = super(CognitoProvider, cls).__new__(cls)
+        return cls.instance
+
+    def load_jwks(
+        self,
+    ) -> JWKS:
+        """Load JWKS credentials from remote Identity Provider
+
+        Returns:
+            JWKS: _description_
+        """
+
+        # TODO: Control errors
+        keys: List[JWK] = requests.get(
+            settings.AWS_COGNITO_JWKS_URL_TEMPLATE.format(
+                settings.AWS_COGNITO_USER_POOL_REGION,
+                settings.AWS_COGNITO_USER_POOL_ID,
+            )
+        ).json()["keys"]
+        timestamp: int = (
+            time_ns() + settings.AUTH_JWKS_CACHE_INTERVAL_MINUTES * 60 * 1000000000
+        )
+        usage_counter: int = settings.AUTH_JWKS_CACHE_USAGES
+        jks: JWKS = JWKS(keys=keys, timestamp=timestamp, usage_counter=usage_counter)
+
+        return jks
+
+    def verify_token(self, token: JWTAuthorizationCredentials) -> bool:
+
+        hmac_key_candidate = self._get_hmac_key(token)
+
+        if not hmac_key_candidate:
+            logger.error(
+                "No public key found that matches the one present in the TOKEN!"
+            )
+            raise AWSException("No public key found!")
+
+        hmac_key = jwk.construct(hmac_key_candidate)
+
+        decoded_signature = base64url_decode(token.signature.encode())
+
+        # if crypto is OK, then check expiry date
+        if hmac_key.verify(token.message.encode(), decoded_signature):
+            return token.claims["exp"] > time()
+
+        return False
+
+    def create_user_from_token(self, token: JWTAuthorizationCredentials) -> User:
+        """Initializes a domain User object with data recovered from a JWT TOKEN.
+        Args:
+        token (JWTAuthorizationCredentials): Defaults to Depends(oauth2_scheme).
+
+        Returns:
+            User: Domain object.
+
+        """
+
+        name_property: str = (
+            "username" if "username" in token.claims else "cognito:username"
+        )
+
+        return User(
+            id=token.claims["sub"],
+            name=(
+                token.claims[name_property]
+                if name_property in token.claims
+                else token.claims["sub"]
+            ),
+            groups=(
+                token.claims["cognito:groups"]
+                if "cognito:groups" in token.claims
+                else [str(token.claims["scope"]).split("/")[-1]]
+            ),
+            email=token.claims["email"] if "email" in token.claims else None,
+        )

auth_middleware-0.1.0/src/auth_middleware/providers/cognito/exceptions.py

@@ -0,0 +1,8 @@
+class AWSException(Exception):
+    """Domain exception fro wrapping AWS-related exceptions.
+
+    Args:
+        Exception (Exception): inherits from base exception
+    """
+
+    ...

auth_middleware-0.1.0/src/auth_middleware/providers/cognito/settings.py

@@ -0,0 +1,44 @@
+from typing import Optional
+
+from starlette.config import Config
+
+from auth_middleware.settings import Settings
+
+config = Config()
+
+
+class ModuleSettings(Settings):
+    """Settings for the module"""
+
+    AWS_COGNITO_USER_POOL_ID: Optional[str] = config(
+        "AWS_COGNITO_USER_POOL_ID",
+        cast=str,
+        default=None,
+    )
+
+    AWS_COGNITO_USER_POOL_REGION: Optional[str] = config(
+        "AWS_COGNITO_USER_POOL_REGION",
+        cast=str,
+        default=None,
+    )
+
+    AWS_COGNITO_JWKS_URL_TEMPLATE: str = config(
+        "AWS_COGNITO_JWKS_URL_TEMPLATE",
+        cast=str,
+        default="https://cognito-idp.{}.amazonaws.com/{}/.well-known/jwks.json",
+    )
+
+    AWS_COGNITO_USER_POOL_CLIENT_ID: Optional[str] = config(
+        "AWS_COGNITO_USER_POOL_CLIENT_ID",
+        cast=str,
+        default=None,
+    )
+
+    AWS_COGNITO_USER_POOL_CLIENT_SECRET: Optional[str] = config(
+        "AWS_COGNITO_USER_POOL_CLIENT_SECRET",
+        cast=str,
+        default=None,
+    )
+
+
+settings = ModuleSettings()

auth_middleware-0.1.0/src/auth_middleware/providers/entra_id/entra_id_provider.py

@@ -0,0 +1,125 @@
+from time import time, time_ns
+
+import requests
+from jose import JWTError, jwt
+
+from auth_middleware.jwt_auth_provider import JWTAuthProvider
+from auth_middleware.logging import logger
+from auth_middleware.providers.entra_id.exceptions import AzureException
+from auth_middleware.providers.entra_id.settings import settings
+from auth_middleware.types import JWK, JWKS, JWTAuthorizationCredentials, User
+
+
+class EntraIDProvider(JWTAuthProvider):
+
+    def __new__(cls):
+        if not hasattr(cls, "instance"):
+            cls.instance = super(EntraIDProvider, cls).__new__(cls)
+        return cls.instance
+
+    def load_jwks(
+        self,
+    ) -> JWKS:
+        """Load JWKS credentials from remote Identity Provider
+
+        Returns:
+            JWKS: _description_
+        """
+
+        # TODO: Control errors
+        openid_config = requests.get(
+            settings.AZURE_ENTRA_ID_JWKS_URL_TEMPLATE.format(
+                settings.AZURE_ENTRA_ID_TENANT_ID,
+            )
+        ).json()
+        jwks_uri = openid_config["jwks_uri"]
+        keys = requests.get(jwks_uri).json()["keys"]
+
+        # Convert 'x5c' field in each key from list to string
+        for key in keys:
+            if "x5c" in key and isinstance(key["x5c"], list):
+                key["x5c"] = "".join(key["x5c"])
+
+        timestamp: int = (
+            time_ns() + settings.AUTH_JWKS_CACHE_INTERVAL_MINUTES * 60 * 1000000000
+        )
+        usage_counter: int = settings.AUTH_JWKS_CACHE_USAGES
+        jks: JWKS = JWKS(keys=keys, timestamp=timestamp, usage_counter=usage_counter)
+        return jks
+
+    def verify_token(self, token: JWTAuthorizationCredentials) -> bool:
+        """Verifiy token signature
+
+        Args:
+            token (JWTAuthorizationCredentials): _description_
+
+        Raises:
+            AzureException: _description_
+
+        Returns:
+            bool: _description_
+        """
+
+        hmac_key_candidate = self._get_hmac_key(token)
+
+        if not hmac_key_candidate:
+            logger.error(
+                "No public key found that matches the one present in the TOKEN!"
+            )
+            raise AzureException("No public key found!")
+
+        # hmac_key = jwk.construct(hmac_key_candidate)
+
+        try:
+            rsa_key = {
+                "kty": hmac_key_candidate["kty"],
+                "kid": hmac_key_candidate["kid"],
+                "use": hmac_key_candidate["use"],
+                "n": hmac_key_candidate["n"],
+                "e": hmac_key_candidate["e"],
+            }
+
+            # Decode jwt token
+            payload = jwt.decode(
+                token.jwt_token,
+                rsa_key,
+                algorithms=["RS256"],
+                audience=settings.AZURE_ENTRA_ID_AUDIENCE_ID,
+                options={"verify_at_hash": False},  # Disable at_hash verification
+            )
+            return False if payload.get("sub") is None else True
+        except JWTError as je:
+            logger.error("Error in EntraIDClient: %s", str(je))
+            return False
+        except Exception as e:
+            logger.error("Error in JWTBearerManager: %s", str(e))
+            raise AzureException("Error in JWTBearerManager")
+
+    def create_user_from_token(self, token: JWTAuthorizationCredentials) -> User:
+        """Initializes a domain User object with data recovered from a JWT TOKEN.
+        Args:
+        token (JWTAuthorizationCredentials): Defaults to Depends(oauth2_scheme).
+
+        Returns:
+            User: Domain object.
+
+        """
+
+        name_property: str = (
+            "username" if "username" in token.claims else "preferred_username"
+        )
+
+        return User(
+            id=token.claims["sub"],
+            name=(
+                token.claims[name_property]
+                if name_property in token.claims
+                else token.claims["sub"]
+            ),
+            groups=(
+                token.claims["groups"]
+                if "groups" in token.claims
+                else [str(token.claims["scope"]).split("/")[-1]]
+            ),
+            email=token.claims["email"] if "email" in token.claims else None,
+        )

auth_middleware-0.1.0/src/auth_middleware/providers/entra_id/exceptions.py

@@ -0,0 +1,8 @@
+class AzureException(Exception):
+    """Domain exception for wrapping Azure-related exceptions.
+
+    Args:
+        Exception (Exception): inherits from base exception
+    """
+
+    ...

auth_middleware-0.1.0/src/auth_middleware/providers/entra_id/settings.py

@@ -0,0 +1,33 @@
+from typing import Optional
+
+from starlette.config import Config
+
+from auth_middleware.settings import Settings
+
+config = Config()
+
+
+class ModuleSettings(Settings):
+    """Settings for the module"""
+
+    AZURE_ENTRA_ID_TENANT_ID: Optional[str] = config(
+        "AZURE_ENTRA_ID_TENANT_ID",
+        cast=str,
+        default=None,
+    )
+
+    # The audience id is the client id of the application
+    AZURE_ENTRA_ID_AUDIENCE_ID: Optional[str] = config(
+        "AZURE_ENTRA_ID_AUDIENCE_ID",
+        cast=str,
+        default=None,
+    )
+
+    AZURE_ENTRA_ID_JWKS_URL_TEMPLATE: str = config(
+        "AZURE_ENTRA_ID_JWKS_URL_TEMPLATE",
+        cast=str,
+        default="https://login.microsoftonline.com/{}/v2.0/.well-known/openid-configuration",
+    )
+
+
+settings = ModuleSettings()

auth_middleware-0.1.0/src/auth_middleware/settings.py

@@ -0,0 +1,33 @@
+from starlette.config import Config
+
+config = Config()
+
+
+class Settings:
+    """Settings for the module"""
+
+    LOG_LEVEL: str = config("LOG_LEVEL", cast=str, default="INFO").upper()
+    LOG_FORMAT: str = config(
+        "LOG_FORMAT",
+        cast=str,
+        default="%(log_color)s%(levelname)-9s%(reset)s %(asctime)s %(name)s %(message)s",
+    )
+
+    LOGGER_NAME: str = config("LOGGER_NAME", cast=str, default="authmiddleware")
+
+    # Disable authentication for the whole application
+    AUTH_DISABLED = config("AUTH_DISABLED", cast=bool, default=False)
+
+    AUTH_JWKS_CACHE_INTERVAL_MINUTES: int = config(
+        "AUTH_JWKS_CACHE_INTERVAL_MINUTES",
+        cast=int,
+        default=20,
+    )
+    AUTH_JWKS_CACHE_USAGES: int = config(
+        "AUTH_JWKS_CACHE_USAGES",
+        cast=int,
+        default=1000,
+    )
+
+
+settings = Settings()

auth_middleware-0.1.0/src/auth_middleware/types.py

@@ -0,0 +1,62 @@
+from typing import Any, Dict, List, Optional
+
+from pydantic import BaseModel, EmailStr, Field
+
+JWK = Dict[str, str]
+
+
+class JWKS(BaseModel):
+    keys: Optional[List[JWK]] = []
+    timestamp: Optional[int] = None
+    usage_counter: Optional[int] = 0
+
+
+class JWTAuthorizationCredentials(BaseModel):
+    jwt_token: str
+    header: Dict[str, str]
+    claims: Dict[str, Any]
+    signature: str
+    message: str
+
+
+class User(BaseModel):
+    """Application User
+
+    Args:
+        BaseModel (BaseModel): Inherited properties
+    """
+
+    id: str = Field(
+        ...,
+        max_length=500,
+        json_schema_extra={
+            "description": "Unique user ID (sub)",
+            "example": "0ujsswThIGTUYm2K8FjOOfXtY1K",
+        },
+    )
+
+    name: Optional[str] = Field(
+        default=None,
+        max_length=500,
+        json_schema_extra={
+            "description": "User name",
+            "example": "test_user",
+        },
+    )
+
+    email: Optional[EmailStr] = Field(
+        default=None,
+        max_length=500,
+        json_schema_extra={
+            "description": "User's email address (Optional)",
+            "example": "useradmin@user.com",
+        },
+    )
+
+    groups: Optional[List[str]] = Field(
+        default=[],
+        json_schema_extra={
+            "description": "List of user groups",
+            "example": '["admin", "user"]',
+        },
+    )