auth0-api-python 1.0.0b3__tar.gz → 1.0.0b5__tar.gz

{auth0_api_python-1.0.0b3 → auth0_api_python-1.0.0b5}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.3
 Name: auth0-api-python
-Version: 1.0.0b3
+Version: 1.0.0b5
 Summary: SDK for verifying access tokens and securing APIs with Auth0, using Authlib.
 License: MIT
 Author: Auth0
@@ -13,6 +13,7 @@ Classifier: Programming Language :: Python :: 3.10
 Classifier: Programming Language :: Python :: 3.11
 Classifier: Programming Language :: Python :: 3.12
 Classifier: Programming Language :: Python :: 3.13
+Requires-Dist: ada-url (>=1.25.0,<2.0.0)
 Requires-Dist: authlib (>=1.0,<2.0)
 Requires-Dist: httpx (>=0.28.1,<0.29.0)
 Requires-Dist: requests (>=2.31.0,<3.0.0)
@@ -26,6 +27,24 @@ It’s intended as a foundation for building more framework-specific integration
 
 📚 [Documentation](#documentation) - 🚀 [Getting Started](#getting-started) - 💬 [Feedback](#feedback)
 
+## Features & Authentication Schemes
+
+This SDK provides comprehensive support for securing APIs with Auth0-issued access tokens:
+
+### **Authentication Schemes**
+- **Bearer Token Authentication** - Traditional OAuth 2.0 Bearer tokens (RS256)
+- **DPoP Authentication** - Enhanced security with Demonstrating Proof-of-Possession (ES256)
+- **Mixed Mode Support** - Seamlessly handles both Bearer and DPoP in the same API
+
+### **Core Features**
+- **Unified Entry Point**: `verify_request()` - automatically detects and validates Bearer or DPoP schemes
+- **OIDC Discovery** - Automatic fetching of Auth0 metadata and JWKS
+- **JWT Validation** - Complete RS256 signature verification with claim validation
+- **DPoP Proof Verification** - Full RFC 9449 compliance with ES256 signature validation
+- **Flexible Configuration** - Support for both "Allowed" and "Required" DPoP modes
+- **Comprehensive Error Handling** - Detailed errors with proper HTTP status codes and WWW-Authenticate headers
+- **Framework Agnostic** - Works with FastAPI, Django, Flask, or any Python web framework
+
 ## Documentation
 
 - [Docs Site](https://auth0.com/docs) - explore our docs site and learn more about Auth0.
@@ -87,6 +106,34 @@ asyncio.run(main())
 
 In this example, the returned dictionary contains the decoded claims (like `sub`, `scope`, etc.) from the verified token.
 
+### 4. Get an access token for a connection
+
+If you need to get an access token for an upstream idp via a connection, you can use the `get_access_token_for_connection` method:
+
+```python
+import asyncio
+
+from auth0_api_python import ApiClient, ApiClientOptions
+
+async def main():
+    api_client = ApiClient(ApiClientOptions(
+        domain="<AUTH0_DOMAIN>",
+        audience="<AUTH0_AUDIENCE>",
+        client_id="<AUTH0_CLIENT_ID>",
+        client_secret="<AUTH0_CLIENT_SECRET>",
+    ))
+    connection = "my-connection" # The Auth0 connection to the upstream idp
+    access_token = "..." # The Auth0 access token to exchange
+
+    connection_access_token = await api_client.get_access_token_for_connection({"connection": connection, "access_token": access_token})
+    # The returned token is the access token for the upstream idp
+    print(connection_access_token)
+
+asyncio.run(main())
+```
+
+More info https://auth0.com/docs/secure/tokens/token-vault
+
 #### Requiring Additional Claims
 
 If your application demands extra claims, specify them with `required_claims`:
@@ -100,6 +147,61 @@ decoded_and_verified_token = await api_client.verify_access_token(
 
 If the token lacks `my_custom_claim` or fails any standard check (issuer mismatch, expired token, invalid signature), the method raises a `VerifyAccessTokenError`.
 
+### 5. DPoP Authentication
+
+> [!NOTE]  
+> This feature is currently available in [Early Access](https://auth0.com/docs/troubleshoot/product-lifecycle/product-release-stages#early-access). Please reach out to Auth0 support to get it enabled for your tenant.
+
+This library supports **DPoP (Demonstrating Proof-of-Possession)** for enhanced security, allowing clients to prove possession of private keys bound to access tokens.
+
+#### Allowed Mode (Default)
+
+Accepts both Bearer and DPoP tokens - ideal for gradual migration:
+
+```python
+api_client = ApiClient(ApiClientOptions(
+    domain="<AUTH0_DOMAIN>",
+    audience="<AUTH0_AUDIENCE>",
+    dpop_enabled=True,      # Default - enables DPoP support
+    dpop_required=False     # Default - allows both Bearer and DPoP
+))
+
+# Use verify_request() for automatic scheme detection
+result = await api_client.verify_request(
+    headers={
+        "authorization": "DPoP eyJ0eXAiOiJKV1Q...",  # DPoP scheme
+        "dpop": "eyJ0eXAiOiJkcG9wK2p3dC...",        # DPoP proof
+    },
+    http_method="GET",
+    http_url="https://api.example.com/resource"
+)
+```
+
+#### Required Mode
+
+Enforces DPoP-only authentication, rejecting Bearer tokens:
+
+```python
+api_client = ApiClient(ApiClientOptions(
+    domain="<AUTH0_DOMAIN>",
+    audience="<AUTH0_AUDIENCE>", 
+    dpop_required=True      # Rejects Bearer tokens
+))
+```
+
+#### Configuration Options
+
+```python
+api_client = ApiClient(ApiClientOptions(
+    domain="<AUTH0_DOMAIN>",
+    audience="<AUTH0_AUDIENCE>",
+    dpop_enabled=True,          # Enable/disable DPoP support
+    dpop_required=False,        # Require DPoP (reject Bearer)
+    dpop_iat_leeway=30,         # Clock skew tolerance (seconds)
+    dpop_iat_offset=300,        # Maximum proof age (seconds)
+))
+```
+
 ## Feedback
 
 ### Contributing
@@ -108,7 +210,7 @@ We appreciate feedback and contribution to this repo! Before you get started, pl
 
 - [Auth0's general contribution guidelines](https://github.com/auth0/open-source-template/blob/master/GENERAL-CONTRIBUTING.md)
 - [Auth0's code of conduct guidelines](https://github.com/auth0/open-source-template/blob/master/CODE-OF-CONDUCT.md)
-- [This repo's contribution guide](./../../CONTRIBUTING.md)
+- [This repo's contribution guide](https://github.com/auth0/auth0-api-python/CONTRIBUTING.md)
 
 ### Raise an issue
 
@@ -131,5 +233,5 @@ Please do not report security vulnerabilities on the public GitHub issue tracker
   Auth0 is an easy to implement, adaptable authentication and authorization platform. To learn more checkout <a href="https://auth0.com/why-auth0">Why Auth0?</a>
 </p>
 <p align="center">
-  This project is licensed under the MIT license. See the <a href="https://github.com/auth0/auth0-server-python/blob/main/packages/auth0_api_python/LICENSE"> LICENSE</a> file for more info.
+  This project is licensed under the MIT license. See the <a href="https://github.com/auth0/auth0-api-python/LICENSE"> LICENSE</a> file for more info.
 </p>

{auth0_api_python-1.0.0b3 → auth0_api_python-1.0.0b5}/README.md

@@ -6,6 +6,24 @@ It’s intended as a foundation for building more framework-specific integration
 
 📚 [Documentation](#documentation) - 🚀 [Getting Started](#getting-started) - 💬 [Feedback](#feedback)
 
+## Features & Authentication Schemes
+
+This SDK provides comprehensive support for securing APIs with Auth0-issued access tokens:
+
+### **Authentication Schemes**
+- **Bearer Token Authentication** - Traditional OAuth 2.0 Bearer tokens (RS256)
+- **DPoP Authentication** - Enhanced security with Demonstrating Proof-of-Possession (ES256)
+- **Mixed Mode Support** - Seamlessly handles both Bearer and DPoP in the same API
+
+### **Core Features**
+- **Unified Entry Point**: `verify_request()` - automatically detects and validates Bearer or DPoP schemes
+- **OIDC Discovery** - Automatic fetching of Auth0 metadata and JWKS
+- **JWT Validation** - Complete RS256 signature verification with claim validation
+- **DPoP Proof Verification** - Full RFC 9449 compliance with ES256 signature validation
+- **Flexible Configuration** - Support for both "Allowed" and "Required" DPoP modes
+- **Comprehensive Error Handling** - Detailed errors with proper HTTP status codes and WWW-Authenticate headers
+- **Framework Agnostic** - Works with FastAPI, Django, Flask, or any Python web framework
+
 ## Documentation
 
 - [Docs Site](https://auth0.com/docs) - explore our docs site and learn more about Auth0.
@@ -67,6 +85,34 @@ asyncio.run(main())
 
 In this example, the returned dictionary contains the decoded claims (like `sub`, `scope`, etc.) from the verified token.
 
+### 4. Get an access token for a connection
+
+If you need to get an access token for an upstream idp via a connection, you can use the `get_access_token_for_connection` method:
+
+```python
+import asyncio
+
+from auth0_api_python import ApiClient, ApiClientOptions
+
+async def main():
+    api_client = ApiClient(ApiClientOptions(
+        domain="<AUTH0_DOMAIN>",
+        audience="<AUTH0_AUDIENCE>",
+        client_id="<AUTH0_CLIENT_ID>",
+        client_secret="<AUTH0_CLIENT_SECRET>",
+    ))
+    connection = "my-connection" # The Auth0 connection to the upstream idp
+    access_token = "..." # The Auth0 access token to exchange
+
+    connection_access_token = await api_client.get_access_token_for_connection({"connection": connection, "access_token": access_token})
+    # The returned token is the access token for the upstream idp
+    print(connection_access_token)
+
+asyncio.run(main())
+```
+
+More info https://auth0.com/docs/secure/tokens/token-vault
+
 #### Requiring Additional Claims
 
 If your application demands extra claims, specify them with `required_claims`:
@@ -80,6 +126,61 @@ decoded_and_verified_token = await api_client.verify_access_token(
 
 If the token lacks `my_custom_claim` or fails any standard check (issuer mismatch, expired token, invalid signature), the method raises a `VerifyAccessTokenError`.
 
+### 5. DPoP Authentication
+
+> [!NOTE]  
+> This feature is currently available in [Early Access](https://auth0.com/docs/troubleshoot/product-lifecycle/product-release-stages#early-access). Please reach out to Auth0 support to get it enabled for your tenant.
+
+This library supports **DPoP (Demonstrating Proof-of-Possession)** for enhanced security, allowing clients to prove possession of private keys bound to access tokens.
+
+#### Allowed Mode (Default)
+
+Accepts both Bearer and DPoP tokens - ideal for gradual migration:
+
+```python
+api_client = ApiClient(ApiClientOptions(
+    domain="<AUTH0_DOMAIN>",
+    audience="<AUTH0_AUDIENCE>",
+    dpop_enabled=True,      # Default - enables DPoP support
+    dpop_required=False     # Default - allows both Bearer and DPoP
+))
+
+# Use verify_request() for automatic scheme detection
+result = await api_client.verify_request(
+    headers={
+        "authorization": "DPoP eyJ0eXAiOiJKV1Q...",  # DPoP scheme
+        "dpop": "eyJ0eXAiOiJkcG9wK2p3dC...",        # DPoP proof
+    },
+    http_method="GET",
+    http_url="https://api.example.com/resource"
+)
+```
+
+#### Required Mode
+
+Enforces DPoP-only authentication, rejecting Bearer tokens:
+
+```python
+api_client = ApiClient(ApiClientOptions(
+    domain="<AUTH0_DOMAIN>",
+    audience="<AUTH0_AUDIENCE>", 
+    dpop_required=True      # Rejects Bearer tokens
+))
+```
+
+#### Configuration Options
+
+```python
+api_client = ApiClient(ApiClientOptions(
+    domain="<AUTH0_DOMAIN>",
+    audience="<AUTH0_AUDIENCE>",
+    dpop_enabled=True,          # Enable/disable DPoP support
+    dpop_required=False,        # Require DPoP (reject Bearer)
+    dpop_iat_leeway=30,         # Clock skew tolerance (seconds)
+    dpop_iat_offset=300,        # Maximum proof age (seconds)
+))
+```
+
 ## Feedback
 
 ### Contributing
@@ -88,7 +189,7 @@ We appreciate feedback and contribution to this repo! Before you get started, pl
 
 - [Auth0's general contribution guidelines](https://github.com/auth0/open-source-template/blob/master/GENERAL-CONTRIBUTING.md)
 - [Auth0's code of conduct guidelines](https://github.com/auth0/open-source-template/blob/master/CODE-OF-CONDUCT.md)
-- [This repo's contribution guide](./../../CONTRIBUTING.md)
+- [This repo's contribution guide](https://github.com/auth0/auth0-api-python/CONTRIBUTING.md)
 
 ### Raise an issue
 
@@ -111,5 +212,5 @@ Please do not report security vulnerabilities on the public GitHub issue tracker
   Auth0 is an easy to implement, adaptable authentication and authorization platform. To learn more checkout <a href="https://auth0.com/why-auth0">Why Auth0?</a>
 </p>
 <p align="center">
-  This project is licensed under the MIT license. See the <a href="https://github.com/auth0/auth0-server-python/blob/main/packages/auth0_api_python/LICENSE"> LICENSE</a> file for more info.
+  This project is licensed under the MIT license. See the <a href="https://github.com/auth0/auth0-api-python/LICENSE"> LICENSE</a> file for more info.
 </p>

{auth0_api_python-1.0.0b3 → auth0_api_python-1.0.0b5}/pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "auth0-api-python"
-version = "1.0.0.b3"
+version = "1.0.0.b5"
 description = "SDK for verifying access tokens and securing APIs with Auth0, using Authlib."
 authors = ["Auth0 <support@auth0.com>"]
 license = "MIT"
@@ -15,6 +15,7 @@ python = "^3.9"
 authlib = "^1.0"      # For JWT/OIDC features
 requests = "^2.31.0"  # If you use requests for HTTP calls (e.g., discovery)
 httpx = "^0.28.1"
+ada-url = "^1.25.0"
 
 [tool.poetry.group.dev.dependencies]
 pytest = "^8.0"
@@ -22,7 +23,7 @@ pytest-cov = "^4.0"
 pytest-asyncio = "^0.20.3"
 pytest-mock = "^3.14.0"
 pytest-httpx = "^0.35.0"
-twine = "^6.1.0"
+ruff = "^0.1.0"
 
 [tool.pytest.ini_options]
 addopts = "--cov=src --cov-report=term-missing:skip-covered --cov-report=xml"

{auth0_api_python-1.0.0b3 → auth0_api_python-1.0.0b5}/src/auth0_api_python/__init__.py

@@ -11,4 +11,4 @@ from .config import ApiClientOptions
 __all__ = [
     "ApiClient",
     "ApiClientOptions"
-]
+]